Skip to main content

Linux Kernel EUVDEUVD-2026-32869

| CVE-2026-46110 HIGH
NULL Pointer Dereference (CWE-476)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-5hfj-3vgw-hm4r
7.5
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:48 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.5 (HIGH)
Patch available
May 28, 2026 - 12:31 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: stmmac: Prevent NULL deref when RX memory exhausted

The CPU receives frames from the MAC through conventional DMA: the CPU allocates buffers for the MAC, then the MAC fills them and returns ownership to the CPU. For each hardware RX queue, the CPU and MAC coordinate through a shared ring array of DMA descriptors: one descriptor per DMA buffer. Each descriptor includes the buffer's physical address and a status flag ("OWN") indicating which side owns the buffer: OWN=0 for CPU, OWN=1 for MAC. The CPU is only allowed to set the flag and the MAC is only allowed to clear it, and both must move through the ring in sequence: thus the ring is used for both "submissions" and "completions."

In the stmmac driver, stmmac_rx() bookmarks its position in the ring with the cur_rx index. The main receive loop in that function checks for rx_descs[cur_rx].own=0, gives the corresponding buffer to the network stack (NULLing the pointer), and increments cur_rx modulo the ring size. After the loop exits, stmmac_rx_refill(), which bookmarks its position with dirty_rx, allocates fresh buffers and rearms the descriptors (setting OWN=1). If it fails any allocation, it simply stops early (leaving OWN=0) and will retry where it left off when next called.

This means descriptors have a three-stage lifecycle (terms my own):

  • empty (OWN=1, buffer valid)
  • full (OWN=0, buffer valid and populated)
  • dirty (OWN=0, buffer NULL)

But because stmmac_rx() only checks OWN, it confuses full/dirty. In the past (see 'Fixes:'), there was a bug where the loop could cycle cur_rx all the way back to the first descriptor it dirtied, resulting in a NULL dereference when mistaken for full. The aforementioned commit resolved that *specific* failure by capping the loop's iteration limit at dma_rx_size - 1, but this is only a partial fix: if the previous stmmac_rx_refill() didn't complete, then there are leftover dirty descriptors that the loop might encounter without needing to cycle fully around. The current code therefore panics (see 'Closes:') when stmmac_rx_refill() is memory-starved long enough for cur_rx to catch up to dirty_rx.

Fix this by explicitly checking, before advancing cur_rx, if the next entry is dirty; exit the loop if so. This prevents processing of the final, used descriptor until stmmac_rx_refill() succeeds, but fully prevents the cur_rx == dirty_rx ambiguity as the previous bugfix intended: so remove the clamp as well. Since stmmac_rx_zc() is a copy-paste-and-tweak of stmmac_rx() and the code structure is identical, any fix to stmmac_rx() will also need a corresponding fix for stmmac_rx_zc(). Therefore, apply the same check there.

In stmmac_rx() (not stmmac_rx_zc()), a related bug remains: after the MAC sets OWN=0 on the final descriptor, it will be unable to send any further DMA-complete IRQs until it's given more empty descriptors. Currently, the driver simply *hopes* that the next stmmac_rx_refill() succeeds, risking an indefinite stall of the receive process if not. But this is not a regression, so it can be addressed in a future change.

AnalysisAI

Denial of service in the Linux kernel's stmmac Ethernet driver allows remote attackers to trigger a NULL pointer dereference and kernel panic on systems using STMicroelectronics MAC network controllers under sustained memory pressure. The flaw stems from incomplete handling of the DMA RX descriptor ring lifecycle, where stmmac_rx() cannot distinguish 'full' from 'dirty' descriptors when stmmac_rx_refill() fails to allocate replacement buffers. EPSS rates exploitation probability at only 0.02% (5th percentile), and no public exploit identified at time of analysis.

Technical ContextAI

The vulnerability is in the stmmac driver (drivers/net/ethernet/stmicro/stmmac/), which supports STMicroelectronics' Synopsys DesignWare Ethernet MAC IP found in many ARM SoCs (STM32, Allwinner, Rockchip, Amlogic, NXP i.MX, etc.). The driver uses conventional DMA with a shared ring of descriptors between CPU and MAC, coordinated via an OWN flag. Each descriptor cycles through three logical states: 'empty' (OWN=1, buffer valid, awaiting MAC), 'full' (OWN=0, buffer populated, awaiting CPU), and 'dirty' (OWN=0, buffer pointer NULLed after handoff to network stack). The receive path only inspects OWN and cannot disambiguate 'full' from 'dirty'; when memory pressure prevents stmmac_rx_refill() from re-arming descriptors, cur_rx can catch up to dirty_rx and the code dereferences a NULL buffer pointer. The root cause class is a NULL pointer dereference (CWE-476) caused by incomplete state tracking in a producer/consumer ring; a prior partial fix capped loop iterations to dma_rx_size - 1, but that did not cover the leftover-dirty case. The fix in commits 0bb05e6a, 4af2e62c, 5c910f77, 950cb436, and e1c50b27 explicitly checks for a dirty descriptor before advancing cur_rx and applies the same correction to the zero-copy variant stmmac_rx_zc().

RemediationAI

Vendor-released patch: upgrade to Linux 6.6.140, 6.12.88, 7.0.7, 6.18.30, or 7.1-rc2 or later, depending on which stable branch you track; the relevant upstream commits are 0bb05e6adfa9, 4af2e62cbcda, 5c910f7708e3, 950cb436165a, and e1c50b273298, all available via https://git.kernel.org/stable/. Distribution users should pull the corresponding kernel update from their vendor (e.g., Debian, Ubuntu, RHEL, SUSE, or the relevant embedded BSP). No documented workaround exists in the driver itself since the bug is in core RX descriptor handling, but as a compensating control on affected embedded devices you can reduce the likelihood of memory-starvation-induced panics by reserving kernel memory via min_free_kbytes tuning, lowering the stmmac RX ring size (ethtool -G) to reduce per-queue memory pressure, or constraining workloads that compete for GFP_ATOMIC allocations; these mitigate the trigger but do not eliminate the underlying defect and may reduce throughput. If the device is exposed to untrusted networks, restricting inbound traffic rates with upstream policing reduces sustained pressure on the RX path.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-32869 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy