PT-2026-27724 · Linux · Linux

Published: 2026-03-25 · Updated: 2026-03-25 · CVE-2026-23359

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix stack-out-of-bounds write in devmap

get_upper_ifindexes() iterates over all upper devices and writes their indices into an array without checking bounds.

Also the callers assume that the max number of upper devices is MAX_NEST_DEV and allocate excluded_devices[1+MAX_NEST_DEV] on the stack, but that assumption is not correct and the number of upper devices could be larger than MAX_NEST_DEV (e.g., many macvlans), causing a stack-out-of-bounds write.

Add a max parameter to get_upper_ifindexes() to avoid the issue. When there are too many upper devices, return -EOVERFLOW and abort the redirect.

To reproduce, create more than MAX_NEST_DEV(8) macvlans on a device with an XDP program attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS. Then send a packet to the device to trigger the XDP redirect path.
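
The bounded-write pattern the fix describes, as a userspace model added here for illustration; it is not the kernel patch. The struct model_dev type, MODEL_MAX_UPPERS, the function names with the model/bounded suffixes, the sample ifindex values, and the choice of MAX_NEST_DEV as the bound passed by the caller are all assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#define MAX_NEST_DEV 8       /* value given in the advisory text */
#define MODEL_MAX_UPPERS 64  /* constructed limit, for this model only */

/* Hypothetical stand-in for a net_device and its upper devices (e.g. macvlans). */
struct model_dev {
    int ifindex;
    int upper_ifindex[MODEL_MAX_UPPERS];
    int n_uppers;
};

/* Fixed shape: the caller passes the capacity of indexes[]. The pre-fix loop
 * was the same minus the n >= max test, so it wrote one entry per upper device. */
int get_upper_ifindexes_bounded(const struct model_dev *dev, int *indexes, int max)
{
    int n = 0;
    for (int i = 0; i < dev->n_uppers; i++) {
        if (n >= max)
            return -EOVERFLOW;   /* report instead of writing past the array */
        indexes[n++] = dev->upper_ifindex[i];
    }
    return n;
}

/* Models a broadcast redirect that excludes the ingress device, for a device
 * with n_uppers upper devices. Returns the number of excluded ifindexes,
 * or -EOVERFLOW when the redirect is aborted. */
int model_broadcast_redirect(int n_uppers)
{
    if (n_uppers < 0 || n_uppers > MODEL_MAX_UPPERS)
        return -EINVAL;
    struct model_dev rx = { .ifindex = 2, .n_uppers = n_uppers };
    int excluded_devices[1 + MAX_NEST_DEV];
    for (int i = 0; i < n_uppers; i++)
        rx.upper_ifindex[i] = 100 + i;   /* constructed ifindexes */
    int n = get_upper_ifindexes_bounded(&rx, excluded_devices, MAX_NEST_DEV);
    if (n < 0)
        return n;                        /* abort the redirect */
    excluded_devices[n++] = rx.ifindex;  /* the +1 slot holds the ingress device */
    return n;
}

int main(void)
{
    for (int k = 7; k <= 10; k++)
        printf("%d upper devices -> %d\n", k, model_broadcast_redirect(k));
    return 0;
}
```

With exactly MAX_NEST_DEV upper devices the array is filled to its last slot; one more upper device yields -EOVERFLOW before any write past the array.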

Related Identifiers

CVE-2026-23359

Affected Products

Linux