{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31649", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.128Z", "datePublished": "2026-04-24T14:45:02.520Z", "dateUpdated": "2026-05-11T22:12:54.099Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:12:54.099Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: fix integer underflow in chain mode\n\nThe jumbo_frm() chain-mode implementation unconditionally computes\n\n len = nopaged_len - bmax;\n\nwhere nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is\nBUF_SIZE_8KiB or BUF_SIZE_2KiB. However, the caller stmmac_xmit()\ndecides to invoke jumbo_frm() based on skb->len (total length including\npage fragments):\n\n is_jumbo = stmmac_is_jumbo_frm(priv, skb->len, enh_desc);\n\nWhen a packet has a small linear portion (nopaged_len <= bmax) but a\nlarge total length due to page fragments (skb->len > bmax), the\nsubtraction wraps as an unsigned integer, producing a huge len value\n(~0xFFFFxxxx). This causes the while (len != 0) loop to execute\nhundreds of thousands of iterations, passing skb->data + bmax * i\npointers far beyond the skb buffer to dma_map_single(). On IOMMU-less\nSoCs (the typical deployment for stmmac), this maps arbitrary kernel\nmemory to the DMA engine, constituting a kernel memory disclosure and\npotential memory corruption from hardware.\n\nFix this by introducing a buf_len local variable clamped to\nmin(nopaged_len, bmax). Computing len = nopaged_len - buf_len is then\nalways safe: it is zero when the linear portion fits within a single\ndescriptor, causing the while (len != 0) loop to be skipped naturally,\nand the fragment loop in stmmac_xmit() handles page fragments afterward."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/stmicro/stmmac/chain_mode.c"], "versions": [{"version": "286a837217204b1ef105e3a554d0757e4fdfaac1", "lessThan": "513e06735f5be575b409d195822195348b164e48", "status": "affected", "versionType": "git"}, {"version": "286a837217204b1ef105e3a554d0757e4fdfaac1", "lessThan": "275bdf762e82082f064e60a92448fa2ac43cf95b", "status": "affected", "versionType": "git"}, {"version": "286a837217204b1ef105e3a554d0757e4fdfaac1", "lessThan": "a2b68a9a476b9544ff31f1fbcd5d80867a8a5e2f", "status": "affected", "versionType": "git"}, {"version": "286a837217204b1ef105e3a554d0757e4fdfaac1", "lessThan": "b7b8012193fd98236d7ae05d4b553f010a77b2ef", "status": "affected", "versionType": "git"}, {"version": "286a837217204b1ef105e3a554d0757e4fdfaac1", "lessThan": "2c91b39912278d0878f9ba60ba04d2518b18a08d", "status": "affected", "versionType": "git"}, {"version": "286a837217204b1ef105e3a554d0757e4fdfaac1", "lessThan": "6fca757c20396dc2e604dcc61922264e9e3dc803", "status": "affected", "versionType": "git"}, {"version": "286a837217204b1ef105e3a554d0757e4fdfaac1", "lessThan": "10d12b9240ebf96c785f0e2e4228318cd5f3a3eb", "status": "affected", "versionType": "git"}, {"version": "286a837217204b1ef105e3a554d0757e4fdfaac1", "lessThan": "51f4e090b9f87b40c21b6daadb5c06e6c0a07b67", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/stmicro/stmmac/chain_mode.c"], "versions": [{"version": "3.2", "status": "affected"}, {"version": "0", "lessThan": "3.2", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.253", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.203", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.169", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.135", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.82", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.23", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.13", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "5.10.253"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "5.15.203"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "6.1.169"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "6.6.135"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "6.12.82"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "6.18.23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "6.19.13"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/513e06735f5be575b409d195822195348b164e48"}, {"url": "https://git.kernel.org/stable/c/275bdf762e82082f064e60a92448fa2ac43cf95b"}, {"url": "https://git.kernel.org/stable/c/a2b68a9a476b9544ff31f1fbcd5d80867a8a5e2f"}, {"url": "https://git.kernel.org/stable/c/b7b8012193fd98236d7ae05d4b553f010a77b2ef"}, {"url": "https://git.kernel.org/stable/c/2c91b39912278d0878f9ba60ba04d2518b18a08d"}, {"url": "https://git.kernel.org/stable/c/6fca757c20396dc2e604dcc61922264e9e3dc803"}, {"url": "https://git.kernel.org/stable/c/10d12b9240ebf96c785f0e2e4228318cd5f3a3eb"}, {"url": "https://git.kernel.org/stable/c/51f4e090b9f87b40c21b6daadb5c06e6c0a07b67"}], "title": "net: stmmac: fix integer underflow in chain mode", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A8136AA8-F2F0-4960-9AAF-176AC6ACEA92", "versionEndExcluding": "5.10.253", "versionStartIncluding": "3.2.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045", "versionEndExcluding": "5.15.203", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "DBEC0E5D-641C-4E98-A6D9-5799B10CE451", "versionEndExcluding": "6.1.169", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "15C1A1B2-14EE-494C-AF3E-D5A7BA640B39", "versionEndExcluding": "6.6.135", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "02904CAE-71D2-45B3-9EC3-F6A9D18B6307", "versionEndExcluding": "6.12.82", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E9E09FDD-9EE3-4A56-92E2-2B30AFD0072F", "versionEndExcluding": "6.18.23", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "1490EF9B-9080-481C-8D22-1306AAE664E4", "versionEndExcluding": "6.19.13", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:3.2:-:*:*:*:*:*:*", "matchCriteriaId": "2BEBAC7C-43AE-4D02-A957-26F89F27E0AC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: fix integer underflow in chain mode\n\nThe jumbo_frm() chain-mode implementation unconditionally computes\n\n len = nopaged_len - bmax;\n\nwhere nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is\nBUF_SIZE_8KiB or BUF_SIZE_2KiB. However, the caller stmmac_xmit()\ndecides to invoke jumbo_frm() based on skb->len (total length including\npage fragments):\n\n is_jumbo = stmmac_is_jumbo_frm(priv, skb->len, enh_desc);\n\nWhen a packet has a small linear portion (nopaged_len <= bmax) but a\nlarge total length due to page fragments (skb->len > bmax), the\nsubtraction wraps as an unsigned integer, producing a huge len value\n(~0xFFFFxxxx). This causes the while (len != 0) loop to execute\nhundreds of thousands of iterations, passing skb->data + bmax * i\npointers far beyond the skb buffer to dma_map_single(). On IOMMU-less\nSoCs (the typical deployment for stmmac), this maps arbitrary kernel\nmemory to the DMA engine, constituting a kernel memory disclosure and\npotential memory corruption from hardware.\n\nFix this by introducing a buf_len local variable clamped to\nmin(nopaged_len, bmax). Computing len = nopaged_len - buf_len is then\nalways safe: it is zero when the linear portion fits within a single\ndescriptor, causing the while (len != 0) loop to be skipped naturally,\nand the fragment loop in stmmac_xmit() handles page fragments afterward."}], "id": "CVE-2026-31649", "lastModified": "2026-04-27T20:13:49.587", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-04-24T15:16:44.330", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/10d12b9240ebf96c785f0e2e4228318cd5f3a3eb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/275bdf762e82082f064e60a92448fa2ac43cf95b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/2c91b39912278d0878f9ba60ba04d2518b18a08d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/513e06735f5be575b409d195822195348b164e48"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/51f4e090b9f87b40c21b6daadb5c06e6c0a07b67"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/6fca757c20396dc2e604dcc61922264e9e3dc803"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a2b68a9a476b9544ff31f1fbcd5d80867a8a5e2f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b7b8012193fd98236d7ae05d4b553f010a77b2ef"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: net: stmmac: fix integer underflow in chain mode", "id": "2461551", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2461551"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-191", "details": ["A flaw was found in the Linux kernel's stmmac network driver. An integer underflow vulnerability in the `jumbo_frm()` function, when processing specially crafted fragmented network packets, can lead to a memory disclosure and potential memory corruption. This issue allows an attacker to read arbitrary kernel memory and potentially corrupt it, impacting the system's integrity and confidentiality."], "name": "CVE-2026-31649", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-31649\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31649\nhttps://lore.kernel.org/linux-cve-announce/2026042459-CVE-2026-31649-b45c@gregkh/T"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[286a837217204b1ef105e3a554d0757e4fdfaac1,513e06735f5be575b409d195822195348b164e48)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[286a837217204b1ef105e3a554d0757e4fdfaac1,275bdf762e82082f064e60a92448fa2ac43cf95b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[286a837217204b1ef105e3a554d0757e4fdfaac1,a2b68a9a476b9544ff31f1fbcd5d80867a8a5e2f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[286a837217204b1ef105e3a554d0757e4fdfaac1,b7b8012193fd98236d7ae05d4b553f010a77b2ef)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[286a837217204b1ef105e3a554d0757e4fdfaac1,2c91b39912278d087f9ba60ba04d2518b18a08d)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[286a837217204b1ef105e3a554d0757e4fdfaac1,6fca757c20396dc2e604dcc61922264e9e3dc803)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[286a837217204b1ef105e3a554d0757e4fdfaac1,10d12b9240ebf96c785f0e2e4228318cd5f3a3eb)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[286a837217204b1ef105e3a554d0757e4fdfaac1,51f4e090b9f87b40c21b6daadb5c06e6c0a07b67)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.2"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,3.2)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[5.10.253,5.10.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[5.15.203,5.15.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.1.169,6.1.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.6.135,6.6.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.12.82,6.12.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.18.23,6.18.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19.13,6.19.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T13:48:29.664357+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that includes the STMMAC patch (commit 10d12b9240ebf\u2026) or apply the vendor\u2011supplied security update.", "If a kernel upgrade is not immediately feasible, disable the affected STMMAC network driver or bring the interface down to prevent malicious packet processing until the patch is applied.", "Enable an IOMMU on the platform, if supported, to restrict DMA mappings and mitigate the risk of memory disclosure.", "Reboot the system after applying the patch or configuring the workaround so that the driver is reloaded with the fixed code."], "summary": {"action": "Immediate Patch", "impact": "Kernel Memory Disclosure"}, "threat_synthesis": {"affected_systems": "All Linux kernel installations that include the STMMAC driver before the patch, particularly on SoCs that lack an IOMMU. The vulnerability is present in any kernel version up to the most recent stable releases that have not yet incorporated the commit that fixes the underflow.", "description_and_impact": "An integer underflow in the STMMAC network driver\u2019s jumbo frame handling creates an enormous length value that causes the DMA engine to map memory far beyond the intended buffer. This results in a kernel memory disclosure and potentially kernel memory corruption, exposing sensitive data and jeopardizing system integrity. The flaw is related to CWE\u2011190 (Integer Overflow or Underflow).", "risk_and_exploitability": "With a CVSS score of 9.8, the vulnerability is considered critical. The EPSS score is below 1\u202f%, indicating a low current exploitation probability, but the high impact warrants prompt action. Based on the description, the likely attack vector is sending specially crafted Ethernet frames to the affected interface, allowing an attacker with network access\u2014local or remote\u2014to trigger the underflow and read kernel memory. The vulnerability is not listed in the CISA KEV catalog."}}}}, "created": "2026-04-28T03:15:05.354149+00:00", "updated": "2026-04-28T14:00:16.490324+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}