CVE-2026-23140

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
14/02/2026
Last modified:
14/02/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf, test_run: Subtract size of xdp_frame from allowed metadata size

The xdp_frame structure takes up part of the XDP frame headroom, limiting the size of the metadata. However, in bpf_test_run, we don't take this into account, which makes it possible for userspace to supply a metadata size that is too large (taking up the entire headroom).

If userspace supplies such a large metadata size in live packet mode, the xdp_update_frame_from_buff() call in xdp_test_run_init_page() call will fail, after which packet transmission proceeds with an uninitialised frame structure, leading to the usual Bad Stuff.

The commit in the Fixes tag fixed a related bug where the second check in xdp_update_frame_from_buff() could fail, but did not add any additional constraints on the metadata size. Complete the fix by adding an additional check on the metadata size. Reorder the checks slightly to make the logic clearer and add a comment.
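The bounds arithmetic behind this description, as an added user-space model that is not kernel code and not taken from the fix itself. `MODEL_HEADROOM`, `struct model_frame` and all function names are assumptions chosen for illustration; only the relationship between headroom, metadata size and descriptor size follows the text above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model; values and layout are assumptions, not kernel definitions. */
#define MODEL_HEADROOM 256u /* headroom reserved in front of the packet data */

/* Stand-in for the frame descriptor kept at the start of the headroom.
 * Only its size matters for the check. */
struct model_frame {
    void *data;
    uint32_t len, headroom, metasize, frame_sz;
};

/* Input check as described before the fix: metadata may fill all headroom. */
static int meta_ok_before(size_t meta_len)
{
    return meta_len <= MODEL_HEADROOM;
}

/* Input check as described after the fix: descriptor size is subtracted. */
static int meta_ok_after(size_t meta_len)
{
    return meta_len <= MODEL_HEADROOM - sizeof(struct model_frame);
}

/* Models the later frame setup step: it fails (-1) when the headroom left
 * in front of the metadata cannot hold the descriptor. */
static int model_frame_update(size_t meta_len)
{
    if (meta_len > MODEL_HEADROOM ||
        MODEL_HEADROOM - meta_len < sizeof(struct model_frame))
        return -1;
    return 0;
}

/* Counts metadata sizes that pass the input check yet fail frame setup,
 * i.e. inputs whose safety depends on the caller checking the return value. */
static size_t count_gap(int (*check)(size_t))
{
    size_t n = 0;
    for (size_t m = 0; m <= MODEL_HEADROOM; m++)
        if (check(m) && model_frame_update(m) != 0)
            n++;
    return n;
}

int main(void)
{
    printf("accepted-but-unusable sizes: before=%zu after=%zu\n",
           count_gap(meta_ok_before), count_gap(meta_ok_after));
    return 0;
}
```

With the tightened check, no accepted metadata size can make the frame setup step fail, so the error path described above is unreachable from this input.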

Impact