Skip to main content

Linux Kernel iavf CVE-2026-31505

| EUVDEUVD-2026-24882 HIGH
Out-of-bounds Write (CWE-787)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-j72v-jx24-rm3p
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
6.1 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 28, 2026 - 15:07 vuln.today
cvss_changed
Patch released
Apr 28, 2026 - 15:06 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:24 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
7.8 (HIGH)
Patch available
Apr 22, 2026 - 16:33 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24882
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

iavf: fix out-of-bounds writes in iavf_get_ethtool_stats()

iavf incorrectly uses real_num_tx_queues for ETH_SS_STATS. Since the value could change in runtime, we should use num_tx_queues instead.

Moreover iavf_get_ethtool_stats() uses num_active_queues while iavf_get_sset_count() and iavf_get_stat_strings() use real_num_tx_queues, which triggers out-of-bounds writes when we do "ethtool -L" and "ethtool -S" simultaneously [1].

For example when we change channels from 1 to 8, Thread 3 could be scheduled before Thread 2, and out-of-bounds writes could be triggered in Thread 3:

Thread 1 (ethtool -L) Thread 2 (work) Thread 3 (ethtool -S) iavf_set_channels() ... iavf_alloc_queues() -> num_active_queues = 8 iavf_schedule_finish_config() iavf_get_sset_count() real_num_tx_queues: 1 -> buffer for 1 queue iavf_get_ethtool_stats() num_active_queues: 8 -> out-of-bounds! iavf_finish_config() -> real_num_tx_queues = 8

Use immutable num_tx_queues in all related functions to avoid the issue.

[1] BUG: KASAN: vmalloc-out-of-bounds in iavf_add_one_ethtool_stat+0x200/0x270 Write of size 8 at addr ffffc900031c9080 by task ethtool/5800

CPU: 1 UID: 0 PID: 5800 Comm: ethtool Not tainted 6.19.0-enjuk-08403-g8137e3db7f1c #241 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x6f/0xb0 print_report+0x170/0x4f3 kasan_report+0xe1/0x180 iavf_add_one_ethtool_stat+0x200/0x270 iavf_get_ethtool_stats+0x14c/0x2e0 __dev_ethtool+0x3d0c/0x5830 dev_ethtool+0x12d/0x270 dev_ioctl+0x53c/0xe30 sock_do_ioctl+0x1a9/0x270 sock_ioctl+0x3d4/0x5e0 __x64_sys_ioctl+0x137/0x1c0 do_syscall_64+0xf3/0x690 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f7da0e6e36d ... </TASK>

The buggy address belongs to a 1-page vmalloc region starting at 0xffffc900031c9000 allocated at __dev_ethtool+0x3cc9/0x5830 The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88813a013de0 pfn:0x13a013 flags: 0x200000000000000(node=0|zone=2) raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000 raw: ffff88813a013de0 0000000000000000 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected

Memory state around the buggy address: ffffc900031c8f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ffffc900031c9000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffffc900031c9080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ^ ffffc900031c9100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ffffc900031c9180: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8

AnalysisAI

Out-of-bounds memory write in Linux kernel iavf (Intel Adaptive Virtual Function) driver allows local authenticated attackers with low privileges to achieve high confidentiality, integrity, and availability impact via race condition during concurrent ethtool operations. The vulnerability stems from inconsistent use of queue counters (real_num_tx_queues vs num_active_queues vs num_tx_queues) across ethtool statistics functions, enabling memory corruption when changing network channels via 'ethtool -L' while simultaneously querying statistics with 'ethtool -S'. Patches available for kernel versions 6.12.80, 6.18.21, 6.19.11, and 7.0. EPSS exploitation probability is low (0.02%, 5th percentile) with no public exploit or active exploitation identified at time of analysis.

Technical ContextAI

The iavf driver manages Intel Adaptive Virtual Function (SR-IOV) network interfaces in virtualized environments. The vulnerability arises from a classic time-of-check-time-of-use (TOCTOU) race condition in the ethtool statistics implementation. Specifically, iavf_get_sset_count() and iavf_get_stat_strings() use real_num_tx_queues to determine buffer size allocation, while iavf_get_ethtool_stats() uses num_active_queues to populate statistics. Since real_num_tx_queues can change at runtime during queue reconfiguration, a race window exists where Thread 1 (ethtool -L changing channels from 1 to 8) updates num_active_queues to 8, Thread 3 (ethtool -S) allocates a buffer for only 1 queue based on the old real_num_tx_queues value, then attempts to write 8 queues of statistics into that undersized buffer before Thread 2's iavf_finish_config() updates real_num_tx_queues to 8. This triggers a vmalloc-out-of-bounds write condition detected by KASAN. The fix enforces use of immutable num_tx_queues across all ethtool statistics functions, eliminating the race condition. This affects kernel versions introducing commit 64430f70ba6f through patches in 6.12.80+, 6.18.21+, 6.19.11+, and 7.0+.

RemediationAI

Upgrade to patched Linux kernel versions: 6.12.80 or later for 6.12.x series (commit bb85741d2dc2be207353a412f51b83697fcbefcf), 6.18.21 or later for 6.18.x series (commit fecacfc95f195b99c71c579a472120d0b4ed65fa), 6.19.11 or later for 6.19.x series (commit 1f931dee5b726df1940348ec31614d64bac03aa6), or 7.0 stable (commit fdf902bf86a80bf15792a1d20a67a5302498d7f1). Patches available from https://git.kernel.org/stable/c/ with commit IDs listed above. If immediate patching is not feasible, implement compensating controls: restrict ethtool command execution to dedicated maintenance windows with serialized operations, disable concurrent administrative sessions on iavf-enabled systems, or implement wrapper scripts enforcing mutex locks around ethtool -L and ethtool -S operations (though this introduces operational complexity and may impact monitoring tools). Monitor kernel logs for KASAN vmalloc-out-of-bounds reports as potential exploitation indicators. Note that disabling iavf entirely eliminates risk but breaks SR-IOV virtual function networking, unacceptable in most virtualized environments.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31505 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy