Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Bug triggers on-device via specific queue-mapping conditions (AV:L/AC:H), needs local operational access to drive traffic (PR:L), and yields transient TX-stall availability loss only (A:L, C/I:N).
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
net: airoha: fix BQL imbalance in TX path
Fix a possible BQL imbalance in airoha_dev_xmit(), where inflight packets are accounted only for the AIROHA_NUM_TX_RING netdev TX queues. The queue index is computed as:
qid = skb_get_queue_mapping(skb) % ARRAY_SIZE(qdma->q_tx) txq = netdev_get_tx_queue(dev, qid);
However, airoha_qdma_tx_napi_poll() accounts completions across all netdev TX queues (num_tx_queues), leading to inconsistent BQL accounting.
Also reset all netdev TX queues in the ndo_stop callback.
AnalysisAI
Denial-of-service (TX queue stall) in the Linux kernel's Airoha QDMA Ethernet driver affects systems running on Airoha/MediaTek SoCs where airoha_dev_xmit() accounts inflight packets only across AIROHA_NUM_TX_RING queues while the NAPI completion path settles all netdev TX queues, corrupting Byte Queue Limits (BQL) state. The mismatch can wedge transmit queues and degrade or halt network throughput on the device. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires the target to be running the Linux airoha_eth driver - i.e., an Airoha/MediaTek SoC with the QDMA Ethernet hardware - on a vulnerable kernel; the bug only manifests when traffic is distributed such that skb queue_mapping selects netdev TX queues beyond the AIROHA_NUM_TX_RING hardware rings, creating the enqueue/completion BQL accounting mismatch. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals conflict and should be read with caution. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | On a device using the Airoha Ethernet driver, sustained or specifically patterned TX traffic causes BQL in-flight counters to drift out of sync between the enqueue and completion paths, eventually stalling one or more transmit queues and degrading or halting outbound networking until the interface is reset. No public exploit code exists, and given AC and the on-device nature of the trigger, this is more likely to manifest as a reliability failure than a deliberately driven attack. |
| Remediation | Upstream fix available (commits, not a single vendor release tag): apply the stable kernel update containing commits aaad53a55812acd2355c0e5478896381e78b0110, 2d9f5a118205da2683ffcec78b9347f1f01a820e, or ded2694247a55a16d0ebbe2d6f9139305c21457a (https://git.kernel.org/stable/c/aaad53a55812acd2355c0e5478896381e78b0110, https://git.kernel.org/stable/c/2d9f5a118205da2683ffcec78b9347f1f01a820e, https://git.kernel.org/stable/c/ded2694247a55a16d0ebbe2d6f9139305c21457a); per the source feed this corresponds to stable releases such as 6.18.33/7.0.10/7.1 - confirm the exact tag for your tree before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify systems running Airoha/MediaTek SoCs with vulnerable driver versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38851
GHSA-mvhp-248j-7g76