CVE-2026-23172
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
14/02/2026
Last modified:
14/02/2026
Description
In the Linux kernel, the following vulnerability has been resolved:

net: wwan: t7xx: fix potential skb->frags overflow in RX path

When receiving data in the DPMAIF RX path, the t7xx_dpmaif_set_frag_to_skb() function adds page fragments to an skb without checking if the number of fragments has exceeded MAX_SKB_FRAGS. This could lead to a buffer overflow in skb_shinfo(skb)->frags[] array, corrupting adjacent memory and potentially causing kernel crashes or other undefined behavior.

This issue was identified through static code analysis by comparing with a similar vulnerability fixed in the mt76 driver commit b102f0c522cf ("mt76: fix array overflow on receiving too many fragments for a packet").

The vulnerability could be triggered if the modem firmware sends packets with excessive fragments. While under normal protocol conditions (MTU 3080 bytes, BAT buffer 3584 bytes), a single packet should not require additional fragments, the kernel should not blindly trust firmware behavior. Malicious, buggy, or compromised firmware could potentially craft packets with more fragments than the kernel expects.

Fix this by adding a bounds check before calling skb_add_rx_frag() to ensure nr_frags does not exceed MAX_SKB_FRAGS.

The check must be performed before unmapping to avoid a page leak and double DMA unmap during device teardown.
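
The ordering constraint in the last paragraph, as an added example that is not the kernel patch or the driver's code: a userspace C model in which `model_buf`, `model_skb`, `model_set_frag` and `model_run` are hypothetical names and `MODEL_MAX_FRAGS` is a small stand-in for `MAX_SKB_FRAGS`. It assumes teardown unmaps every buffer still recorded in the table, and counts the entries that a late check leaves unmapped yet still recorded.

```c
#include <stdbool.h>

#define MODEL_MAX_FRAGS 4            /* small stand-in for MAX_SKB_FRAGS */

struct model_buf {                   /* hypothetical RX buffer-table entry */
    bool mapped;                     /* DMA mapping is live */
    bool in_table;                   /* teardown will unmap and free it */
};

struct model_skb {
    unsigned int nr_frags;
    struct model_buf *frags[MODEL_MAX_FRAGS];
};

/* Attach one buffer as a fragment. check_first = true: bounds check, then
 * unmap. check_first = false: unmap, then bounds check (still rejects the
 * fragment, but leaves a stale table entry behind). */
static int model_set_frag(struct model_skb *skb, struct model_buf *b,
                          bool check_first)
{
    if (check_first && skb->nr_frags >= MODEL_MAX_FRAGS)
        return -1;                   /* buffer untouched, still table-owned */
    b->mapped = false;               /* models the DMA unmap */
    if (skb->nr_frags >= MODEL_MAX_FRAGS)
        return -1;                   /* too late: unmapped but still in table */
    b->in_table = false;             /* ownership moves to the skb */
    skb->frags[skb->nr_frags++] = b;
    return 0;
}

/* Feed n buffers (capped at 16) into one skb, then walk the table as teardown
 * would. Returns how many entries teardown would unmap a second time. */
static int model_run(unsigned int n, bool check_first, unsigned int *accepted)
{
    struct model_buf tbl[16];
    struct model_skb skb = { 0 };
    int stale = 0;

    n = n > 16 ? 16 : n;
    for (unsigned int i = 0; i < n; i++) {
        tbl[i] = (struct model_buf){ .mapped = true, .in_table = true };
        model_set_frag(&skb, &tbl[i], check_first);
    }
    for (unsigned int i = 0; i < n; i++)     /* teardown walk */
        if (tbl[i].in_table && !tbl[i].mapped)
            stale++;
    *accepted = skb.nr_frags;
    return stale;
}
```

In both orderings the fragment array never grows past its limit; only the check-first ordering leaves every rejected buffer mapped and owned by the table, so teardown releases it exactly once.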
Impact
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/2a0522f564acd34442652ea083091c329fa7c5d5
- https://git.kernel.org/stable/c/2c0fb0f60bc1545c52da61bc6bd4855c1e7814ba
- https://git.kernel.org/stable/c/af4b8577d0b388cc3d0039eb0cdd9ca5bbbc9276
- https://git.kernel.org/stable/c/f0813bcd2d9d97fdbdf2efb9532ab03ae92e99e6
- https://git.kernel.org/stable/c/f9747a7521a48afded5bff2faf1f2dcfff48c577



