CVE-2026-23262 | gve: Fix stats report corruption on queue count change

In the Linux kernel, the following vulnerability has been resolved: gve: Fix stats report corruption on queue count change The driver and the NIC share a region in memory for stats reporting. The NIC calculates its offset into this region based on the total size of the stats region and the size of the NIC's stats. When the number of queues is changed, the driver's stats region is resized. If the queue count is increased, the NIC can write past the end of the allocated stats region, causing memory corruption. If the queue count is decreased, there is a gap between the driver and NIC stats, leading to incorrect stats reporting. This change fixes the issue by allocating stats region with maximum size, and the offset calculation for NIC stats is changed to match with the calculation of the NIC.

Published: 2026-03-18 Last update: 2026-03-19 Assigner: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

NVD Status：Undergoing Analysis，CVE State: published

View at NVD, CVE.org, EUVD

Conclusion & alert: CVE-2026-23262 is rated Low Risk (6.3/100): low exploitation likelihood (EPSS 0.02%). Mandatory action: Low composite risk—no urgent action required; patch on your normal maintenance cycle and revisit priority if CVSS or EPSS increases.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2026-23262

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-03-19	—	0.02%	—

Full EPSS history (1 record total)

Common vulnerability scoring system (CVSS) metrics for CVE-2026-23262

CVSS metrics for this CVE.

No CVSS data in dataset for this CVE.

Weakness enumeration for CVE-2026-23262

OS Trackers for CVE-2026-23262

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2026-23262 not yet assigned priority: Debian including 1 source packages (linux), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2026-23262
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2026-23262
`suse`	medium	CVE-2026-23262 severity moderate: SUSE including 32 source package names (2.1.3-6.144:kernel-default-base-6.4.0-41.1.21.18, 2.1.3-7.127:kernel-default-6.4.0-41.1, …), 63 product×package rows across 13 product lines (Container suse/sl-micro/6.0/base-os-container, Container suse/sl-micro/6.0/kvm-os-container, … (13 product lines)): First Fixed 23, Fixed 20, Known Not Affected 20.	https://www.suse.com/security/cve/CVE-2026-23262/
`ubuntu`	medium	CVE-2026-23262 medium priority: Ubuntu including 157 source packages (linux, linux-allwinner-5.19, …), 1256 status rows across 8 suites (bionic, focal, jammy, noble, questing, trusty, upstream, xenial): DNE 871, ignored 169, needed 85, released 83, not-affected 43, pending 5.	https://ubuntu.com/security/CVE-2026-23262

Affected software / configurations for CVE-2026-23262

Vendor	Product	Version	Raw CPE
No affected products in dataset.

References for CVE-2026-23262

URL	Tags
https://git.kernel.org/stable/c/11f8311f69e4c361717371b4901ff92daeb76e9c
https://git.kernel.org/stable/c/7b9ebcce0296e104a0d82a6b09d68564806158ff
https://git.kernel.org/stable/c/837c662f47dac43efa1aef2dd433c6b4b4c073af
https://git.kernel.org/stable/c/9d93332397405b62a3300b22d04ac65d990b91ff
https://git.kernel.org/stable/c/9fa0a755db3e1945fe00f73fe27d85ef6c8818b7
https://git.kernel.org/stable/c/df54838ab61826ecc1a562ffa5e280c3ab7289a7
https://git.kernel.org/stable/c/f432f7613c220db32c2c6942420daf7b3f2e7d7e

cvelogic Threat Intelligence