HOMEVULNERABILITIESCVE-2026-23276
NONE

CVE-2026-23276

Published: March 20, 2026· Updated: Mar 25, 2026

EPSS:0.02%probability of exploitation in 30 daysPercentile:5.9th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

net: add xmit recursion limit to tunnel xmit functions

Tunnel xmit functions (iptunnel_xmit, ip6tunnel_xmit) lack their own

recursion limit. When a bond device in broadcast mode has GRE tap

interfaces as slaves, and those GRE tunnels route back through the

bond, multicast/broadcast traffic triggers infinite recursion between

bond_xmit_broadcast() and ip_tunnel_xmit()/ip6_tnl_xmit(), causing

kernel stack overflow.

The existing XMIT_RECURSION_LIMIT (8) in the no-qdisc path is not

sufficient because tunnel recursion involves route lookups and full IP

output, consuming much more stack per level. Use a lower limit of 4

(IP_TUNNEL_RECURSION_LIMIT) to prevent overflow.

Add recursion detection using dev_xmit_recursion helpers directly in

iptunnel_xmit() and ip6tunnel_xmit() to cover all IPv4/IPv6 tunnel

paths including UDP encapsulated tunnels (VXLAN, Geneve, etc.).

Move dev_xmit_recursion helpers from net/core/dev.h to public header

include/linux/netdevice.h so they can be used by tunnel code.

BUG: KASAN: stack-out-of-bounds in blake2s.constprop.0+0xe7/0x160

Write of size 32 at addr ffff88810033fed0 by task kworker/0:1/11

Workqueue: mld mld_ifc_work

Call Trace:

<TASK>

__build_flow_key.constprop.0 (net/ipv4/route.c:515)

ip_rt_update_pmtu (net/ipv4/route.c:1073)

iptunnel_xmit (net/ipv4/ip_tunnel_core.c:84)

ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)

gre_tap_xmit (net/ipv4/ip_gre.c:779)

dev_hard_start_xmit (net/core/dev.c:3887)

sch_direct_xmit (net/sched/sch_generic.c:347)

__dev_queue_xmit (net/core/dev.c:4802)

bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)

bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)

bond_start_xmit (drivers/net/bonding/bond_main.c:5530)

dev_hard_start_xmit (net/core/dev.c:3887)

__dev_queue_xmit (net/core/dev.c:4841)

ip_finish_output2 (net/ipv4/ip_output.c:237)

ip_output (net/ipv4/ip_output.c:438)

iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86)

gre_tap_xmit (net/ipv4/ip_gre.c:779)

dev_hard_start_xmit (net/core/dev.c:3887)

sch_direct_xmit (net/sched/sch_generic.c:347)

__dev_queue_xmit (net/core/dev.c:4802)

bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)

bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)

bond_start_xmit (drivers/net/bonding/bond_main.c:5530)

dev_hard_start_xmit (net/core/dev.c:3887)

__dev_queue_xmit (net/core/dev.c:4841)

ip_finish_output2 (net/ipv4/ip_output.c:237)

ip_output (net/ipv4/ip_output.c:438)

iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86)

ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)

gre_tap_xmit (net/ipv4/ip_gre.c:779)

dev_hard_start_xmit (net/core/dev.c:3887)

sch_direct_xmit (net/sched/sch_generic.c:347)

__dev_queue_xmit (net/core/dev.c:4802)

bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)

bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)

bond_start_xmit (drivers/net/bonding/bond_main.c:5530)

dev_hard_start_xmit (net/core/dev.c:3887)

__dev_queue_xmit (net/core/dev.c:4841)

mld_sendpack

mld_ifc_work

process_one_work

worker_thread

</TASK>

NVD Source

Technical Analysis

CVE-2026-23276 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (4)

Quick Facts

CVE IDCVE-2026-23276
SeverityNONE
CISA KEVNo
EPSS (30d)0.02%
PublishedMar 20, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-23276 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.