net/sched: act_ife: Fix metalist update behavior_CVE-2026-23378

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

net/sched: act_ife: Fix metalist update behavior

Whenever an ife action replace changes the metalist, instead of
replacing the old data on the metalist, the current ife code is appending
the new metadata. Aside from being innapropriate behavior, this may lead
to an unbounded addition of metadata to the metalist which might cause an
out of bounds error when running the encode op:

[ 138.423369][ C1] ==================================================================
[ 138.424317][ C1] BUG: KASAN: slab-out-of-bounds in ife_tlv_meta_encode (net/ife/ife.c:168)
[ 138.424906][ C1] Write of size 4 at addr ffff8880077f4ffe by task ife_out_out_bou/255
[ 138.425778][ C1] CPU: 1 UID: 0 PID: 255 Comm: ife_out_out_bou Not tainted 7.0.0-rc1-00169-gfbdfa8da05b6 #624 PREEMPT(full)
[ 138.425795][ C1] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 138.425800][ C1] Call Trace:
[ 138.425804][ C1] <IRQ>
[ 138.425808][ C1] dump_stack_lvl (lib/dump_stack.c:122)
[ 138.425828][ C1] print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)
[ 138.425839][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 138.425844][ C1] ? __virt_addr_valid (./arch/x86/include/asm/preempt.h:95 (discriminator 1) ./include/linux/rcupdate.h:975 (discriminator 1) ./include/linux/mmzone.h:2207 (discriminator 1) arch/x86/mm/physaddr.c:54 (discriminator 1))
[ 138.425853][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:168)
[ 138.425859][ C1] kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:597)
[ 138.425868][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:168)
[ 138.425878][ C1] kasan_check_range (mm/kasan/generic.c:186 (discriminator 1) mm/kasan/generic.c:200 (discriminator 1))
[ 138.425884][ C1] __asan_memset (mm/kasan/shadow.c:84 (discriminator 2))
[ 138.425889][ C1] ife_tlv_meta_encode (net/ife/ife.c:168)
[ 138.425893][ C1] ? ife_tlv_meta_encode (net/ife/ife.c:171)
[ 138.425898][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 138.425903][ C1] ife_encode_meta_u16 (net/sched/act_ife.c:57)
[ 138.425910][ C1] ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114)
[ 138.425916][ C1] ? __asan_memcpy (mm/kasan/shadow.c:105 (discriminator 3))
[ 138.425921][ C1] ? __pfx_ife_encode_meta_u16 (net/sched/act_ife.c:45)
[ 138.425927][ C1] ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)
[ 138.425931][ C1] tcf_ife_act (net/sched/act_ife.c:847 net/sched/act_ife.c:879)

To solve this issue, fix the replace behavior by adding the metalist to
the ife rcu data structure.

Basic Information

ID CVE-2026-23378

Source Linux

Published Mar 25, 2026 at 10:27

Modified Apr 2, 2026 at 14:44

Affected Product

Vendor Linux

Product Linux

Version aa9fd9a325d51fa0b11153b03b8fefff569fa955

Affected Versions Linux Linux aa9fd9a325d51fa0b11153b03b8fefff569fa955
Linux Linux aa9fd9a325d51fa0b11153b03b8fefff569fa955
Linux Linux aa9fd9a325d51fa0b11153b03b8fefff569fa955
Linux Linux aa9fd9a325d51fa0b11153b03b8fefff569fa955
Linux Linux aa9fd9a325d51fa0b11153b03b8fefff569fa955
Linux Linux aa9fd9a325d51fa0b11153b03b8fefff569fa955
Linux Linux 4.15

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_ife: Fix metalist update behavior\n\nWhenever an ife action replace changes the metalist, instead of\nreplacing the old data on the metalist, the current ife code is appending\nthe new metadata. Aside from being innapropriate behavior, this may lead\nto an unbounded addition of metadata to the metalist which might cause an\nout of bounds error when running the encode op:\n\n[  138.423369][    C1] ==================================================================\n[  138.424317][    C1] BUG: KASAN: slab-out-of-bounds in ife_tlv_meta_encode (net/ife/ife.c:168)\n[  138.424906][    C1] Write of size 4 at addr ffff8880077f4ffe by task ife_out_out_bou/255\n[  138.425778][    C1] CPU: 1 UID: 0 PID: 255 Comm: ife_out_out_bou Not tainted 7.0.0-rc1-00169-gfbdfa8da05b6 #624 PREEMPT(full)\n[  138.425795][    C1] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011\n[  138.425800][    C1] Call Trace:\n[  138.425804][    C1]  <IRQ>\n[  138.425808][    C1]  dump_stack_lvl (lib/dump_stack.c:122)\n[  138.425828][    C1]  print_report (mm/kasan/report.c:379 mm/kasan/report.c:482)\n[  138.425839][    C1]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[  138.425844][    C1]  ? __virt_addr_valid (./arch/x86/include/asm/preempt.h:95 (discriminator 1) ./include/linux/rcupdate.h:975 (discriminator 1) ./include/linux/mmzone.h:2207 (discriminator 1) arch/x86/mm/physaddr.c:54 (discriminator 1))\n[  138.425853][    C1]  ? ife_tlv_meta_encode (net/ife/ife.c:168)\n[  138.425859][    C1]  kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:597)\n[  138.425868][    C1]  ? ife_tlv_meta_encode (net/ife/ife.c:168)\n[  138.425878][    C1]  kasan_check_range (mm/kasan/generic.c:186 (discriminator 1) mm/kasan/generic.c:200 (discriminator 1))\n[  138.425884][    C1]  __asan_memset (mm/kasan/shadow.c:84 (discriminator 2))\n[  138.425889][    C1]  ife_tlv_meta_encode (net/ife/ife.c:168)\n[  138.425893][    C1]  ? ife_tlv_meta_encode (net/ife/ife.c:171)\n[  138.425898][    C1]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[  138.425903][    C1]  ife_encode_meta_u16 (net/sched/act_ife.c:57)\n[  138.425910][    C1]  ? __pfx_do_raw_spin_lock (kernel/locking/spinlock_debug.c:114)\n[  138.425916][    C1]  ? __asan_memcpy (mm/kasan/shadow.c:105 (discriminator 3))\n[  138.425921][    C1]  ? __pfx_ife_encode_meta_u16 (net/sched/act_ife.c:45)\n[  138.425927][    C1]  ? srso_alias_return_thunk (arch/x86/lib/retpoline.S:221)\n[  138.425931][    C1]  tcf_ife_act (net/sched/act_ife.c:847 net/sched/act_ife.c:879)\n\nTo solve this issue, fix the replace behavior by adding the metalist to\nthe ife rcu data structure.",
    "published": "2026-03-25T10:27:57.986Z",
    "modified": "2026-04-02T14:44:26.414Z",
    "type": "cve",
    "title": "net/sched: act_ife: Fix metalist update behavior",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/56ade7ddea6ce605552341785d08e365c3f61861\nhttps://git.kernel.org/stable/c/5b1449301ca070814d866990b46f48d3f39ea4ee\nhttps://git.kernel.org/stable/c/91a89d3bdc2f63d983adc13d1771631663c5dc1b\nhttps://git.kernel.org/stable/c/cd888c3966672239f2e0707b846a5a936ac9038a\nhttps://git.kernel.org/stable/c/691866c4cca54dc4df762276b49e89b36e046947\nhttps://git.kernel.org/stable/c/e2cedd400c3ec0302ffca2490e8751772906ac23",
    "id": "CVE-2026-23378",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux aa9fd9a325d51fa0b11153b03b8fefff569fa955\nLinux Linux aa9fd9a325d51fa0b11153b03b8fefff569fa955\nLinux Linux aa9fd9a325d51fa0b11153b03b8fefff569fa955\nLinux Linux aa9fd9a325d51fa0b11153b03b8fefff569fa955\nLinux Linux aa9fd9a325d51fa0b11153b03b8fefff569fa955\nLinux Linux aa9fd9a325d51fa0b11153b03b8fefff569fa955\nLinux Linux 4.15",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "aa9fd9a325d51fa0b11153b03b8fefff569fa955",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply