CVE-2026-31501
Published: Apr 22, 2026
Modified: May 11, 2026
CVSS v3.1
9.8
Description
In the Linux kernel, the following vulnerability has been resolved: net: ti: icssg-prueth: fix use-after-free of CPPI descriptor in RX path cppi5_hdesc_get_psdata() returns a pointer into the CPPI descriptor. In both emac_rx_packet() and emac_rx_packet_zc(), the descriptor is freed via k3_cppi_desc_pool_free() before the psdata pointer is used by emac_rx_timestamp(), which dereferences psdata[0] and psdata[1]. This constitutes a use-after-free on every received packet that goes through the timestamp path. Defer the descriptor free until after all accesses through the psdata pointer are complete. For emac_rx_packet(), move the free into the requeue label so both early-exit and success paths free the descriptor after all accesses are done. For emac_rx_packet_zc(), move the free to the end of the loop body after emac_dispatch_skb_zc() (which calls emac_rx_timestamp()) has returned.
| Vendor | Product | Versions |
|---|---|---|
Linux | Linux | affected 46eeb90f03e03d5e8f7f9f1f0eb0792104fc5f86 - < d5827316debcb677679bb014885d7be92c410e11affected 46eeb90f03e03d5e8f7f9f1f0eb0792104fc5f86 - < eb8c426c9803beb171f89d15fea17505eb517714 |
Linux | Linux | affected 6.15unaffected 0 - < 6.15unaffected 6.19.11 - <= 6.19.*unaffected 7.0 - <= * |
CVSS v3.1 Details
CVSS v3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now