CVE-2026-23143 Overview
A memory misalignment vulnerability has been identified in the Linux kernel's virtio_net driver within struct virtnet_info. The vulnerability arises from improper handling of flexible array members (FAM) in the virtio_net_rss_config_trailer structure, causing a one-byte misalignment between rss_trailer.hash_key_data (offset 83) and rss_hash_key_data (offset 84). This misalignment results in the RSS key passed to the device being shifted by one byte, potentially exposing uninitialized memory and causing incorrect RSS configuration.
Critical Impact
Memory misalignment in virtio_net driver can cause RSS key data corruption and potential exposure of uninitialized memory bytes in virtualized network environments.
Affected Products
- Linux kernel with virtio_net driver
- Virtual machines using virtio network interfaces
- Systems utilizing RSS (Receive Side Scaling) with virtio networking
Discovery Timeline
- 2026-02-14 - CVE CVE-2026-23143 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-23143
Vulnerability Analysis
The vulnerability exists in the drivers/net/virtio_net.c file where the struct virtnet_info contains a flexible array member that is improperly positioned relative to other structure members. The compiler warning -Wflex-array-member-not-at-end indicates that a structure containing a flexible array member (hash_key_data[]) is not positioned at the end of the parent structure.
The struct virtio_net_rss_config_trailer contains three members: max_tx_vq (2 bytes at offset 0), hash_key_length (1 byte at offset 2), and hash_key_data[] (flexible array at offset 3). Due to structure padding rules, this structure has a total size of 4 bytes with 1 byte of tail padding.
When embedded in struct virtnet_info at offset 80, the rss_trailer occupies 4 bytes (80-83), but the flexible array hash_key_data starts at offset 83. The subsequent rss_hash_key_data[40] array starts at offset 84, creating a one-byte misalignment. This causes the RSS hash key data to be incorrectly offset, with the last byte being cut off and a potentially uninitialized byte being prepended.
Root Cause
The root cause is the improper placement of a structure containing a flexible array member within a larger structure. The C language standard requires flexible array members to be at the end of structures, and when embedded structures violate this, memory alignment issues occur. The fix introduces the TRAILING_OVERLAP() helper macro to create a union that correctly overlays the trailing members onto the flexible array member while maintaining proper alignment.
Attack Vector
The vulnerability is triggered when the virtio_net driver configures RSS (Receive Side Scaling) settings. The misaligned RSS key data can result in:
- Incorrect RSS hash calculations leading to improper packet distribution
- Potential information disclosure through exposure of uninitialized memory bytes
- Network performance degradation due to incorrect RSS configuration
The vulnerability requires local access to a system running virtualized networking with virtio_net driver and RSS enabled. While exploitation is limited, the memory misalignment could be leveraged in combination with other vulnerabilities to leak kernel memory contents.
Detection Methods for CVE-2026-23143
Indicators of Compromise
- Unexpected network packet distribution patterns in virtualized environments
- Kernel warnings related to flexible array member alignment in virtio_net module
- RSS hash key mismatches between configured and actual values
- Anomalous memory access patterns in virtio_net driver operations
Detection Strategies
- Monitor kernel logs for -Wflex-array-member-not-at-end compiler warnings during kernel builds
- Implement runtime verification of RSS key configuration integrity
- Use memory debugging tools (KASAN, KMSAN) to detect uninitialized memory access
- Audit virtio_net driver initialization sequences for alignment anomalies
Monitoring Recommendations
- Enable kernel memory sanitizers in development and testing environments
- Monitor virtio_net driver behavior using kernel tracing (ftrace, perf)
- Implement network traffic analysis to detect abnormal RSS distribution patterns
- Review system logs for virtio_net related warnings and errors
How to Mitigate CVE-2026-23143
Immediate Actions Required
- Update the Linux kernel to a version containing the fix commits
- Review virtualized networking configurations for RSS usage
- Consider temporarily disabling RSS in virtio_net if updates cannot be immediately applied
- Monitor affected systems for signs of memory-related anomalies
Patch Information
The vulnerability has been resolved through kernel patches that introduce the TRAILING_OVERLAP() helper macro. The fix creates a union between the flexible array member and trailing members, ensuring proper memory alignment. The corrected structure places both rss_trailer and rss_hash_key_data at aligned offsets within struct virtnet_info.
Patch commits are available:
Workarounds
- Disable RSS functionality in virtio_net configurations where not critical
- Use alternative network drivers where possible in affected virtual environments
- Apply kernel patches as soon as available from distribution maintainers
- Consider using passthrough networking instead of virtio in high-security environments
# Check current kernel version for virtio_net driver
uname -r
modinfo virtio_net | grep -E "(version|filename)"
# Verify RSS configuration status
ethtool -x eth0 2>/dev/null || echo "RSS not configured"
# Monitor for virtio_net related kernel messages
dmesg | grep -i virtio_net
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
