CVE-2026-31501 | In the Linux kernel, the following vulnerability has been re… | CVSS 9.8 CRITICAL

Description

In the Linux kernel, the following vulnerability has been resolved: net: ti: icssg-prueth: fix use-after-free of CPPI descriptor in RX path cppi5_hdesc_get_psdata() returns a pointer into the CPPI descriptor. In both emac_rx_packet() and emac_rx_packet_zc(), the descriptor is freed via k3_cppi_desc_pool_free() before the psdata pointer is used by emac_rx_timestamp(), which dereferences psdata[0] and psdata[1]. This constitutes a use-after-free on every received packet that goes through the timestamp path. Defer the descriptor free until after all accesses through the psdata pointer are complete. For emac_rx_packet(), move the free into the requeue label so both early-exit and success paths free the descriptor after all accesses are done. For emac_rx_packet_zc(), move the free to the end of the loop body after emac_dispatch_skb_zc() (which calls emac_rx_timestamp()) has returned.

Metadata

CVE ID: CVE-2026-31501
State: PUBLISHED
Assigner: Linux
Reserved: 2026-03-09 15:48 UTC
Published: 2026-04-22 13:54 UTC
Last updated: 2026-05-11 22:09 UTC
Vendor / Product: Linux / Linux
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products (2)

Vendor	Product	Platform	Versions
Linux	Linux	—	46eeb90f03e03d5e8f7f9f1f0eb0792104fc5f86 < d5827316debcb677679bb014885d7be92c410e11, 46eeb90f03e03d5e8f7f9f1f0eb0792104fc5f86 < eb8c426c9803beb171f89d15fea17505eb517714
Linux	Linux	—	6.15, 0 < 6.15, 6.19.11 ≤ 6.19., 7.0 ≤

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (2)