Skip to main content

Linux Kernel CVE-2026-31644

| EUVDEUVD-2026-25537 HIGH
Use After Free (CWE-416)
2026-04-24 Linux GHSA-24xp-grcx-7gv9
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 27, 2026 - 20:22 vuln.today
cvss_changed
Patch released
Apr 27, 2026 - 20:19 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:40 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
7.8 (HIGH)
Patch available
Apr 24, 2026 - 16:16 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25537
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:44 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: lan966x: fix use-after-free and leak in lan966x_fdma_reload()

When lan966x_fdma_reload() fails to allocate new RX buffers, the restore path restarts DMA using old descriptors whose pages were already freed via lan966x_fdma_rx_free_pages(). Since page_pool_put_full_page() can release pages back to the buddy allocator, the hardware may DMA into memory now owned by other kernel subsystems.

Additionally, on the restore path, the newly created page pool (if allocation partially succeeded) is overwritten without being destroyed, leaking it.

Fix both issues by deferring the release of old pages until after the new allocation succeeds. Save the old page array before the allocation so old pages can be freed on the success path. On the failure path, the old descriptors, pages and page pool are all still valid, making the restore safe. Also ensure the restore path re-enables NAPI and wakes the netdev, matching the success path.

AnalysisAI

Use-after-free in Linux kernel's lan966x network driver allows local authenticated attackers to achieve arbitrary code execution with high impact to confidentiality, integrity, and availability. The flaw occurs in lan966x_fdma_reload() when RX buffer allocation fails - freed pages remain referenced by active DMA descriptors, causing hardware to write into memory now controlled by other kernel subsystems. Vendor patches available for stable branches 6.12.82, 6.18.23, 6.19.13, and mainline 7.0. EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation. No CISA KEV listing or public exploit identified at time of analysis, but successful exploitation grants kernel-level privileges to local attackers.

Technical ContextAI

The vulnerability resides in the lan966x Ethernet controller's FDMA (Fast DMA) subsystem within the Linux kernel network stack. The lan966x driver uses page pools (a kernel memory management optimization for network buffers) to manage DMA receive descriptors. During descriptor reload operations triggered by buffer reallocation, the code incorrectly releases pages back to the kernel's buddy allocator via page_pool_put_full_page() before ensuring new buffers are successfully allocated. This creates a classic use-after-free condition where hardware DMA descriptors still reference freed memory regions that may have been reallocated to other kernel subsystems (filesystem caches, process memory, etc.). The secondary resource leak occurs because partially successful allocations create a new page pool object that gets overwritten without proper cleanup. The affected code path is specific to Microchip's LAN966x family of Ethernet switch controllers, impacting kernel versions containing commit 89ba464fcf548d64bc7215dfe769f791330ae8b6 through the patched releases.

RemediationAI

Upgrade to patched kernel versions: 6.12.82 or later for the 6.12 LTS branch, 6.18.23 or later for 6.18 stable, 6.19.13 or later for 6.19 stable, or 7.0 or later for mainline. Patches available at https://git.kernel.org/stable/c/59c3d55a946cacdb4181600723c20ac4f4c20c84 (7.0), https://git.kernel.org/stable/c/9950e9199b3dfdfbde0b8d96ba947d7b11243801 (6.19), https://git.kernel.org/stable/c/92a673019943770930e2a8bfd52e1aad47a1fc1f (6.18), and https://git.kernel.org/stable/c/691082c0b93c13a5e068c0905f673060bddc204e (6.12). For systems where immediate kernel updates are not feasible, restrict local user access to trusted administrators only, as the vulnerability requires authenticated local access. Memory pressure conditions that trigger buffer reallocation failures could be avoided through resource reservations, but this is unreliable mitigation - kernel patching is the only complete remedy. Organizations using lan966x hardware in critical infrastructure should schedule maintenance windows for kernel upgrades within standard patch cycles, as the local-only attack vector does not require emergency out-of-band patching unless untrusted local users have access.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31644 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy