CVE-2026-23390 Overview
A buffer overflow vulnerability exists in the Linux kernel's DMA tracing subsystem. The dma_map_sg tracepoint can trigger a perf buffer overflow when tracing large scatter-gather lists. When devices such as virtio-gpu create large DRM buffers, the number of entries (nents) can exceed 1000, resulting in memory allocations that exceed the PERF_MAX_TRACE_SIZE limit of 8192 bytes.
The vulnerability occurs because dynamic array allocations for physical addresses, DMA addresses, and lengths are not properly capped, allowing a combined allocation of approximately 20,000 bytes when processing large scatter-gather operations.
Critical Impact
Uncapped array allocations in the DMA tracing subsystem can cause kernel warnings and potential system instability when tracing operations with large scatter-gather lists exceed the perf buffer size limit.
Affected Products
- Linux Kernel (tracing/dma subsystem)
- Systems using virtio-gpu with large DRM buffers
- Systems with DMA tracing enabled via perf
Discovery Timeline
- 2026-03-25 - CVE CVE-2026-23390 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-23390
Vulnerability Analysis
The vulnerability resides in the Linux kernel's DMA tracing infrastructure, specifically within the dma_map_sg tracepoint implementation. When tracing scatter-gather DMA operations, the kernel allocates dynamic arrays to record physical addresses, DMA addresses, and segment lengths for each entry in the scatter-gather list.
The core issue is the absence of bounds checking on these array allocations. With devices like virtio-gpu creating large DRM buffers, the number of scatter-gather entries can exceed 1000, leading to:
- phys_addrs: 1000 × 8 bytes = 8,000 bytes
- dma_addrs: 1000 × 8 bytes = 8,000 bytes
- lengths: 1000 × 4 bytes = 4,000 bytes
- Total: ~20,000 bytes
This total exceeds PERF_MAX_TRACE_SIZE (8192 bytes), triggering a kernel warning in kernel/trace/trace_event_perf.c at line 405.
Root Cause
The root cause is the lack of array size capping in the DMA tracing tracepoint implementation. The dynamic arrays used to store scatter-gather entry information grow proportionally with the number of entries without any upper bound validation. This design oversight allows legitimate large DMA operations to exceed kernel buffer limits, causing overflow conditions.
The fix introduces a DMA_TRACE_MAX_ENTRIES constant of 128 entries and uses min(nents, DMA_TRACE_MAX_ENTRIES) for dynamic array sizing. This ensures arrays are only as large as needed up to the cap, avoiding unnecessary memory allocation for small operations while preventing overflow for large ones. A truncated flag is also added so users can identify when data has been capped.
Attack Vector
This vulnerability is primarily a reliability and stability issue rather than a direct security exploitation vector. The attack scenario involves:
- An attacker or application triggers DMA operations with large scatter-gather lists (>128 entries)
- When DMA tracing is enabled via perf, the kernel attempts to allocate oversized trace buffers
- The allocation exceeds PERF_MAX_TRACE_SIZE, causing kernel warnings and potential trace data loss
- In worst-case scenarios, this could lead to system instability or denial of service conditions
The vulnerability requires DMA tracing to be enabled and the system to be performing large scatter-gather DMA operations, limiting its practical exploitability.
Detection Methods for CVE-2026-23390
Indicators of Compromise
- Kernel warning messages containing "perf buffer not large enough" in system logs
- Warnings at kernel/trace/trace_event_perf.c:405 indicating buffer overflow conditions
- Trace data loss when monitoring DMA operations with large scatter-gather lists
Detection Strategies
- Monitor kernel logs (dmesg) for warnings related to perf buffer size limitations
- Check for repeated warnings involving trace_event_perf.c during DMA-intensive workloads
- Review system stability issues correlated with virtio-gpu or other devices performing large DMA operations
- Audit perf trace configurations to identify when dma_map_sg tracepoints are enabled
Monitoring Recommendations
- Implement alerting for kernel warning messages related to trace buffer overflows
- Monitor system stability metrics during DMA-intensive workloads
- Track kernel log entries for messages containing "wanted" and "have" byte comparisons indicating buffer mismatches
- Review perf tracing configurations to ensure appropriate buffer sizing
How to Mitigate CVE-2026-23390
Immediate Actions Required
- Apply the latest kernel patches containing the DMA tracing buffer overflow fix
- Consider disabling DMA tracing via perf if not actively required for debugging
- Monitor systems running virtio-gpu or other devices with large scatter-gather operations for stability issues
- Review and apply kernel updates from the stable branch
Patch Information
The vulnerability has been addressed through kernel patches that cap dynamic array sizes at 128 entries using min(nents, DMA_TRACE_MAX_ENTRIES). The patches are available through the following commits:
The fix ensures arrays are dynamically sized up to the cap, avoiding waste for small operations while preventing overflow for large ones. The tracepoint now records full nents/ents counts and a truncated flag so users can see when data has been capped.
Workarounds
- Disable DMA tracing via perf if it is not required for active debugging or monitoring
- Limit scatter-gather list sizes in applications where possible
- Use alternative tracing mechanisms that do not have buffer size limitations
- Monitor for kernel updates and apply patches as soon as they become available for your distribution
# Disable DMA tracing temporarily
echo 0 > /sys/kernel/debug/tracing/events/dma/dma_map_sg/enable
# Verify tracing status
cat /sys/kernel/debug/tracing/events/dma/dma_map_sg/enable
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
