CVE-2026-31501
Description
In the Linux kernel, the following vulnerability has been resolved: net: ti: icssg-prueth: fix use-after-free of CPPI descriptor in RX path cppi5_hdesc_get_psdata() returns a pointer into the CPPI descriptor. In both emac_rx_packet() and emac_rx_packet_zc(), the descriptor is freed via k3_cppi_desc_pool_free() before the psdata pointer is used by emac_rx_timestamp(), which dereferences psdata[0] and psdata[1]. This constitutes a use-after-free on every received packet that goes through the timestamp path. Defer the descriptor free until after all accesses through the psdata pointer are complete. For emac_rx_packet(), move the free into the requeue label so both early-exit and success paths free the descriptor after all accesses are done. For emac_rx_packet_zc(), move the free to the end of the loop body after emac_dispatch_skb_zc() (which calls emac_rx_timestamp()) has returned.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-31501
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2026-31501.html
Vendor advisory: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 — https://git.kernel.org/stable/c/eb8c426c9803beb171f89d15fea17505eb517714
Vendor advisory: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 — https://git.kernel.org/stable/c/d5827316debcb677679bb014885d7be92c410e11
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | affected | | |
| debian | bookworm | fixed | 0 |
| debian | bullseye | fixed | 0 |
| debian | forky | fixed | 6.19.11-1 |
| debian | sid | fixed | 6.19.11-1 |
| debian | trixie | fixed | 0 |
| linux-kernel | affected | 6.19.11 | |
| linux-kernel | 6.15 | affected | |
| linux-kernel | 7.0 | affected | |
References
CWEs
CWE-416
Verify integrity in audit chain (admin only). AS-IS.