Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
TX cleanup bug is triggered locally on GENET hardware via timing-sensitive ring exhaustion (AV:L/AC:H/PR:L); impact is mainly crash (A:H) with possible stale-data leak (C:L), not RCE.
Primary rating from Vendor (Linux).
CVSS VectorVendor: Linux
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
net: bcmgenet: fix off-by-one in bcmgenet_put_txcb
The write_ptr points to the next open tx_cb. We want to return the tx_cb that gets rewinded, so we must rewind the pointer first then return the tx_cb that it points to. That way the txcb can be correctly cleaned up.
AnalysisAI
Memory mishandling in the Linux kernel's Broadcom GENET (bcmgenet) Ethernet driver stems from an off-by-one error in bcmgenet_put_txcb(), where the function returned the wrong transmit control block (tx_cb) because the write pointer was rewound after reading instead of before, causing incorrect cleanup of TX descriptors. The flaw affects systems using Broadcom GENET network controllers (notably Raspberry Pi 4/5 and various Broadcom SoCs) running affected kernels prior to the stable fixes. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the host to actually use the Broadcom GENET Ethernet controller (bcmgenet driver) - i.e., specific Broadcom SoC hardware such as Raspberry Pi 4/5 or comparable BCM platforms; systems without this NIC are not affected regardless of kernel version. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals conflict and should be reconciled before prioritization. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user or a workload on a Broadcom GENET-equipped host (such as a Raspberry Pi) drives heavy or crafted transmit traffic through the onboard Ethernet interface, exercising the TX cleanup path so that bcmgenet_put_txcb() mismanages a transmit control block. The resulting state corruption can crash the driver/kernel (denial of service) or surface stale descriptor data. … |
| Remediation | Vendor-released patch: update to a fixed stable kernel - 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or mainline 7.1 (or later on your branch), pulling the corresponding distribution kernel update once your vendor ships it. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit inventory for Broadcom GENET devices (Raspberry Pi 4/5, Broadcom SoC platforms). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38956
GHSA-mqvv-mhq8-mx45