{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31501", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.104Z", "datePublished": "2026-04-22T13:54:21.749Z", "dateUpdated": "2026-05-11T22:09:57.815Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:09:57.815Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ti: icssg-prueth: fix use-after-free of CPPI descriptor in RX path\n\ncppi5_hdesc_get_psdata() returns a pointer into the CPPI descriptor.\nIn both emac_rx_packet() and emac_rx_packet_zc(), the descriptor is\nfreed via k3_cppi_desc_pool_free() before the psdata pointer is used\nby emac_rx_timestamp(), which dereferences psdata[0] and psdata[1].\nThis constitutes a use-after-free on every received packet that goes\nthrough the timestamp path.\n\nDefer the descriptor free until after all accesses through the psdata\npointer are complete. For emac_rx_packet(), move the free into the\nrequeue label so both early-exit and success paths free the descriptor\nafter all accesses are done. For emac_rx_packet_zc(), move the free to\nthe end of the loop body after emac_dispatch_skb_zc() (which calls\nemac_rx_timestamp()) has returned."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/ti/icssg/icssg_common.c"], "versions": [{"version": "46eeb90f03e03d5e8f7f9f1f0eb0792104fc5f86", "lessThan": "d5827316debcb677679bb014885d7be92c410e11", "status": "affected", "versionType": "git"}, {"version": "46eeb90f03e03d5e8f7f9f1f0eb0792104fc5f86", "lessThan": "eb8c426c9803beb171f89d15fea17505eb517714", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/ti/icssg/icssg_common.c"], "versions": [{"version": "6.15", "status": "affected"}, {"version": "0", "lessThan": "6.15", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.11", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "6.19.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/d5827316debcb677679bb014885d7be92c410e11"}, {"url": "https://git.kernel.org/stable/c/eb8c426c9803beb171f89d15fea17505eb517714"}], "title": "net: ti: icssg-prueth: fix use-after-free of CPPI descriptor in RX path", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "042B87CE-9A59-4732-B045-5A732EC6BE59", "versionEndExcluding": "6.19.11", "versionStartIncluding": "6.15.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.15:-:*:*:*:*:*:*", "matchCriteriaId": "A1ECC65A-EE37-4479-8E99-4BB68A22A31F", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ti: icssg-prueth: fix use-after-free of CPPI descriptor in RX path\n\ncppi5_hdesc_get_psdata() returns a pointer into the CPPI descriptor.\nIn both emac_rx_packet() and emac_rx_packet_zc(), the descriptor is\nfreed via k3_cppi_desc_pool_free() before the psdata pointer is used\nby emac_rx_timestamp(), which dereferences psdata[0] and psdata[1].\nThis constitutes a use-after-free on every received packet that goes\nthrough the timestamp path.\n\nDefer the descriptor free until after all accesses through the psdata\npointer are complete. For emac_rx_packet(), move the free into the\nrequeue label so both early-exit and success paths free the descriptor\nafter all accesses are done. For emac_rx_packet_zc(), move the free to\nthe end of the loop body after emac_dispatch_skb_zc() (which calls\nemac_rx_timestamp()) has returned."}], "id": "CVE-2026-31501", "lastModified": "2026-04-28T13:50:58.170", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-22T14:16:48.597", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/d5827316debcb677679bb014885d7be92c410e11"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/eb8c426c9803beb171f89d15fea17505eb517714"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: net: ti: icssg-prueth: fix use-after-free of CPPI descriptor in RX path", "id": "2460697", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460697"}, "csaw": false, "cwe": "CWE-825", "details": ["A flaw was found in the Linux kernel's `net: ti: icssg-prueth` driver. This use-after-free vulnerability occurs in the receive (RX) path, where a data structure (CPPI descriptor) is released from memory before all necessary operations on its contents are complete. A remote attacker could exploit this by sending specially crafted network packets, potentially leading to memory corruption and system instability or denial of service."], "name": "CVE-2026-31501", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31501\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31501\nhttps://lore.kernel.org/linux-cve-announce/2026042205-CVE-2026-31501-113b@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[46eeb90f03e03d5e8f7f9f1f0eb0792104fc5f86,d5827316debcb677679bb014885d7be92c410e11)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[46eeb90f03e03d5e8f7f9f1f0eb0792104fc5f86,eb8c426c9803beb171f89d15fea17505eb517714)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.15"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.15)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.11,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-29T00:02:35.757968+00:00", "value": {"mitigation_remediation": ["Apply a kernel update that includes the patch for the TI ICSSG PRU Ethernet driver.", "Reboot the system so the upgraded kernel and driver are loaded.", "If the TI ICSSG PRU Ethernet driver is not required for your environment, consider disabling or removing it until a patch is available.", "As a temporary measure, disable packet timestamping on the affected interface to avoid the use\u2011after\u2011free path."], "summary": {"action": "Apply Patch", "impact": "Memory Corruption"}, "threat_synthesis": {"affected_systems": "The flaw is present in the Linux kernel\u2019s TI ICSSG PRU Ethernet driver (net:ti:icssg-prueth). All distributions that ship a kernel compiled with this driver enabled are affected. The CPE data indicates that the issue exists in all kernel versions before the fix, so administrators should upgrade to the latest stable kernel release that incorporates the patch.", "description_and_impact": "This vulnerability is a use\u2011after\u2011free in the Linux kernel TI ICSSG PRU Ethernet driver. When a descriptor pointer returned by cppi5_hdesc_get_psdata() is freed before the timestamp handling code dereferences it, the driver triggers a use\u2011after\u2011free on every packet that enables timestamping. The resulting memory corruption can cause a kernel crash, but the CVE description does not mention any capability for arbitrary code execution.", "risk_and_exploitability": "The CVSS score of 9.8 classifies this flaw as critical, while the EPSS score of less than 1% suggests a very low probability of exploitation at this time. The flaw is not listed in the CISA KEV catalog. It can be triggered by any packet processed by the driver when timestamping is performed, so a threat actor could potentially send crafted network traffic to reproduce the use\u2011after\u2011free and destabilize the system. The documented impact is memory corruption and possible system crash; no evidence of privilege escalation or code execution is provided."}}}}, "created": "2026-04-22T17:45:22.660619+00:00", "updated": "2026-04-29T00:15:43.457593+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}