GHSA-372h-fwqg-rp6x

Опубликовано: 14 фев. 2026

Источник: github

Github: Не прошло ревью

CVSS3: 5.5

Описание

In the Linux kernel, the following vulnerability has been resolved:

virtio_net: Fix misalignment bug in struct virtnet_info

Use the new TRAILING_OVERLAP() helper to fix a misalignment bug along with the following warning:

drivers/net/virtio_net.c:429:46: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end]

This helper creates a union between a flexible-array member (FAM) and a set of members that would otherwise follow it (in this case u8 rss_hash_key_data[VIRTIO_NET_RSS_MAX_KEY_SIZE];). This overlays the trailing members (rss_hash_key_data) onto the FAM (hash_key_data) while keeping the FAM and the start of MEMBERS aligned. The static_assert() ensures this alignment remains.

Notice that due to tail padding in flexible struct virtio_net_rss_config_trailer, rss_trailer.hash_key_data (at offset 83 in struct virtnet_info) and rss_hash_key_data (at offset 84 in struct virtnet_info) are misaligned by on...

In the Linux kernel, the following vulnerability has been resolved:

virtio_net: Fix misalignment bug in struct virtnet_info

Use the new TRAILING_OVERLAP() helper to fix a misalignment bug along with the following warning:

drivers/net/virtio_net.c:429:46: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end]

struct virtio_net_rss_config_trailer { __le16 max_tx_vq; /* 0 2 / __u8 hash_key_length; / 2 1 / __u8 hash_key_data[]; / 3 0 */

/* size: 4, cachelines: 1, members: 3 */ /* padding: 1 */ /* last cacheline: 4 bytes */

};

struct virtnet_info { ... struct virtio_net_rss_config_trailer rss_trailer; /* 80 4 */

/* XXX last struct has 1 byte of padding */ u8 rss_hash_key_data[40]; /* 84 40 */

... /* size: 832, cachelines: 13, members: 48 / / sum members: 801, holes: 8, sum holes: 31 / / paddings: 2, sum paddings: 5 */ };

After changes, those members are correctly aligned at offset 795:

struct virtnet_info { ... union { struct virtio_net_rss_config_trailer rss_trailer; /* 792 4 / struct { unsigned char __offset_to_hash_key_data[3]; / 792 3 / u8 rss_hash_key_data[40]; / 795 40 / }; / 792 43 / }; / 792 44 / ... / size: 840, cachelines: 14, members: 47 / / sum members: 801, holes: 8, sum holes: 35 / / padding: 4 / / paddings: 1, sum paddings: 4 / / last cacheline: 8 bytes */ };

As a result, the RSS key passed to the device is shifted by 1 byte: the last byte is cut off, and instead a (possibly uninitialized) byte is added at the beginning.

As a last note struct virtio_net_rss_config_hdr *rss_hdr; is also moved to the end, since it seems those three members should stick around together. :)

Ссылки

EPSS

Процентиль: 4%

0.00017

Низкий

5.5 Medium

CVSS3

CVE ID

CVE-2026-23143

Связанные уязвимости

CVE-2026-23143

CVSS3: 5.5

ubuntu

около 1 месяца назад

In the Linux kernel, the following vulnerability has been resolved: virtio_net: Fix misalignment bug in struct virtnet_info Use the new TRAILING_OVERLAP() helper to fix a misalignment bug along with the following warning: drivers/net/virtio_net.c:429:46: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end] This helper creates a union between a flexible-array member (FAM) and a set of members that would otherwise follow it (in this case `u8 rss_hash_key_data[VIRTIO_NET_RSS_MAX_KEY_SIZE];`). This overlays the trailing members (rss_hash_key_data) onto the FAM (hash_key_data) while keeping the FAM and the start of MEMBERS aligned. The static_assert() ensures this alignment remains. Notice that due to tail padding in flexible `struct virtio_net_rss_config_trailer`, `rss_trailer.hash_key_data` (at offset 83 in struct virtnet_info) and `rss_hash_key_data` (at offset 84 in struct virtnet_info) are misaligned by one byt...