Skip to main content

Linux Kernel CVE-2026-31395

| EUVDEUVD-2026-18772 HIGH
Out-of-bounds Read (CWE-125)
2026-04-03 Linux GHSA-prjx-7cfw-rqr7
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
6.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Updated
May 20, 2026 - 15:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 20, 2026 - 15:22 vuln.today
cvss_changed
CVSS changed
May 20, 2026 - 15:22 NVD
7.1 (HIGH)
Patch available
Apr 16, 2026 - 05:29 EUVD
19aa416eed9e4aaf1bbe8da0f7bd9a9be31158c8,64dcbde7f8f870a4f2d9daf24ffb06f9748b5dd3
EUVD ID Assigned
Apr 03, 2026 - 15:30 euvd
EUVD-2026-18772
Analysis Generated
Apr 03, 2026 - 15:30 vuln.today
CVE Published
Apr 03, 2026 - 15:15 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

bnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler

The ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER handler in bnxt_async_event_process() uses a firmware-supplied 'type' field directly as an index into bp->bs_trace[] without bounds validation.

The 'type' field is a 16-bit value extracted from DMA-mapped completion ring memory that the NIC writes directly to host RAM. A malicious or compromised NIC can supply any value from 0 to 65535, causing an out-of-bounds access into kernel heap memory.

The bnxt_bs_trace_check_wrap() call then dereferences bs_trace->magic_byte and writes to bs_trace->last_offset and bs_trace->wrapped, leading to kernel memory corruption or a crash.

Fix by adding a bounds check and defining BNXT_TRACE_MAX as DBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE + 1 to cover all currently defined firmware trace types (0x0 through 0xc).

AnalysisAI

Out-of-bounds read and write in the Broadcom bnxt_en network driver of the Linux kernel allows a malicious or compromised NIC to corrupt kernel heap memory or crash the system. The flaw resides in the DBG_BUF_PRODUCER async event handler, which uses a firmware-supplied 16-bit 'type' field as an unchecked index into the bp->bs_trace[] array. No public exploit identified at time of analysis and EPSS rates exploitation probability at just 0.02%, but the impact on confidentiality and availability is high where the trust boundary between NIC firmware and kernel is relevant.

Technical ContextAI

The bnxt_en driver supports Broadcom NetXtreme-C/E Ethernet controllers (BCM573xx/574xx/575xx series) widely deployed in enterprise and cloud servers. The bug is rooted in CWE-125 (Out-of-bounds Read) but the patch description shows it also enables an out-of-bounds write through bnxt_bs_trace_check_wrap(), which dereferences a magic_byte pointer and writes to last_offset and wrapped fields at the attacker-influenced offset. The vulnerable code path processes async event completions from DMA-mapped ring memory that the NIC writes directly to host RAM, meaning the kernel treats untrusted device-supplied data as a trusted index without validating it against the bounds of the bs_trace[] array (which only legitimately covers values 0x0-0xc).

RemediationAI

Vendor-released patch: upgrade to Linux 6.18.20, 6.19.10, or 7.0-rc5 (or later) which contain the bounds check defining BNXT_TRACE_MAX, per the stable commits at https://git.kernel.org/stable/c/19aa416eed9e4aaf1bbe8da0f7bd9a9be31158c8, https://git.kernel.org/stable/c/b7c7a275447c6d4bf4a36a134682e2e4e20efd4b, and https://git.kernel.org/stable/c/64dcbde7f8f870a4f2d9daf24ffb06f9748b5dd3. For systems that cannot be patched immediately, compensating controls include unloading the bnxt_en module on hosts that do not use Broadcom NetXtreme NICs (trade-off: loss of network connectivity on affected hardware), avoiding pass-through of Broadcom NICs to untrusted guests in virtualization or confidential computing scenarios, and ensuring NIC firmware is sourced only from Broadcom signed releases to reduce the risk of firmware tampering. There is no userspace-level workaround since the trust boundary is between device firmware and kernel.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31395 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy