CVE-2026-23390: Linux dma_map_sg Tracepoint Fixed With 128-Entry Cap

CVE-2026-23390 is a textbook example of how a small tracing feature can become a security concern when real-world workloads push it beyond the assumptions baked into the code. The Linux kernel’s dma_map_sg tracepoint could allocate dynamic arrays large enough to overflow the fixed PERF_MAX_TRACE_SIZE limit when tracing very large scatter-gather lists, especially on systems handling heavyweight graphics paths such as virtio-gpu. The upstream fix caps the dynamic arrays at 128 entries and adds a truncation indicator so users can see when trace data has been shortened, preserving observability without letting the perf buffer run past its bounds. That combination—bounded allocation, explicit truncation, and preservation of the original counts—makes this a neat kernel hardening patch rather than a broad redesign. The CVE record itself was published through Microsoft’s update guidance and linked back to the kernel.org fix series on March 25, 2026, underscoring how quickly a Linux kernel bug can move from source tree to enterprise vulnerability workflows. Linux kernel tracing subsystem is designed to make low-level behavior visible without materially changing it. That mission sounds straightforward, but it is surprisingly easy to undermine when trace events need to serialize variable-length data structures into fixed-size perf buffers. The problem behind CVE-2026-23390 sits right at that seam: dma_map_sg produces trace data that scales with the number of scatter-gather entries, and the kernel has to decide how much of that data to copy into a trace event while staying within buffer constraints. The Linux tracepoint infrastructure is powerful precisely because it can capture internal state at high speed, but the same flexibility means event payload design matters just as much as the instrumentation itself.
Scatter-gather lists are a standard part of the Linux DMA API. They let drivers describe physically noncontiguous memory to hardware, and the DMA subsystem may merge adjacent regions or split them based on IOMMU behavior and hardware constraints. In ordinary cases, that is efficient and largely invisible. But the same mechanism can generate very large entry counts when buffers are fragmented or when a device, such as a GPU, is dealing with large imported or exported objects. The kernel documentation explains that dma_map_sg() returns the number of DMA address segments mapped, which may be shorter than the original nents because of merging, but the input list can still be quite large.
That is why the CVE description explicitly calls out virtio-gpu and large DRM buffers. A graphics stack that builds or manipulates sizable images can easily produce scatter-gather lists with more than a thousand entries, and the tracepoint then tries to represent several arrays at once: physical addresses, DMA addresses, and lengths. The result is not just a lot of data; it is enough data to exceed the perf trace event budget by a wide margin. The kernel report cited in the CVE description says the resulting warning was a perf buffer complaint about wanting 24,620 bytes while only 8,192 were available, whichof failure that makes a “diagnostic” path start behaving like a reliability bug.
The fix is conceptually simple, which is often a sign that the bug was caused by a missing guard rather than a flawed subsystem design. The patch introduces a cap of 128 entries for the dynamic arrays used by the tracepoint, applying min() during array-size calculation so the trace event only allocates what it needs up to that limit. It also records the full entry counts and marks the event as truncated when the cap is hit, allowing tooling and analysts to distinguish a complete sample from a shortened one. That approach preserves the usefulness of the trait robust against unusually large scatter-gather workloads.
At a higher level, this vulnerability reflects a recurring kernel lesson: trace instrumentation is not “free metadata.” When it serializes live kernel state into a fixed ring buffer, it must obey the same memory discipline as any other data path. The more dynamic the object being traced, the more important it becomes to choose conservative representation rules, even if that means the trace is incomplete in edge cases. In other words, a better bounded trace is usually more valuable than an unbounded one that can knock over the very subsystem it is observing.

How the Bug Emerged​

The CVE description gives a useful numeric illustration of the problem. With a large scatter-gather list, the tracepoint may need to emit thousands of bytes of address and length data. For 1,000 entries, physical addresses alone can consume about 8 KB, DMA addresses another 8 KB, and lengths an additional 4 KB. That lands well above the kernel’s perf trace maximum, and the overflow is not theoretical; the reported warning shows the kernel explicitly refusing a request that exceeded the buffer’s capacity. The bug is therefore not merely about performance or excess mema trace path that can no longer represent the event safely once the input crosses a scale threshold.

Why graphics workloads matter​

Graphics drivers are especially good at exposing this sort of edge case because they frequently work with large, fragmented, or imported buffers. In the Linux DRM ecosystem, buffer management often involves scatter-gather structures, DMA-BUF attachments, and hardware-facing mappings that are wider than what a simple desktop workload would generate. The kernel’s DMA-BUF documentation and DRM memory-management docs both emphasize that these paths rely on scatter lists and mapped attachments as foundational building blocks, not as unusual exceptions. That means a tracepoint that looks safe under modest loads can still fail in production on systems doing real graphics work.
This is also why the CVE reads like a “small bug, large footprint” issue. A virtio-gpu guest generating a substantial buffer can create a scatter-gather list large enough to trip the tracepoint even if the underlying DMA operation itself succeeds normally. The tracing subsystem then becomes the failure point, not the workload. That separation matters operationally because administrators maykernel log and assume the graphics path is broken, when the root cause is actually the trace event trying to over-serialize an oversized list.

What makes the tracepoint fragile​

The tracepoint’s fragility comes from the fact that it tries to materialize three parallel arrays. That is a lot of per-entry overhead even before the event size is computed, and it scales linearly with the number of scatter-gather entries. Once the count is high enough, the tracepoint’s own bookkeeping becomes the dominant consumer of buffer space. The Linux perf infrastructure has a hard ceiling for trace event size, so the point of failure is predictable once the event exceeds that ceiling by design.
The best way to understand the patch is to think of it as converting an assume the trace fits model into an emit as much as possible, then say so model. That is a subtle but important shift. It acknowledges that trace consumers may nothe original list to diagnose a problem, but they do need truthful metadata about how much of the event they actually received. That is the essence of a good bounded telemetry design.

The Fix Strategy​

The upstream fix does not attempt to redesign the tracing infrastructure or increase the perf buffer limit. Instead, it constrains the size of the arrays generated for the dma_map_sg tracepoint to a manageable maximum. This is exactly the kind of surgical patch kernel maintainers prefer when the problem is in event composition rather than in DMA itself. The code now sizes arrays_TRACE_MAX_ENTRIES)`, which means small operations remain compact, while large ones are deliberately truncated before they can exceed the trace buffer’s capacity.

Why 128 entries is enough​

Capping the arrays at 128 entries is a compromise between utility and safety. It is large enough to preserve meaningful samples for most operations and small enough to keep the trace event comfortably within the perf buffer ceiling. In practical terms, the kernel only needs enough detail to show the shape of the mapping and enough context to idents. Once the event grows beyond that, the incremental diagnostic value drops sharply while the risk of exhausting the trace buffer rises fast.
There is also an important ergonomics angle here. A smaller cap avoids wasting memory on ordinary cases, because the patch does not allocate a fixed maximum every time. That was one of the changes made in v2: use the actual count, bounded by the cap, rather than always reserving the cap’s full size. T of the kernel’s bias toward pay only for what you need, especially in code that may be hit frequently during tracing.

Why the truncated flag matters​

A tracepoint that silently drops data is dangerous because it can mislead analysts into assuming they saw a complete event. The fix avoids that by carrying the full counts and a truncated flag, making the loss of detail explicit. That design choice improves the tracepoint’s honesty, which is often more valuable than completeness when instrumentation must operate within tight bounds. Observability tools ca to treat the event as partial, correlate it with other samples, or ignore it for certain analyses.
This is also a good reminder that security fixes and diagnostics are not always opposites. A better tracepoint can be both safer and more useful. By keeping the original counts visible, the patch preserves the forensic value of the trace while preventing a buffer overrun iself. That balance is what makes the fix elegant rather than merely defensive.

Impact on Tracing and Perf​

Tracepoints are often used by developers, performance engineers, and kernel diagnosticians who assume that instrumentation will be low-risk. CVE-2026-23390 undermines that assumption in a very specific way: the tracepoint itself becomes a source of instability when it tries to record a pathological but legitimate workload. The kernel warning in the CVE description is especially notable because it shows the failure as a perf buffer sizing issue, not as a traditional memory corruption inside the DMA subsystem. That meanered by visibility tooling, not by the primary data path.

The cost of oversized event payloads​

When trace events get too big, they can exhaust the available buffer budget in ways that are difficult to predict from the call site. That becomes more likely when the event includes several dynamic arrays, as the dma_map_sg tracepoint does. Each extra field multiplies the total event size, and when the input count is large enough, the cost grows beyond what perf was designed to hold. This is a classic example of a diagnostic path having a hidden scaling limit.
For production systems, the practical consequence is less about an immediate crash and more about the risk of noisy warnings, failed trace collection, and degraded trust in tracing output. That still matters. Administrators and performance teams often use trace data to answer urgent questions during outages,tem that fails under high-load conditions can block root-cause analysis at exactly the wrong time.

How this affects tooling​

Tooling that consumes perf tracepoint data will need to respect the new truncation semantics. That is a healthy change, but it also means downstream scripts and observability pipelines should not assume every trace sample contains a full scatter-gather list. Instead, consumers should treat the new flag as an integrity signal and decide whether partial data is acceptable for their use case. In practice, that may mean updaers, or alerting logic that previously relied on all entries being available.
The upside is that the tracepoint now behaves more like a bounded sampler than a full data dump. That is usually the right tradeoff for kernel observability. A trace event should help answer questions, not create a larger availability problem than the one it is intended to diagnose.

Enterprise and Consumer Implications​

For consumer systems, the most visible effect will probably be indirect: users may never know this CVE exists unless they are running a kernel with tracing enabled and encounter the warning during a graphics-heavy workload. Most desktop users do not trace dma_map_sg events in day-to-day use. But on developer workstations, tnes used for kernel debugging, the issue could show up as a frustrating trace failure during high-volume GPU activity.
Enterprise environments have a broader exposure profile because they often mix diagnostics, virtualization, and graphics acceleration across many host types. A hypervisor or cloud guest using virtio-gpu may generate the very sort of large scatter-gather lists that expose the bug, and enterprises are more likely than consumers to run detailed tracing during performance investigations. That makes the CVE relevant not because it is remotely exploitable in a dcause it can interfere with operational observability in a way that slows down incident response.

Why Microsoft is tracking it​

Microsoft’s publication of the issue through its Security Update Guide is important because it makes the Linux kernel fix part of a mainstream enterprise vulnerability workflow. Microsoft routinely surfaces external CVEs in its update guidance, even when the affected code is Linux rather than Windows. For organizations that normalize all advisories through one security operations process, this kind of publication is the sias crossed from upstream kernel development into patch-management territory.
That visibility does not change the technical nature of the bug, but it does change how quickly it gets noticed. Enterprises often triage by source, and a Microsoft entry can trigger faster review than a standalone kernel mailing list discussion. In path to publication is as important as the bug itself.

A mixed fleet problem​

Mixed Windows/Linux fleets complicate the remediation picture. Even though the bug is in Linux, the vulnerability may still sit inside a patch-management pipeline administered by teams that handle Windows endpoints, Linux servers, containers, and virtualization layers together. In that world, a Linux CVE published by Microsoft is not unusual; it is just one more item in a shared intake queue. The challenge is making sure it gets routed to the Linux kernually validate and deploy the fix.
That separation of publication and remediation is a recurring modern enterprise theme. Visibility is increasingly platform-agnostic, while the actual fix remains highly platform-specific. CVE-2026-rn perfectly.

Strengths and Opportunities​

The fix has several strengths that make it well-suited to stable backporting and low-risk deployment. It is narrow, it is mechanically simple, and it preserves the tracepoint’s utility while removing the overflow condition. Just as importantly, it leaves a paper trail for analysts by recording the original counts and the truncation status instead of discarding information silently. That makes the patch both safer and moreinimal behavioral disruption**: the patch changes trace sizing, not DMA behavior.

• Bounded allocation: the tracepoint now stays within a safe event-size envelope.
• Clear truncation semantics: tooling can detect when data was capped.
• Better memory discipline: small operations no longer pay for a fixed oversized allocation.
• Stable-tree friendly: the change is easy to backport without collateral feature churn.
• Improved observability honesty: partial data is labeled, not hidden.
• Good fit for enterprise maintenance: the bug is straightforward to triage and validate.

Wnel pattern​

The deeper opportunity here is architectural. The kernel is increasingly full of instrumentation paths that must serialize variable-length state into fixed buffers. Fixes like this establish a useful pattern: cap the payload, preserve the metadata, and be explicit about loss of detail. That is a model other tracepoints can follow when faced with similarly dynamic structures.

Risks and Concerns​

The main concern is not that the fix is weak, but that the bug sits in a path many people assume is harmless. Tracepoints are supposed to be passive, so operators may underestimate the importance of a tracing CVE until it disrupts a debug session or performance investigation. There is also a risk that downstream tooling may not yet understand the new truncated flag, which could create confusing partial are updated.

• Trace consumers may misread partial samples if they do not check the truncation indicator.
• Legacy tooling may assume complete arrays, leading to parsing quirks.
• Kernel warnings can still create operational noise on systems doing heavy DMA work.
• Vendor backports may lag across different stable branches and distro kernels.
• Diagnostics users may overtrust trace completeness unless they are trained to look for caps.
• Large graphics or virtualization workloads remain the trigger condition, so the issue will not disappear on its own.
• The bug is subtle enough to be overlooked in environments that rarely use kere subtle risk of “safe enough” tracing

There is a broader maintenance risk as well. Once a tracepoint has been capped, developers may be tempted to treat the event as “solved” and move on. But the real lesson is that every dynamic tracepoint needs an explicit size policy. If that policy is missing elsewhere in the kernel, the same pattern could recur in other subsystems that serialize large tables, arrays, or descriptor lists.

What to Watch Next​

The most important follow-up is whether downstream vendors have already pulled the fix into their supported kernel branches. Because the CVE was published with a specific kernel.org stable reference, it should not be difficult for distributions to backport, but timing will vary. Administrators should expect the patch to appear in vendor advisories or security eying on the mainline tree alone.
Another thing to watch is tooling adoption. Once tracepoints start advertising truncation explicitly, observability stacks may need updates so they can flag partial events correctly. That matters especially for teams that use perf traces in automated analysis, where a truncated sample could otherwise be mplete one.

Practical next steps​

• Verify whether your kernel build includes the dma_map_sg tracepoint fix.
• Check vendor advisories for backported versions and package names.
• Update any perf-trace parsers that rely on the old event layout.
• Treat truncation-aware trace data as partial, not complete.
• Re-run tracing workflows that rely on large DRM or virtio-gpu buffeger-term watch item is broader than this one CVE: kernel tracepoints that serialize dynamic arrays need explicit caps by default. As the kernel continues to instrument more subsystems, the boundary between “observability” and “resource pressure” will matter more, not less. That makes CVE-2026-23390 a modest bug with a disproportionately useful lesson.

The real significance of CVE-2026-23390 is that it shows how quickly an internal diagnostic path can become part of the security surface when it handles data at scale. The fix is small, the operational impact is contained, and the remediation path is clear, but the lesson is durable: kernel tracing must be engineered with the same discipline as kernel data paths. When a tracepoint can be triggered by ordinary graphics workloads and can overflow a fixed perf budget, it is no longer just a debugging aid; it is infrastructure that needs bounds, metadata, and respect.

---

Source: NVD / Linux Kernel Security Update Guide - Microsoft Security Response Center