CVE-2026-23468

Userspace can pass an arbitrary number of BO list entries via the bo_number field. Although the previous multiplication overflow check prevents out-of-bounds allocation, a large number of entries could still cause excessive memory allocation (up to potentially gigabytes) and unnecessarily long list processing times.

Introduce a hard limit of 128k entries per BO list, which is more than sufficient for any realistic use case (e.g., a single list containing all buffers in a large scene). This prevents memory exhaustion attacks and ensures predictable performance.

Return -EINVAL if the requested entry count exceeds the limit

(cherry picked from commit 688b87d39e0aa8135105b40dc167d74b5ada5332)

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23468.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

d38ceaf99ed015f2a0b9af3499791bd3a3daae21

Fixed

c833d6c7199c5b5fca9ec95593acd539ec9c171c

Fixed

e620378aab78d415bd8a15a2f91c145906520288

Fixed

2723e6851309531ce61aed74e93a0cd268cc862a

Fixed

5ce4a38e6c2488949e373d5066303f9c128db614

Fixed

f462624a6e4b5f1ec2664c2c53e408b2f4fb53e9

Fixed

6270b1a5dab94665d7adce3dc78bc9066ed28bdd

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23468.json"

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.2.0

Fixed

6.1.175

Type: ECOSYSTEM
Events: Introduced

6.2.0

Fixed

6.6.140

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.12.86

Type: ECOSYSTEM
Events: Introduced

6.13.0

Fixed

6.18.20

Type: ECOSYSTEM
Events: Introduced

6.19.0

Fixed

6.19.10

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23468.json"