CVE-2026-23143

{"id": "CVE-2026-23143", "cveTags": [], "metrics": {}, "published": "2026-02-14T16:15:54.383", "references": [{"url": "https://git.kernel.org/stable/c/4156c3745f06bc197094b9ee97a9584e69ed00bf", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ae48108c2310f1dd700e0dbb655c2f1d92ed00fc", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_net: Fix misalignment bug in struct virtnet_info\n\nUse the new TRAILING_OVERLAP() helper to fix a misalignment bug\nalong with the following warning:\n\ndrivers/net/virtio_net.c:429:46: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end]\n\nThis helper creates a union between a flexible-array member (FAM)\nand a set of members that would otherwise follow it (in this case\n`u8 rss_hash_key_data[VIRTIO_NET_RSS_MAX_KEY_SIZE];`). This\noverlays the trailing members (rss_hash_key_data) onto the FAM\n(hash_key_data) while keeping the FAM and the start of MEMBERS aligned.\nThe static_assert() ensures this alignment remains.\n\nNotice that due to tail padding in flexible `struct\nvirtio_net_rss_config_trailer`, `rss_trailer.hash_key_data`\n(at offset 83 in struct virtnet_info) and `rss_hash_key_data` (at\noffset 84 in struct virtnet_info) are misaligned by one byte. See\nbelow:\n\nstruct virtio_net_rss_config_trailer {\n __le16 max_tx_vq; /* 0 2 */\n __u8 hash_key_length; /* 2 1 */\n __u8 hash_key_data[]; /* 3 0 */\n\n /* size: 4, cachelines: 1, members: 3 */\n /* padding: 1 */\n /* last cacheline: 4 bytes */\n};\n\nstruct virtnet_info {\n...\n struct virtio_net_rss_config_trailer rss_trailer; /* 80 4 */\n\n /* XXX last struct has 1 byte of padding */\n\n u8 rss_hash_key_data[40]; /* 84 40 */\n...\n /* size: 832, cachelines: 13, members: 48 */\n /* sum members: 801, holes: 8, sum holes: 31 */\n /* paddings: 2, sum paddings: 5 */\n};\n\nAfter changes, those members are correctly aligned at offset 795:\n\nstruct virtnet_info {\n...\n union {\n struct virtio_net_rss_config_trailer rss_trailer; /* 792 4 */\n struct {\n unsigned char __offset_to_hash_key_data[3]; /* 792 3 */\n u8 rss_hash_key_data[40]; /* 795 40 */\n }; /* 792 43 */\n }; /* 792 44 */\n...\n /* size: 840, cachelines: 14, members: 47 */\n /* sum members: 801, holes: 8, sum holes: 35 */\n /* padding: 4 */\n /* paddings: 1, sum paddings: 4 */\n /* last cacheline: 8 bytes */\n};\n\nAs a result, the RSS key passed to the device is shifted by 1\nbyte: the last byte is cut off, and instead a (possibly\nuninitialized) byte is added at the beginning.\n\nAs a last note `struct virtio_net_rss_config_hdr *rss_hdr;` is also\nmoved to the end, since it seems those three members should stick\naround together. :)"}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nvirtio_net: Corrige un error de desalineaci\u00f3n en la estructura virtnet_info\n\nUsa el nuevo ayudante TRAILING_OVERLAP() para corregir un error de desalineaci\u00f3n junto con la siguiente advertencia:\n\ndrivers/net/virtio_net.c:429:46: advertencia: la estructura que contiene un miembro de array flexible no est\u00e1 al final de otra estructura [-Wflex-array-member-not-at-end]\n\nEste ayudante crea una uni\u00f3n entre un miembro de array flexible (FAM) y un conjunto de miembros que de otro modo lo seguir\u00edan (en este caso 'u8 rss_hash_key_data[VIRTIO_NET_RSS_MAX_KEY_SIZE];'). Esto superpone los miembros finales (rss_hash_key_data) sobre el FAM (hash_key_data) mientras mantiene el FAM y el inicio de los MIEMBROS alineados. El static_assert() asegura que esta alineaci\u00f3n se mantenga.\n\nN\u00f3tese que debido al relleno de cola en la estructura flexible 'struct virtio_net_rss_config_trailer', 'rss_trailer.hash_key_data' (en el desplazamiento 83 en la estructura virtnet_info) y 'rss_hash_key_data' (en el desplazamiento 84 en la estructura virtnet_info) est\u00e1n desalineados por un byte. Ver a continuaci\u00f3n:\n\n```\nstruct virtio_net_rss_config_trailer {\n __le16 max_tx_vq; /* 0 2 */\n __u8 hash_key_length; /* 2 1 */\n __u8 hash_key_data[]; /* 3 0 */\n\n /* size: 4, cachelines: 1, members: 3 */\n /* padding: 1 */\n /* last cacheline: 4 bytes */\n};\n```\n\n```\nstruct virtnet_info {\n...\n struct virtio_net_rss_config_trailer rss_trailer; /* 80 4 */\n\n /* XXX last struct has 1 byte of padding */\n\n u8 rss_hash_key_data[40]; /* 84 40 */\n...\n /* size: 832, cachelines: 13, members: 48 */\n /* sum members: 801, holes: 8, sum holes: 31 */\n /* paddings: 2, sum paddings: 5 */\n};\n```\n\nDespu\u00e9s de los cambios, esos miembros est\u00e1n correctamente alineados en el desplazamiento 795:\n\n```\nstruct virtnet_info {\n...\n union {\n struct virtio_net_rss_config_trailer rss_trailer; /* 792 4 */\n struct {\n unsigned char __offset_to_hash_key_data[3]; /* 792 3 */\n u8 rss_hash_key_data[40]; /* 795 40 */\n }; /* 792 43 */\n }; /* 792 44 */\n...\n /* size: 840, cachelines: 14, members: 47 */\n /* sum members: 801, holes: 8, sum holes: 35 */\n /* padding: 4 */\n /* paddings: 1, sum paddings: 4 */\n /* last cacheline: 8 bytes */\n};\n```\n\nComo resultado, la clave RSS pasada al dispositivo se desplaza 1 byte: el \u00faltimo byte se corta y, en su lugar, se a\u00f1ade un byte (posiblemente no inicializado) al principio.\n\nComo \u00faltima nota, 'struct virtio_net_rss_config_hdr *rss_hdr;' tambi\u00e9n se mueve al final, ya que parece que esos tres miembros deber\u00edan permanecer juntos. :)"}], "lastModified": "2026-02-18T17:52:44.520", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}