{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31646", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.127Z", "datePublished": "2026-04-24T14:44:59.874Z", "dateUpdated": "2026-05-11T22:12:50.586Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:12:50.586Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: lan966x: fix page_pool error handling in lan966x_fdma_rx_alloc_page_pool()\n\npage_pool_create() can return an ERR_PTR on failure. The return value\nis used unconditionally in the loop that follows, passing the error\npointer through xdp_rxq_info_reg_mem_model() into page_pool_use_xdp_mem(),\nwhich dereferences it, causing a kernel oops.\n\nAdd an IS_ERR check after page_pool_create() to return early on failure."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c"], "versions": [{"version": "11871aba19748b3387e83a2db6360aa7119e9a1a", "lessThan": "e63265f188ea39dcf5f546770650027528f3bd0f", "status": "affected", "versionType": "git"}, {"version": "11871aba19748b3387e83a2db6360aa7119e9a1a", "lessThan": "305832c53551cfbe6e5b81ca7ee765e60f4fe8e9", "status": "affected", "versionType": "git"}, {"version": "11871aba19748b3387e83a2db6360aa7119e9a1a", "lessThan": "b5dcb41ba891b55157006cac79825c78a32b409e", "status": "affected", "versionType": "git"}, {"version": "11871aba19748b3387e83a2db6360aa7119e9a1a", "lessThan": "7caf90d9ab97951a58d1de85ab7e7d7cca7a4513", "status": "affected", "versionType": "git"}, {"version": "11871aba19748b3387e83a2db6360aa7119e9a1a", "lessThan": "3fd0da4fd8851a7e62d009b7db6c4a05b092bc19", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c"], "versions": [{"version": "6.2", "status": "affected"}, {"version": "0", "lessThan": "6.2", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.135", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.82", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.23", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.13", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.135"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.12.82"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.18.23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.19.13"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/e63265f188ea39dcf5f546770650027528f3bd0f"}, {"url": "https://git.kernel.org/stable/c/305832c53551cfbe6e5b81ca7ee765e60f4fe8e9"}, {"url": "https://git.kernel.org/stable/c/b5dcb41ba891b55157006cac79825c78a32b409e"}, {"url": "https://git.kernel.org/stable/c/7caf90d9ab97951a58d1de85ab7e7d7cca7a4513"}, {"url": "https://git.kernel.org/stable/c/3fd0da4fd8851a7e62d009b7db6c4a05b092bc19"}], "title": "net: lan966x: fix page_pool error handling in lan966x_fdma_rx_alloc_page_pool()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D6A8AD2A-FCEB-42B6-8B79-66822D8E7C37", "versionEndExcluding": "6.6.135", "versionStartIncluding": "6.2.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "02904CAE-71D2-45B3-9EC3-F6A9D18B6307", "versionEndExcluding": "6.12.82", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E9E09FDD-9EE3-4A56-92E2-2B30AFD0072F", "versionEndExcluding": "6.18.23", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1490EF9B-9080-481C-8D22-1306AAE664E4", "versionEndExcluding": "6.19.13", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:-:*:*:*:*:*:*", "matchCriteriaId": "3ADCCCEE-143A-4B48-9B2A-0CB97BD385DE", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: lan966x: fix page_pool error handling in lan966x_fdma_rx_alloc_page_pool()\n\npage_pool_create() can return an ERR_PTR on failure. The return value\nis used unconditionally in the loop that follows, passing the error\npointer through xdp_rxq_info_reg_mem_model() into page_pool_use_xdp_mem(),\nwhich dereferences it, causing a kernel oops.\n\nAdd an IS_ERR check after page_pool_create() to return early on failure."}], "id": "CVE-2026-31646", "lastModified": "2026-04-27T20:19:01.043", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-24T15:16:43.967", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/305832c53551cfbe6e5b81ca7ee765e60f4fe8e9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3fd0da4fd8851a7e62d009b7db6c4a05b092bc19"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7caf90d9ab97951a58d1de85ab7e7d7cca7a4513"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b5dcb41ba891b55157006cac79825c78a32b409e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e63265f188ea39dcf5f546770650027528f3bd0f"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: net: lan966x: fix page_pool error handling in lan966x_fdma_rx_alloc_page_pool()", "id": "2461533", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461533"}, "csaw": false, "cwe": "CWE-252", "details": ["A flaw was found in the Linux kernel's lan966x network driver. An error in handling the return value from the `page_pool_create()` function can lead to the use of an invalid memory pointer. This improper error handling can cause a kernel oops, resulting in a Denial of Service (DoS) for the affected system."], "name": "CVE-2026-31646", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31646\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31646\nhttps://lore.kernel.org/linux-cve-announce/2026042458-CVE-2026-31646-0187@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[11871aba19748b3387e83a2db6360aa7119e9a1a,e63265f188ea39dcf5f546770650027528f3bd0f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[11871aba19748b3387e83a2db6360aa7119e9a1a,305832c53551cfbe6e5b81ca7ee765e60f4fe8e9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[11871aba19748b3387e83a2db6360aa7119e9a1a,b5dcb41ba891b55157006cac79825c78a32b409e)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[11871aba19748b3387e83a2db6360aa7119e9a1a,7caf90d9ab97951a58d1de85ab7e7d7cca7a4513)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[11871aba19748b3387e83a2db6360aa7119e9a1a,3fd0da4fd8851a7e62d009b7db6c4a05b092bc19)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.2"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.2)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.135,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.82,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.23,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.13,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T13:49:34.385142+00:00", "value": {"mitigation_remediation": ["Apply a Linux kernel update that includes the lan966x_fdma_rx_alloc_page_pool patch to ensure proper error handling after page_pool_create.", "If a kernel update cannot be applied immediately, consider disabling the lan966x NIC or switching to an alternate network driver to avoid using the vulnerable code.", "Continuously monitor system logs for kernel oops messages and apply the patch as soon as it becomes available to prevent a denial\u2011of\u2011service event."], "summary": {"action": "Patch", "impact": "Denial of Service via kernel crash"}, "threat_synthesis": {"affected_systems": "All Linux kernel releases that include the LAN966X driver are vulnerable. According to the affected platform enumeration, versions 6.2 and all 7.0 release candidates (RC1 through RC7) are impacted until updated with the patch that introduces error handling after page_pool_create. The vulnerability applies to any system running a Linux kernel that includes the LAN966X driver.", "description_and_impact": "The LAN966X network driver contains a flaw where a page pool creation failure is not properly handled. The code uses the error pointer returned by page_pool_create without an IS_ERR check, and later dereferences it during XDP memory setup. This NULL pointer dereference (CWE-476) triggers a kernel oops and a system crash, resulting in denial of service.", "risk_and_exploitability": "The CVSS score of 5.5 reflects a moderate impact mainly in terms of availability. The EPSS score of <1% indicates a very low expected exploitation probability, and the vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is local or privileged access capable of sending malicious network traffic or otherwise triggering the driver\u2019s memory allocation routine. Because the flaw requires a failure of page_pool_create \u2013 an event that is typically associated with low memory conditions \u2013 it is not trivially exploitable, but it can be triggered in constrained environments or by carefully crafted packets. Overall, the risk is moderate but exploitation is unlikely under normal operating conditions."}}}}, "created": "2026-04-27T18:45:11.318534+00:00", "updated": "2026-04-28T14:00:16.491313+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}