Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
Linux Kernel: BPF Test Run Can Exceed Allowed Metadata Size
CVE-2026-23140
Summary
This issue affects Linux kernel's BPF (a security feature) test mode. If not fixed, it could cause packets to be sent with uninitialized data, potentially leading to system crashes or data corruption. To fix this, an additional check was added to prevent userspace from specifying an excessively large metadata size.
Original title
In the Linux kernel, the following vulnerability has been resolved:
bpf, test_run: Subtract size of xdp_frame from allowed metadata size
The xdp_frame structure takes up part of the XDP frame hea...
Original description
In the Linux kernel, the following vulnerability has been resolved:
bpf, test_run: Subtract size of xdp_frame from allowed metadata size
The xdp_frame structure takes up part of the XDP frame headroom,
limiting the size of the metadata. However, in bpf_test_run, we don't
take this into account, which makes it possible for userspace to supply
a metadata size that is too large (taking up the entire headroom).
If userspace supplies such a large metadata size in live packet mode,
the xdp_update_frame_from_buff() call in xdp_test_run_init_page() call
will fail, after which packet transmission proceeds with an
uninitialised frame structure, leading to the usual Bad Stuff.
The commit in the Fixes tag fixed a related bug where the second check
in xdp_update_frame_from_buff() could fail, but did not add any
additional constraints on the metadata size. Complete the fix by adding
an additional check on the metadata size. Reorder the checks slightly to
make the logic clearer and add a comment.
bpf, test_run: Subtract size of xdp_frame from allowed metadata size
The xdp_frame structure takes up part of the XDP frame headroom,
limiting the size of the metadata. However, in bpf_test_run, we don't
take this into account, which makes it possible for userspace to supply
a metadata size that is too large (taking up the entire headroom).
If userspace supplies such a large metadata size in live packet mode,
the xdp_update_frame_from_buff() call in xdp_test_run_init_page() call
will fail, after which packet transmission proceeds with an
uninitialised frame structure, leading to the usual Bad Stuff.
The commit in the Fixes tag fixed a related bug where the second check
in xdp_update_frame_from_buff() could fail, but did not add any
additional constraints on the metadata size. Complete the fix by adding
an additional check on the metadata size. Reorder the checks slightly to
make the logic clearer and add a comment.
- https://git.kernel.org/stable/c/31e37f44b60679d90b9f999c91371b15291be8e0
- https://git.kernel.org/stable/c/6447e697cfa8a43a8e491cb81bcc390d0f28f8ba
- https://git.kernel.org/stable/c/7c81ad5e580bd8441f8a521a8d34824ce6582ae5
- https://git.kernel.org/stable/c/e558cca217790286e799a8baacd1610bda31b261
- https://git.kernel.org/stable/c/e7440935063949d6f2c10f7328d960d0ff4bce90
Published: 14 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026