{"id":"CVE-2026-23276","summary":"net: add xmit recursion limit to tunnel xmit functions","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: add xmit recursion limit to tunnel xmit functions\n\nTunnel xmit functions (iptunnel_xmit, ip6tunnel_xmit) lack their own\nrecursion limit. When a bond device in broadcast mode has GRE tap\ninterfaces as slaves, and those GRE tunnels route back through the\nbond, multicast/broadcast traffic triggers infinite recursion between\nbond_xmit_broadcast() and ip_tunnel_xmit()/ip6_tnl_xmit(), causing\nkernel stack overflow.\n\nThe existing XMIT_RECURSION_LIMIT (8) in the no-qdisc path is not\nsufficient because tunnel recursion involves route lookups and full IP\noutput, consuming much more stack per level. Use a lower limit of 4\n(IP_TUNNEL_RECURSION_LIMIT) to prevent overflow.\n\nAdd recursion detection using dev_xmit_recursion helpers directly in\niptunnel_xmit() and ip6tunnel_xmit() to cover all IPv4/IPv6 tunnel\npaths including UDP encapsulated tunnels (VXLAN, Geneve, etc.).\n\nMove dev_xmit_recursion helpers from net/core/dev.h to public header\ninclude/linux/netdevice.h so they can be used by tunnel code.\n\n BUG: KASAN: stack-out-of-bounds in blake2s.constprop.0+0xe7/0x160\n Write of size 32 at addr ffff88810033fed0 by task kworker/0:1/11\n Workqueue: mld mld_ifc_work\n Call Trace:\n  \u003cTASK\u003e\n  __build_flow_key.constprop.0 (net/ipv4/route.c:515)\n  ip_rt_update_pmtu (net/ipv4/route.c:1073)\n  iptunnel_xmit (net/ipv4/ip_tunnel_core.c:84)\n  ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)\n  gre_tap_xmit (net/ipv4/ip_gre.c:779)\n  dev_hard_start_xmit (net/core/dev.c:3887)\n  sch_direct_xmit (net/sched/sch_generic.c:347)\n  __dev_queue_xmit (net/core/dev.c:4802)\n  bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)\n  bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)\n  bond_start_xmit (drivers/net/bonding/bond_main.c:5530)\n  dev_hard_start_xmit (net/core/dev.c:3887)\n  __dev_queue_xmit (net/core/dev.c:4841)\n  ip_finish_output2 (net/ipv4/ip_output.c:237)\n  ip_output (net/ipv4/ip_output.c:438)\n  iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86)\n  gre_tap_xmit (net/ipv4/ip_gre.c:779)\n  dev_hard_start_xmit (net/core/dev.c:3887)\n  sch_direct_xmit (net/sched/sch_generic.c:347)\n  __dev_queue_xmit (net/core/dev.c:4802)\n  bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)\n  bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)\n  bond_start_xmit (drivers/net/bonding/bond_main.c:5530)\n  dev_hard_start_xmit (net/core/dev.c:3887)\n  __dev_queue_xmit (net/core/dev.c:4841)\n  ip_finish_output2 (net/ipv4/ip_output.c:237)\n  ip_output (net/ipv4/ip_output.c:438)\n  iptunnel_xmit (net/ipv4/ip_tunnel_core.c:86)\n  ip_tunnel_xmit (net/ipv4/ip_tunnel.c:847)\n  gre_tap_xmit (net/ipv4/ip_gre.c:779)\n  dev_hard_start_xmit (net/core/dev.c:3887)\n  sch_direct_xmit (net/sched/sch_generic.c:347)\n  __dev_queue_xmit (net/core/dev.c:4802)\n  bond_dev_queue_xmit (drivers/net/bonding/bond_main.c:312)\n  bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5279)\n  bond_start_xmit (drivers/net/bonding/bond_main.c:5530)\n  dev_hard_start_xmit (net/core/dev.c:3887)\n  __dev_queue_xmit (net/core/dev.c:4841)\n  mld_sendpack\n  mld_ifc_work\n  process_one_work\n  worker_thread\n  \u003c/TASK\u003e","modified":"2026-04-14T03:48:12.355015Z","published":"2026-03-20T08:08:56.575Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23276.json"},"references":[{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6f1a9140ecda3baba3d945b9a6155af4268aafc4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/834c4f645726a25fd71ea50cdfb5c135f8f95d85"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8a57deeb256069f262957d8012418559ff66c385"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b56b8d19bd05e2a8338385c770bc2b60590bc81e"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23276.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23276"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"745e20f1b626b1be4b100af5d4bf7b3439392f8f"},{"fixed":"834c4f645726a25fd71ea50cdfb5c135f8f95d85"},{"fixed":"8a57deeb256069f262957d8012418559ff66c385"},{"fixed":"b56b8d19bd05e2a8338385c770bc2b60590bc81e"},{"fixed":"6f1a9140ecda3baba3d945b9a6155af4268aafc4"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"3f266b04185de51d8e6446eb1fccec3b5e7ce575"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23276.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.6.37"},{"fixed":"6.12.78"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.19"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.9"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23276.json"}}],"schema_version":"1.7.5"}