CVE-2026-23172 Overview
A buffer overflow vulnerability has been identified in the Linux kernel's t7xx WWAN (Wireless Wide Area Network) driver within the DPMAIF (Data Plane Modem Access Interface) receive path. The vulnerability exists in the t7xx_dpmaif_set_frag_to_skb() function, which adds page fragments to a socket buffer (skb) without proper bounds checking against MAX_SKB_FRAGS. This missing validation can lead to memory corruption in the skb_shinfo(skb)->frags[] array, potentially causing kernel crashes or enabling further exploitation.
Critical Impact
Exploitation of this vulnerability could result in kernel memory corruption, system crashes, denial of service, or potentially arbitrary code execution in kernel context through malicious or compromised modem firmware.
Affected Products
- Linux kernel with t7xx WWAN driver enabled
- Systems using MediaTek T700 5G modem hardware
- Devices with DPMAIF (Data Plane Modem Access Interface) functionality
Discovery Timeline
- February 14, 2026 - CVE-2026-23172 published to NVD
- February 18, 2026 - Last updated in NVD database
Technical Details for CVE-2026-23172
Vulnerability Analysis
This vulnerability resides in the Linux kernel's t7xx WWAN driver, specifically within the DPMAIF RX (receive) path. The t7xx_dpmaif_set_frag_to_skb() function is responsible for assembling incoming network packets by adding page fragments to socket buffer structures. However, the function lacks a critical bounds check before calling skb_add_rx_frag(), allowing the nr_frags counter to exceed the MAX_SKB_FRAGS limit defined by the kernel.
The vulnerability was identified through static code analysis and bears similarity to a previously fixed vulnerability in the mt76 driver (commit b102f0c522cf). Under normal protocol conditions with an MTU of 3080 bytes and BAT buffer of 3584 bytes, a single packet should not require excessive fragments. However, the kernel cannot blindly trust firmware behavior, as malicious, buggy, or compromised modem firmware could craft packets with more fragments than expected.
Root Cause
The root cause is the absence of bounds validation in the t7xx_dpmaif_set_frag_to_skb() function. When processing incoming data, the function adds page fragments to the skb structure without verifying that the number of fragments (nr_frags) remains within the MAX_SKB_FRAGS limit. This allows an attacker with control over modem firmware to send packets containing excessive fragments, overflowing the skb_shinfo(skb)->frags[] array and corrupting adjacent kernel memory structures.
Attack Vector
The attack vector requires the ability to send malformed packets through the modem interface. While this typically necessitates compromised or malicious modem firmware, the vulnerability represents a kernel trust boundary violation where untrusted firmware input can directly corrupt kernel memory structures.
An attacker with control over the modem firmware could craft network packets containing more fragments than the kernel's MAX_SKB_FRAGS limit allows. When these packets are processed through the DPMAIF RX path, the overflow occurs in kernel memory, potentially leading to denial of service through kernel panic or more sophisticated attacks targeting specific memory layouts.
The fix adds a bounds check before calling skb_add_rx_frag() to ensure nr_frags does not exceed MAX_SKB_FRAGS. Importantly, this check must occur before unmapping to prevent page leaks and double DMA unmap conditions during device teardown.
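The ordering described above can be seen in a small userspace model (an added example, not the kernel driver's code or the upstream patch). All model_* names, the 20-fragment sample packet and the limit of 17 are assumptions made for illustration; the check rejects the extra fragment while the buffer is still mapped and ring-owned, so teardown unmaps it exactly once.

```c
#include <errno.h>
#include <stdio.h>
#define MODEL_MAX_FRAGS 17  /* stands in for MAX_SKB_FRAGS; value assumed */
struct model_frag { void *page; unsigned int len; };
struct model_shinfo {       /* stand-in for skb_shared_info */
    unsigned char nr_frags;
    struct model_frag frags[MODEL_MAX_FRAGS];
    unsigned long canary;   /* represents adjacent kernel data */
};
/* Stand-in for one DMA-mapped RX buffer owned by the driver's ring. */
struct model_rx_buf { void *page; int mapped; int unmap_calls; };
static void model_unmap(struct model_rx_buf *b) { b->mapped = 0; b->unmap_calls++; }

/* Bounded fragment add: validate first, only then unmap and hand over. */
int model_set_frag(struct model_shinfo *si, struct model_rx_buf *b, unsigned int len)
{
    if (si->nr_frags >= MODEL_MAX_FRAGS)
        return -EINVAL;      /* buffer stays mapped and ring-owned */
    model_unmap(b);
    si->frags[si->nr_frags++] = (struct model_frag){ b->page, len };
    b->page = NULL;          /* ownership moved to the skb model */
    return 0;
}

/* Teardown: unmap only what the ring still owns, so exactly once. */
void model_teardown(struct model_rx_buf *b)
{
    if (b->page && b->mapped)
        model_unmap(b);
}

/* One packet of `count` fragments from untrusted firmware; returns accepted. */
int model_receive(struct model_shinfo *si, struct model_rx_buf *bufs, int count)
{
    int i = 0;
    while (i < count && model_set_frag(si, &bufs[i], 64) == 0)
        i++;
    return i;
}

int main(void)
{
    static char pages[20];  /* constructed sample: 20 fragments, 3 over the limit */
    struct model_shinfo si = { .canary = 0xC0FFEE };
    struct model_rx_buf bufs[20];
    for (int i = 0; i < 20; i++)
        bufs[i] = (struct model_rx_buf){ &pages[i], 1, 0 };
    printf("accepted %d of 20\n", model_receive(&si, bufs, 20));
    return 0;
}
```

If the unmap were moved above the check, the rejected buffer would be left unmapped but still ring-owned, which is the leak and double-unmap condition the fix description warns about.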
Detection Methods for CVE-2026-23172
Indicators of Compromise
- Unexpected kernel panics or crashes related to the t7xx WWAN driver or DPMAIF subsystem
- Kernel oops messages referencing t7xx_dpmaif_set_frag_to_skb or skb_add_rx_frag functions
- Memory corruption symptoms in systems with active 5G modem connectivity
Detection Strategies
- Monitor kernel logs for oops, BUG, or panic messages mentioning the t7xx driver or net/wwan/t7xx module
- Implement kernel memory corruption detection mechanisms such as KASAN (Kernel Address Sanitizer) if available
- Review system crash dumps for stack traces involving DPMAIF receive path functions
Monitoring Recommendations
- Enable kernel logging and forward to centralized SIEM for crash pattern detection
- Utilize SentinelOne Singularity Platform for endpoint monitoring to detect kernel-level anomalies
- Implement watchdog timers and automatic crash reporting for systems with t7xx WWAN hardware
How to Mitigate CVE-2026-23172
Immediate Actions Required
- Apply the kernel patches from the official Linux kernel stable branches immediately
- If patching is not immediately possible, consider disabling the t7xx WWAN driver if not required for operations
- Monitor affected systems for signs of exploitation or unusual kernel behavior
Patch Information
The vulnerability has been addressed through multiple commits to the Linux kernel stable branches. The fix adds bounds checking before calling skb_add_rx_frag() to ensure nr_frags does not exceed MAX_SKB_FRAGS. Organizations should update to patched kernel versions from the following commits:
- Kernel Git Commit: 2a0522f5
- Kernel Git Commit: 2c0fb0f6
- Kernel Git Commit: af4b8577
- Kernel Git Commit: f0813bcd
- Kernel Git Commit: f9747a75
Workarounds
- Disable or blacklist the t7xx WWAN driver module if 5G modem functionality is not required
- Restrict physical access to systems with vulnerable hardware configurations
- Implement network segmentation to limit exposure of affected systems
# Configuration example
# Blacklist the t7xx driver to prevent loading
echo "blacklist mtk_t7xx" | sudo tee /etc/modprobe.d/blacklist-t7xx.conf
# Unload the driver if currently loaded
sudo modprobe -r mtk_t7xx
# Verify the module is not loaded
lsmod | grep t7xx
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


