CVE-2026-31501

Source
https://cve.org/CVERecord?id=CVE-2026-31501
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31501.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-31501
Downstream
Published
2026-04-22T13:54:21.749Z
Modified
2026-07-08T07:32:30.930681094Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
net: ti: icssg-prueth: fix use-after-free of CPPI descriptor in RX path
Details

In the Linux kernel, the following vulnerability has been resolved:

net: ti: icssg-prueth: fix use-after-free of CPPI descriptor in RX path

cppi5hdescgetpsdata() returns a pointer into the CPPI descriptor. In both emacrxpacket() and emacrxpacketzc(), the descriptor is freed via k3cppidescpoolfree() before the psdata pointer is used by emacrxtimestamp(), which dereferences psdata[0] and psdata[1]. This constitutes a use-after-free on every received packet that goes through the timestamp path.

Defer the descriptor free until after all accesses through the psdata pointer are complete. For emacrxpacket(), move the free into the requeue label so both early-exit and success paths free the descriptor after all accesses are done. For emacrxpacketzc(), move the free to the end of the loop body after emacdispatchskbzc() (which calls emacrxtimestamp()) has returned.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31501.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
46eeb90f03e03d5e8f7f9f1f0eb0792104fc5f86
Fixed
d5827316debcb677679bb014885d7be92c410e11
Fixed
eb8c426c9803beb171f89d15fea17505eb517714

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31501.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.15.0
Fixed
6.19.11

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31501.json"