Skip to main content

Linux EUVDEUVD-2026-18774

| CVE-2026-31396 HIGH
Use After Free (CWE-416)
2026-04-03 Linux
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
MEDIUM
qualitative

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 27, 2026 - 14:22 vuln.today
cvss_changed
CVSS changed
Apr 27, 2026 - 14:22 NVD
7.8 (HIGH)
Patch available
Apr 16, 2026 - 05:29 EUVD
5653af416a48f6c18f9626ae9df96f814f45ff34,8da13e6d63c1a97f7302d342c89c4a56a55c7015,341d01087f821aa0f165fb1ffc8bfe4e50776da7
EUVD ID Assigned
Apr 03, 2026 - 15:30 euvd
EUVD-2026-18774
Analysis Generated
Apr 03, 2026 - 15:30 vuln.today
CVE Published
Apr 03, 2026 - 15:16 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: macb: fix use-after-free access to PTP clock

PTP clock is registered on every opening of the interface and destroyed on every closing. However it may be accessed via get_ts_info ethtool call which is possible while the interface is just present in the kernel.

BUG: KASAN: use-after-free in ptp_clock_index+0x47/0x50 drivers/ptp/ptp_clock.c:426 Read of size 4 at addr ffff8880194345cc by task syz.0.6/948

CPU: 1 PID: 948 Comm: syz.0.6 Not tainted 6.1.164+ #109 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x8d/0xba lib/dump_stack.c:106 print_address_description mm/kasan/report.c:316 [inline] print_report+0x17f/0x496 mm/kasan/report.c:420 kasan_report+0xd9/0x180 mm/kasan/report.c:524 ptp_clock_index+0x47/0x50 drivers/ptp/ptp_clock.c:426 gem_get_ts_info+0x138/0x1e0 drivers/net/ethernet/cadence/macb_main.c:3349 macb_get_ts_info+0x68/0xb0 drivers/net/ethernet/cadence/macb_main.c:3371 __ethtool_get_ts_info+0x17c/0x260 net/ethtool/common.c:558 ethtool_get_ts_info net/ethtool/ioctl.c:2367 [inline] __dev_ethtool net/ethtool/ioctl.c:3017 [inline] dev_ethtool+0x2b05/0x6290 net/ethtool/ioctl.c:3095 dev_ioctl+0x637/0x1070 net/core/dev_ioctl.c:510 sock_do_ioctl+0x20d/0x2c0 net/socket.c:1215 sock_ioctl+0x577/0x6d0 net/socket.c:1320 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x18c/0x210 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:46 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 </TASK>

Allocated by task 457: kmalloc include/linux/slab.h:563 [inline] kzalloc include/linux/slab.h:699 [inline] ptp_clock_register+0x144/0x10e0 drivers/ptp/ptp_clock.c:235 gem_ptp_init+0x46f/0x930 drivers/net/ethernet/cadence/macb_ptp.c:375 macb_open+0x901/0xd10 drivers/net/ethernet/cadence/macb_main.c:2920 __dev_open+0x2ce/0x500 net/core/dev.c:1501 __dev_change_flags+0x56a/0x740 net/core/dev.c:8651 dev_change_flags+0x92/0x170 net/core/dev.c:8722 do_setlink+0xaf8/0x3a80 net/core/rtnetlink.c:2833 __rtnl_newlink+0xbf4/0x1940 net/core/rtnetlink.c:3608 rtnl_newlink+0x63/0xa0 net/core/rtnetlink.c:3655 rtnetlink_rcv_msg+0x3c6/0xed0 net/core/rtnetlink.c:6150 netlink_rcv_skb+0x15d/0x430 net/netlink/af_netlink.c:2511 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x6d7/0xa30 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x97e/0xeb0 net/netlink/af_netlink.c:1872 sock_sendmsg_nosec net/socket.c:718 [inline] __sock_sendmsg+0x14b/0x180 net/socket.c:730 __sys_sendto+0x320/0x3b0 net/socket.c:2152 __do_sys_sendto net/socket.c:2164 [inline] __se_sys_sendto net/socket.c:2160 [inline] __x64_sys_sendto+0xdc/0x1b0 net/socket.c:2160 do_syscall_x64 arch/x86/entry/common.c:46 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76 entry_SYSCALL_64_after_hwframe+0x6e/0xd8

Freed by task 938: kasan_slab_free include/linux/kasan.h:177 [inline] slab_free_hook mm/slub.c:1729 [inline] slab_free_freelist_hook mm/slub.c:1755 [inline] slab_free mm/slub.c:3687 [inline] __kmem_cache_free+0xbc/0x320 mm/slub.c:3700 device_release+0xa0/0x240 drivers/base/core.c:2507 kobject_cleanup lib/kobject.c:681 [inline] kobject_release lib/kobject.c:712 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x1cd/0x350 lib/kobject.c:729 put_device+0x1b/0x30 drivers/base/core.c:3805 ptp_clock_unregister+0x171/0x270 drivers/ptp/ptp_clock.c:391 gem_ptp_remove+0x4e/0x1f0 drivers/net/ethernet/cadence/macb_ptp.c:404 macb_close+0x1c8/0x270 drivers/net/ethernet/cadence/macb_main.c:2966 __dev_close_many+0x1b9/0x310 net/core/dev.c:1585 __dev_close net/core/dev.c:1597 [inline] __dev_change_flags+0x2bb/0x740 net/core/dev.c:8649 dev_change_fl ---truncated---

AnalysisAI

Use-after-free vulnerability in Linux kernel's Cadence MAC (macb) driver allows local attackers to read freed memory via ethtool get_ts_info calls on PTP-capable network interfaces. The PTP clock is registered when the interface opens and destroyed when it closes, but the ethtool handler can still access it after deallocation, causing a kernel memory access violation. No active exploitation confirmed; patch available in stable kernel releases.

Technical ContextAI

The Cadence MAC (macb) driver manages Ethernet interfaces and implements PTP (Precision Time Protocol) clock functionality for timestamp information. The vulnerability exists in the synchronization between PTP clock lifecycle (registered via gem_ptp_init on interface open, destroyed via gem_ptp_remove on interface close) and the ethtool get_ts_info handler (accessible via ethtool ioctl syscalls at any time the interface exists). The root cause is a use-after-free memory safety error (CWE-416) where the gem_get_ts_info function in drivers/net/ethernet/cadence/macb_main.c accesses a PTP clock structure (ptp_clock) that may have been freed when the interface was closed. The ethtool handler calls ptp_clock_index, which reads freed kernel memory allocated by ptp_clock_register in drivers/ptp/ptp_clock.c. The bug manifests as a KASAN (Kernel Address Sanitizer) detected use-after-free when reading 4 bytes from a deallocated slab object. The affected CPE indicates all Linux kernel versions with the macb driver prior to the fix commit.

RemediationAI

Update Linux kernel to a patched stable release containing commit 341d01087f821aa0f165fb1ffc8bfe4e50776da7 or one of the related fix commits (5653af416a48f6c18f9626ae9df96f814f45ff34, 0bb848d8c64938024e45780f8032f1f67d3a3607, 1f4714065b2bcbb0a4013fd355b84b848e6cc345, eb652535e9ec795ef5c1078f7578eaaed755268b, 8da13e6d63c1a97f7302d342c89c4a56a55c7015). Check your Linux distribution's advisory for the specific patched kernel version applicable to your release. The fix synchronizes PTP clock lifecycle with ethtool handler access, preventing access to freed memory. Users unable to patch immediately should restrict local access to ethtool ioctl syscalls via SELinux, AppArmor, or seccomp policies to prevent untrusted local code from triggering the vulnerability. Refer to the stable kernel git repository (https://git.kernel.org/stable/) for complete patch details and affected stable branch information.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-18774 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy