Skip to main content

Linux Kernel EUVDEUVD-2026-24878

| CVE-2026-31501 CRITICAL
Use After Free (CWE-416)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-6xxj-984x-2f74
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 28, 2026 - 13:52 vuln.today
cvss_changed
Analysis Generated
Apr 27, 2026 - 15:23 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
9.8 (CRITICAL)
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24878
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
CRITICAL 9.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: ti: icssg-prueth: fix use-after-free of CPPI descriptor in RX path

cppi5_hdesc_get_psdata() returns a pointer into the CPPI descriptor. In both emac_rx_packet() and emac_rx_packet_zc(), the descriptor is freed via k3_cppi_desc_pool_free() before the psdata pointer is used by emac_rx_timestamp(), which dereferences psdata[0] and psdata[1]. This constitutes a use-after-free on every received packet that goes through the timestamp path.

Defer the descriptor free until after all accesses through the psdata pointer are complete. For emac_rx_packet(), move the free into the requeue label so both early-exit and success paths free the descriptor after all accesses are done. For emac_rx_packet_zc(), move the free to the end of the loop body after emac_dispatch_skb_zc() (which calls emac_rx_timestamp()) has returned.

AnalysisAI

Use-after-free in Linux kernel ICSSG PRU Ethernet driver allows remote code execution with CVSS 9.8 scoring. Affects TI ICSSG network driver in kernels 6.15 through 7.0 (patched in 6.19.11 and 7.0). The flaw causes CPPI descriptors to be freed before timestamp processing completes on every received packet, creating a exploitable memory corruption condition. Despite critical CVSS scoring, EPSS probability is very low (0.02%, 5th percentile) and no active exploitation or public POC has been identified. The network attack vector (AV:N) combined with zero-day timing suggests this may be scored for worst-case remote exploitation scenario, but actual exploitability via network packets requires deeper investigation of ICSSG hardware context and packet processing pipeline.

Technical ContextAI

This vulnerability affects the Texas Instruments ICSSG (Industrial Communication SubSystem Gigabit) PRU Ethernet driver (icssg-prueth) in the Linux kernel networking stack. ICSSG is a specialized hardware networking subsystem used in TI embedded processors for industrial Ethernet protocols. The driver uses CPPI5 (Common Platform Packet Interface version 5) DMA descriptors to manage packet buffers. The vulnerability occurs in the receive path where cppi5_hdesc_get_psdata() retrieves a pointer to protocol-specific data embedded within the CPPI descriptor structure. In both the standard RX handler (emac_rx_packet) and zero-copy RX handler (emac_rx_packet_zc), k3_cppi_desc_pool_free() returns the descriptor to the free pool before emac_rx_timestamp() dereferences psdata[0] and psdata[1] to extract hardware timestamps. Once freed, the descriptor memory can be reallocated and overwritten by concurrent DMA operations, causing the timestamp code to read attacker-influenced memory. This is a classic temporal memory safety issue where object lifetime management fails across function call boundaries in the packet processing hot path.

RemediationAI

Upgrade to Linux kernel 6.19.11 or 7.0 or later, which include upstream fixes via commits d5827316debcb677679bb014885d7be92c410e11 and eb8c426c9803beb171f89d15fea17505eb517714 that defer CPPI descriptor deallocation until after all psdata pointer accesses complete. For distributions providing backported patches, apply vendor-specific kernel updates containing these commits. If immediate patching is not feasible for industrial/embedded systems with operational constraints, implement these compensating controls with noted trade-offs: Disable hardware timestamping on ICSSG interfaces via 'ethtool -K <interface> rx-timestamping off' (eliminates PTP/time-sensitive networking functionality required for industrial protocols like EtherCAT or PROFINET). Unload the icssg-prueth kernel module and use alternative network interfaces if available (loses ICSSG hardware offload capabilities). Deploy kernel memory safety mitigations including CONFIG_SLAB_FREELIST_HARDENED and CONFIG_INIT_ON_FREE_DEFAULT_ON to increase exploitation difficulty (adds 2-5% performance overhead to packet processing). These workarounds significantly impact industrial networking capabilities and should only be temporary measures pending full patching.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-24878 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy