Skip to main content

Linux Kernel CVE-2026-43031

| EUVDEUVD-2026-26630 HIGH
2026-05-01 Linux
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 03, 2026 - 07:36 vuln.today
CVSS changed
May 03, 2026 - 07:22 NVD
7.5 (HIGH)
Patch released
May 03, 2026 - 07:16 nvd
Patch available
Patch available
May 01, 2026 - 16:33 EUVD
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26630
Analysis Generated
May 01, 2026 - 15:00 vuln.today
CVE Published
May 01, 2026 - 14:15 nvd
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: xilinx: axienet: Fix BQL accounting for multi-BD TX packets

When a TX packet spans multiple buffer descriptors (scatter-gather), axienet_free_tx_chain sums the per-BD actual length from descriptor status into a caller-provided accumulator. That sum is reset on each NAPI poll. If the BDs for a single packet complete across different polls, the earlier bytes are lost and never credited to BQL. This causes BQL to think bytes are permanently in-flight, eventually stalling the TX queue.

The SKB pointer is stored only on the last BD of a packet. When that BD completes, use skb->len for the byte count instead of summing per-BD status lengths. This matches netdev_sent_queue(), which debits skb->len, and naturally survives across polls because no partial packet contributes to the accumulator.

AnalysisAI

Linux kernel axienet driver can permanently stall network transmit queues due to incorrect Byte Queue Limits (BQL) accounting when scatter-gather TX packets span multiple NAPI polls. When a multi-buffer-descriptor packet completes across different polling cycles, only partial byte counts are credited to BQL, causing the subsystem to incorrectly believe bytes remain in-flight indefinitely and halting transmission. Vendor patches available for stable branches (6.18.22, 6.19.12, 7.0). EPSS exploitation probability is 2% (4th percentile), no active exploitation confirmed, indicating low real-world targeting despite the 7.5 CVSS score.

Technical ContextAI

The Xilinx AXI Ethernet driver in the Linux kernel implements scatter-gather DMA using multiple buffer descriptors (BDs) per packet. The Byte Queue Limits (BQL) subsystem tracks in-flight TX bytes to prevent queue bloat. The axienet_free_tx_chain function accumulates transmitted byte counts from BD status fields, but this accumulator resets on each NAPI polling cycle. When a multi-BD packet's descriptors complete across different poll invocations, only the bytes from the final poll are credited via netdev_completed_queue, while earlier BDs' bytes are lost. This creates a permanent accounting mismatch: netdev_sent_queue debits the full skb->len, but netdev_completed_queue only credits partial bytes. BQL interprets this as perpetually in-flight data and eventually stops the queue via __netdev_tx_sent_queue logic. The fix stores SKB pointers only on the last BD and uses skb->len for the complete byte count, ensuring atomic per-packet accounting immune to poll boundaries. Affected CPE indicates all Linux kernel versions with commits descending from c900e49d58eb until patches 3c3a6b9020c0 (stable), d1978d03e867 (stable), and 2a0323a91310 (mainline).

RemediationAI

Update Linux kernel to patched versions: 6.18.22 or later for 6.18.x series, 6.19.12 or later for 6.19.x series, or 7.0 final release for mainline. Patches available from kernel.org stable trees at references above (commits 3c3a6b9020c0, d1978d03e867, 2a0323a91310). Validate fix by checking axienet_free_tx_chain function uses skb->len instead of summing BD status lengths. If immediate patching is infeasible for Xilinx-based systems, implement compensating controls: reduce MTU to prevent multi-BD packet fragmentation (typically below 1500 bytes may keep packets within single descriptors depending on driver configuration, though effectiveness varies by hardware buffer size-test thoroughly in staging), or disable scatter-gather offload via ethtool -K <interface> sg off (degrades performance as kernel copies fragmented buffers but prevents BQL stall; expect 15-30% throughput reduction under mixed workload). Monitor TX queue depth via tc -s qdisc show dev <interface> for anomalous growth indicating BQL miscalculation. These workarounds trade performance for stability and should be temporary.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43031 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy