HIGH
net/tunnel Stats Corruption
CVE-2026-23459
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
KernelScan AI 7.5 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

ip_tunnel: adapt iptunnel_xmit_stats() to NETDEV_PCPU_STAT_DSTATS

Blamed commits forgot that vxlan/geneve use udp_tunnel[6]_xmit_skb() which call iptunnel_xmit_stats().

iptunnel_xmit_stats() was assuming tunnels were only using NETDEV_PCPU_STAT_TSTATS.

@syncp offset in pcpu_sw_netstats and pcpu_dstats is different.

32bit kernels would either have corruptions or freezes if the syncp sequence was overwritten.

This patch also moves pcpu_stat_type closer to dev->{t,d}stats to avoid a potential cache line miss since iptunnel_xmit_stats() needs to read it.
02 KernelScan AI Analysis
Risk summary
Systems using VXLAN or GENEVE tunnels on 32-bit kernels are at risk of memory corruption or system freezes when transmitting packets. The vulnerability affects tunnel statistics handling and can cause kernel instability through corrupted synchronization primitives.
Vulnerability analysis
The root cause is that iptunnel_xmit_stats() assumed all tunnels use NETDEV_PCPU_STAT_TSTATS, but recent changes made VXLAN/GENEVE use NETDEV_PCPU_STAT_DSTATS instead. These two statistics structures have different memory layouts, specifically different offsets for the syncp field. When iptunnel_xmit_stats() writes to what it thinks is the syncp field in pcpu_sw_netstats, it actually overwrites unrelated memory in pcpu_dstats. On 32-bit systems, this corruption of synchronization primitives can cause freezes or data corruption. The fix adds proper type checking to use the correct statistics structure based on dev->pcpu_stat_type, and moves this field closer to the stats pointers for better cache locality.
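The layout mismatch described above, as an added userspace sketch (not kernel code and not taken from the patch). The `model_*` structures, their field order and both writer functions are assumptions made for illustration; the sketch models a 32-bit build, where the sync object carries a sequence counter.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Simplified userspace stand-ins (assumed field order), modelling a 32-bit build. */
struct model_sync { uint32_t seq; };
struct model_tstats {   /* stands in for pcpu_sw_netstats */
    uint64_t rx_packets, rx_bytes, tx_packets, tx_bytes;
    struct model_sync syncp;
};
struct model_dstats {   /* stands in for pcpu_dstats */
    uint64_t rx_packets, rx_bytes, tx_packets, tx_bytes, rx_drops, tx_drops;
    struct model_sync syncp;
};
enum model_stat_type { MODEL_TSTATS, MODEL_DSTATS };

/* Gap between the syncp offset a tstats-only writer uses and the dstats one. */
size_t syncp_offset_gap(void)
{
    return offsetof(struct model_dstats, syncp) - offsetof(struct model_tstats, syncp);
}

/* Increment the sequence counter at byte offset off of a per-CPU block. */
static void bump_seq(void *block, size_t off)
{
    uint32_t seq;
    memcpy(&seq, (char *)block + off, sizeof(seq));
    seq++;
    memcpy((char *)block + off, &seq, sizeof(seq));
}

/* Layout-blind writer: always uses the tstats offset. */
void xmit_stats_assume_tstats(void *block)
{
    bump_seq(block, offsetof(struct model_tstats, syncp));
}

/* Type-aware writer: selects the offset from the device's stat type. */
void xmit_stats_by_type(void *block, enum model_stat_type type)
{
    bump_seq(block, type == MODEL_DSTATS ? offsetof(struct model_dstats, syncp)
                                         : offsetof(struct model_tstats, syncp));
}
int main(void)
{
    struct model_dstats d = {0};
    xmit_stats_assume_tstats(&d);
    printf("gap=%zu seq=%u rx_drops_hit=%d\n", syncp_offset_gap(),
           (unsigned)d.syncp.seq, d.rx_drops != 0);
}
```

In this model the layout-blind writer leaves the real sequence counter untouched and modifies a neighbouring counter instead, while the type-aware writer updates only `syncp`.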
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.19 | 6.19.10 | 0d087d00161f |
| mainline | 7.0 | 8431c602f551 |