CVE-2026-23276

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: add xmit recursion limit to tunnel xmit functions<br /> <br /> Tunnel xmit functions (iptunnel_xmit, ip6tunnel_xmit) lack their own<br /> recursion limit. When a bond device in broadcast mode has GRE tap<br /> interfaces as slaves, and those GRE tunnels route back through the<br /> bond, multicast/broadcast traffic triggers infinite recursion between<br /> bond_xmit_broadcast() and ip_tunnel_xmit()/ip6_tnl_xmit(), causing<br /> kernel stack overflow.<br /> <br /> The existing XMIT_RECURSION_LIMIT (8) in the no-qdisc path is not<br /> sufficient because tunnel recursion involves route lookups and full IP<br /> output, consuming much more stack per level. Use a lower limit of 4<br /> (IP_TUNNEL_RECURSION_LIMIT) to prevent overflow.<br /> <br /> Add recursion detection using dev_xmit_recursion helpers directly in<br /> iptunnel_xmit() and ip6tunnel_xmit() to cover all IPv4/IPv6 tunnel<br /> paths including UDP encapsulated tunnels (VXLAN, Geneve, etc.).<br /> <br /> Move dev_xmit_recursion helpers from net/core/dev.h to public header<br /> include/linux/netdevice.h so they can be used by tunnel code.<br /> <br /> BUG: KASAN: stack-out-of-bounds in blake2s.constprop.0+0xe7/0x160<br /> Write of size 32 at addr ffff88810033fed0 by task kworker/0:1/11<br /> Workqueue: mld mld_ifc_work<br /> Call Trace:<br /> <br /> __build_flow_key.constprop.0 (net/ipv4/route.c:515)<br /> ip_rt_update_pmtu (net/ipv4/route.c:1073)<br /> iptunnel_xmit (net/ipv4/ip_tunnel_core.c:84)<br /> ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)<br /> gre_tap_xmit (net/ipv4/ip_gre.c:779)<br /> dev_hard_start_xmit (net/core/dev.c:3887)<br /> sch_direct_xmit (net/sched/sch_generic.c:347)<br /> __dev_queue_xmit (net/core/dev.c:4802)<br /> bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)<br /> bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)<br /> bond_start_xmit (drivers/net/bonding/bond_main.c:5530)<br /> dev_hard_start_xmit (net/core/dev.c:3887)<br /> __dev_queue_xmit (net/core/dev.c:4841)<br /> ip_finish_output2 (net/ipv4/ip_output.c:237)<br /> ip_output (net/ipv4/ip_output.c:438)<br /> iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86)<br /> gre_tap_xmit (net/ipv4/ip_gre.c:779)<br /> dev_hard_start_xmit (net/core/dev.c:3887)<br /> sch_direct_xmit (net/sched/sch_generic.c:347)<br /> __dev_queue_xmit (net/core/dev.c:4802)<br /> bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)<br /> bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)<br /> bond_start_xmit (drivers/net/bonding/bond_main.c:5530)<br /> dev_hard_start_xmit (net/core/dev.c:3887)<br /> __dev_queue_xmit (net/core/dev.c:4841)<br /> ip_finish_output2 (net/ipv4/ip_output.c:237)<br /> ip_output (net/ipv4/ip_output.c:438)<br /> iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86)<br /> ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)<br /> gre_tap_xmit (net/ipv4/ip_gre.c:779)<br /> dev_hard_start_xmit (net/core/dev.c:3887)<br /> sch_direct_xmit (net/sched/sch_generic.c:347)<br /> __dev_queue_xmit (net/core/dev.c:4802)<br /> bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)<br /> bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)<br /> bond_start_xmit (drivers/net/bonding/bond_main.c:5530)<br /> dev_hard_start_xmit (net/core/dev.c:3887)<br /> __dev_queue_xmit (net/core/dev.c:4841)<br /> mld_sendpack<br /> mld_ifc_work<br /> process_one_work<br /> worker_thread<br />