Message-ID: <2026021421-CVE-2026-23172-acf0@gregkh>
Date: Sat, 14 Feb 2026 17:04:38 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2026-23172: net: wwan: t7xx: fix potential skb->frags overflow in RX path

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

net: wwan: t7xx: fix potential skb->frags overflow in RX path

When receiving data in the DPMAIF RX path,
the t7xx_dpmaif_set_frag_to_skb() function adds
page fragments to an skb without checking if the number of
fragments has exceeded MAX_SKB_FRAGS. This could lead to a buffer overflow
in skb_shinfo(skb)->frags[] array, corrupting adjacent memory and
potentially causing kernel crashes or other undefined behavior.

This issue was identified through static code analysis by comparing with a
similar vulnerability fixed in the mt76 driver commit b102f0c522cf ("mt76:
fix array overflow on receiving too many fragments for a packet").

The vulnerability could be triggered if the modem firmware sends packets
with excessive fragments. While under normal protocol conditions (MTU 3080
bytes, BAT buffer 3584 bytes),
a single packet should not require additional
fragments, the kernel should not blindly trust firmware behavior.
Malicious, buggy, or compromised firmware could potentially craft packets
with more fragments than the kernel expects.

Fix this by adding a bounds check before calling skb_add_rx_frag() to
ensure nr_frags does not exceed MAX_SKB_FRAGS.

The check must be performed before unmapping to avoid a page leak
and double DMA unmap during device teardown.

The Linux kernel CVE team has assigned CVE-2026-23172 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 5.19 with commit d642b012df70a76dd5723f2d426b40bffe83ac49 and fixed in 6.1.162 with commit f9747a7521a48afded5bff2faf1f2dcfff48c577
	Issue introduced in 5.19 with commit d642b012df70a76dd5723f2d426b40bffe83ac49 and fixed in 6.6.123 with commit 2a0522f564acd34442652ea083091c329fa7c5d5
	Issue introduced in 5.19 with commit d642b012df70a76dd5723f2d426b40bffe83ac49 and fixed in 6.12.69 with commit af4b8577d0b388cc3d0039eb0cdd9ca5bbbc9276
	Issue introduced in 5.19 with commit d642b012df70a76dd5723f2d426b40bffe83ac49 and fixed in 6.18.9 with commit 2c0fb0f60bc1545c52da61bc6bd4855c1e7814ba
	Issue introduced in 5.19 with commit d642b012df70a76dd5723f2d426b40bffe83ac49 and fixed in 6.19 with commit f0813bcd2d9d97fdbdf2efb9532ab03ae92e99e6

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2026-23172
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/net/wwan/t7xx/t7xx_hif_dpmaif_rx.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/f9747a7521a48afded5bff2faf1f2dcfff48c577
	https://git.kernel.org/stable/c/2a0522f564acd34442652ea083091c329fa7c5d5
	https://git.kernel.org/stable/c/af4b8577d0b388cc3d0039eb0cdd9ca5bbbc9276
	https://git.kernel.org/stable/c/2c0fb0f60bc1545c52da61bc6bd4855c1e7814ba
	https://git.kernel.org/stable/c/f0813bcd2d9d97fdbdf2efb9532ab03ae92e99e6

Powered by blists - more mailing lists