CVE-2026-23172 in Linux
Summary
by MITRE • 02/14/2026
In the Linux kernel, the following vulnerability has been resolved:
net: wwan: t7xx: fix potential skb->frags overflow in RX path
When receiving data in the DPMAIF RX path, the t7xx_dpmaif_set_frag_to_skb() function adds page fragments to an skb without checking if the number of fragments has exceeded MAX_SKB_FRAGS. This could lead to a buffer overflow in skb_shinfo(skb)->frags[] array, corrupting adjacent memory and
potentially causing kernel crashes or other undefined behavior.
This issue was identified through static code analysis by comparing with a similar vulnerability fixed in the mt76 driver commit b102f0c522cf ("mt76: fix array overflow on receiving too many fragments for a packet").
The vulnerability could be triggered if the modem firmware sends packets with excessive fragments. While under normal protocol conditions (MTU 3080 bytes, BAT buffer 3584 bytes), a single packet should not require additional fragments, the kernel should not blindly trust firmware behavior. Malicious, buggy, or compromised firmware could potentially craft packets with more fragments than the kernel expects.
Fix this by adding a bounds check before calling skb_add_rx_frag() to ensure nr_frags does not exceed MAX_SKB_FRAGS.
The check must be performed before unmapping to avoid a page leak and double DMA unmap during device teardown.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 05/05/2026
The vulnerability described in CVE-2026-23172 resides within the Linux kernel's WWAN subsystem, specifically in the t7xx driver implementation that manages communication with certain cellular modems. This issue represents a classic buffer overflow scenario occurring in the data plane processing path where received packets are handled through the DPMAIF (Data Plane Media Access Interface) mechanism. The flaw manifests when the kernel processes incoming network traffic and attempts to construct socket buffer (skb) objects containing page fragments without proper bounds validation.
The technical implementation of this vulnerability stems from the t7xx_dpmaif_set_frag_to_skb() function which directly invokes skb_add_rx_frag() without verifying whether the current fragment count would exceed the maximum allowed fragments per socket buffer. The Linux kernel maintains a constant MAX_SKB_FRAGS that defines the upper limit of fragments that can be attached to any single socket buffer, typically set to 16 fragments on most architectures. When this limit is exceeded, the kernel's internal fragmentation array skb_shinfo(skb)->frags[] becomes corrupted, leading to memory overwrite conditions that can compromise kernel stability and potentially enable privilege escalation attacks.
This vulnerability presents significant operational risks within embedded systems and mobile devices that rely on WWAN connectivity, particularly those using t7xx-based modems manufactured by Spreadtrum or similar chipset vendors. The attack vector requires malicious or compromised modem firmware to send packets containing an excessive number of fragments, which would normally be impossible under standard network protocol constraints. However, the kernel's failure to validate fragment counts before processing creates an exploitable condition where an attacker could craft specially malformed packets to trigger the overflow. The security implications extend beyond simple denial of service since memory corruption could potentially be leveraged to execute arbitrary code within kernel space, representing a critical compromise of system integrity.
The fix implemented addresses the core issue by introducing a bounds check prior to calling skb_add_rx_frag() that prevents the number of fragments from exceeding MAX_SKB_FRAGS. This defensive programming approach aligns with established security practices and follows the same solution pattern used to resolve a similar vulnerability in the mt76 driver, as referenced in commit b102f0c522cf. The timing of this check is crucial as it must occur before DMA unmapping operations to prevent resource leaks and double unmapping conditions that could occur during device teardown. This solution directly addresses CWE-129, which covers improper validation of array indices, and aligns with ATT&CK technique T1068 by potentially enabling privilege escalation through kernel memory corruption. The mitigation ensures that even if malicious firmware attempts to send packets with excessive fragments, the kernel will gracefully handle the condition rather than allowing memory corruption to occur, thereby maintaining system stability and preventing potential exploitation for unauthorized access or system compromise.