CVE-2026-23386 Overview
CVE-2026-23386 is a memory safety vulnerability in the Linux kernel's Google Virtual Ethernet (GVE) driver that affects the buffer cleanup routine in gve_tx_clean_pending_packets() when operating in DQ-QPL mode. The vulnerability occurs due to incorrect buffer cleanup path selection, where the driver incorrectly uses the RDA (Raw Data Access) buffer cleanup path instead of the appropriate QPL (Queue Page List) cleanup method.
Critical Impact
This vulnerability can cause out-of-bounds array access and memory corruption in the Linux kernel's GVE network driver, potentially leading to system instability, kernel crashes, or denial of service conditions on affected systems.
Affected Products
- Linux kernel with GVE (Google Virtual Ethernet) driver
- Systems running Google Cloud Platform virtual machines with GVE network interfaces
- Linux distributions using affected kernel versions with GVE driver enabled
Discovery Timeline
- 2026-03-25 - CVE CVE-2026-23386 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-23386
Vulnerability Analysis
The vulnerability resides in the gve_tx_clean_pending_packets() function within the GVE driver (drivers/net/ethernet/google/gve/gve_tx_dqo.c). When operating in DQ-QPL (Descriptor Queue - Queue Page List) mode, the function incorrectly follows the RDA buffer cleanup path, leading to two distinct memory safety issues.
The first issue arises from a union storage conflict. The dma array shares storage with tx_qpl_buf_ids through a C union structure. When the cleanup routine incorrectly interprets buffer IDs as DMA addresses, it attempts to unmap incorrect memory locations, as the data stored in that memory region has different semantics depending on the operational mode.
The second issue involves an out-of-bounds array access. In QPL mode, num_bufs represents a count of 2K chunks, which can significantly exceed the allocated size of the dma array. The UBSAN (Undefined Behavior Sanitizer) detected this condition where index 18 was accessed in an array of type dma_addr_t[18], clearly indicating an off-by-one or greater boundary violation.
Root Cause
The root cause is a missing mode check in the buffer cleanup logic. The gve_tx_clean_pending_packets() function fails to properly distinguish between RDA and QPL operational modes before selecting the appropriate cleanup path. This leads to the RDA cleanup code being executed when QPL-specific cleanup via gve_free_tx_qpl_bufs() should be invoked instead.
The underlying issue stems from the union data structure design where dma and tx_qpl_buf_ids share the same memory location, combined with the differing semantics of num_bufs between modes. The fix requires properly checking for QPL mode and delegating buffer reclamation to the appropriate function.
Attack Vector
This vulnerability is triggered through normal driver operation rather than external network attack. The vulnerable code path is exercised when:
- The GVE driver is operating in DQ-QPL mode
- The driver undergoes a reset operation via gve_reset()
- The gve_service_task workqueue processes the reset
- gve_close() calls gve_tx_stop_ring_dqo() which invokes the vulnerable cleanup routine
The kernel stack trace shows the call path: gve_service_task → gve_reset → gve_close → gve_tx_stop_ring_dqo → vulnerable cleanup code.
While exploitation for privilege escalation would be complex due to the specific conditions required, the vulnerability can cause kernel crashes and system denial of service when triggered during driver reset operations.
Detection Methods for CVE-2026-23386
Indicators of Compromise
- UBSAN kernel warnings with "array-index-out-of-bounds" in gve_tx_dqo.c
- Kernel oops or panic messages originating from the GVE driver during network operations
- Unexpected system reboots on Google Cloud Platform instances using GVE networking
- Workqueue errors related to gve_service_task in kernel logs
Detection Strategies
- Monitor kernel logs (dmesg, /var/log/kern.log) for UBSAN warnings mentioning gve_tx_stop_ring_dqo or gve_tx_dqo.c
- Enable kernel address sanitizers (KASAN, UBSAN) in development/testing environments to detect out-of-bounds access
- Implement automated log monitoring for GVE driver crash signatures and recovery events
- Track unexpected GVE driver reset cycles which may indicate the vulnerability being triggered
Monitoring Recommendations
- Configure syslog forwarding to centralized SIEM for kernel warning detection
- Set up alerting for patterns matching __ubsan_handle_out_of_bounds combined with GVE module references
- Monitor system uptime anomalies on GCE instances that may indicate kernel crashes
- Implement kernel crash dump collection and analysis for post-incident investigation
How to Mitigate CVE-2026-23386
Immediate Actions Required
- Update the Linux kernel to a patched version containing the fix commits
- If immediate patching is not possible, consider temporarily using alternative networking modes if available
- Review and apply vendor-provided kernel updates from your Linux distribution
- Monitor affected systems for signs of driver instability until patches are applied
Patch Information
The vulnerability has been resolved in multiple Linux kernel stable branches. The fix properly checks for QPL mode and delegates buffer reclamation to gve_free_tx_qpl_bufs() instead of incorrectly using the RDA cleanup path.
Patches are available through the following kernel commits:
- Linux Kernel Commit 07e0c80
- Linux Kernel Commit 3744ebd8
- Linux Kernel Commit 71511dae
- Linux Kernel Commit c171f90
- Linux Kernel Commit fb868db5
Workarounds
- If the GVE driver supports multiple operational modes, switching from DQ-QPL mode to RDA mode may avoid the vulnerable code path
- Disable automatic driver reset operations if operationally feasible (though this may impact network reliability)
- Consider using alternative network drivers or virtio-net on affected virtual machines until patching is complete
- Implement system monitoring to detect and quickly respond to driver-related crashes
# Check current GVE driver version and verify patch status
modinfo gve
# Monitor for UBSAN warnings related to GVE
dmesg | grep -E "(gve|ubsan.*out_of_bounds)"
# Check kernel version against patched releases
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
