{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31644", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.127Z", "datePublished": "2026-04-24T14:44:58.197Z", "dateUpdated": "2026-04-24T14:44:58.197Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-24T14:44:58.197Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: lan966x: fix use-after-free and leak in lan966x_fdma_reload()\n\nWhen lan966x_fdma_reload() fails to allocate new RX buffers, the restore\npath restarts DMA using old descriptors whose pages were already freed\nvia lan966x_fdma_rx_free_pages(). Since page_pool_put_full_page() can\nrelease pages back to the buddy allocator, the hardware may DMA into\nmemory now owned by other kernel subsystems.\n\nAdditionally, on the restore path, the newly created page pool (if\nallocation partially succeeded) is overwritten without being destroyed,\nleaking it.\n\nFix both issues by deferring the release of old pages until after the\nnew allocation succeeds. Save the old page array before the allocation\nso old pages can be freed on the success path. On the failure path, the\nold descriptors, pages and page pool are all still valid, making the\nrestore safe. Also ensure the restore path re-enables NAPI and wakes\nthe netdev, matching the success path."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c"], "versions": [{"version": "89ba464fcf548d64bc7215dfe769f791330ae8b6", "lessThan": "691082c0b93c13a5e068c0905f673060bddc204e", "status": "affected", "versionType": "git"}, {"version": "89ba464fcf548d64bc7215dfe769f791330ae8b6", "lessThan": "92a673019943770930e2a8bfd52e1aad47a1fc1f", "status": "affected", "versionType": "git"}, {"version": "89ba464fcf548d64bc7215dfe769f791330ae8b6", "lessThan": "9950e9199b3dfdfbde0b8d96ba947d7b11243801", "status": "affected", "versionType": "git"}, {"version": "89ba464fcf548d64bc7215dfe769f791330ae8b6", "lessThan": "59c3d55a946cacdb4181600723c20ac4f4c20c84", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c"], "versions": [{"version": "6.12", "status": "affected"}, {"version": "0", "lessThan": "6.12", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.82", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.23", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.13", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12", "versionEndExcluding": "6.12.82"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12", "versionEndExcluding": "6.18.23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12", "versionEndExcluding": "6.19.13"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/691082c0b93c13a5e068c0905f673060bddc204e"}, {"url": "https://git.kernel.org/stable/c/92a673019943770930e2a8bfd52e1aad47a1fc1f"}, {"url": "https://git.kernel.org/stable/c/9950e9199b3dfdfbde0b8d96ba947d7b11243801"}, {"url": "https://git.kernel.org/stable/c/59c3d55a946cacdb4181600723c20ac4f4c20c84"}], "title": "net: lan966x: fix use-after-free and leak in lan966x_fdma_reload()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: lan966x: fix use-after-free and leak in lan966x_fdma_reload()\n\nWhen lan966x_fdma_reload() fails to allocate new RX buffers, the restore\npath restarts DMA using old descriptors whose pages were already freed\nvia lan966x_fdma_rx_free_pages(). Since page_pool_put_full_page() can\nrelease pages back to the buddy allocator, the hardware may DMA into\nmemory now owned by other kernel subsystems.\n\nAdditionally, on the restore path, the newly created page pool (if\nallocation partially succeeded) is overwritten without being destroyed,\nleaking it.\n\nFix both issues by deferring the release of old pages until after the\nnew allocation succeeds. Save the old page array before the allocation\nso old pages can be freed on the success path. On the failure path, the\nold descriptors, pages and page pool are all still valid, making the\nrestore safe. Also ensure the restore path re-enables NAPI and wakes\nthe netdev, matching the success path."}], "id": "CVE-2026-31644", "lastModified": "2026-04-24T17:51:40.810", "metrics": {}, "published": "2026-04-24T15:16:43.770", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/59c3d55a946cacdb4181600723c20ac4f4c20c84"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/691082c0b93c13a5e068c0905f673060bddc204e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/92a673019943770930e2a8bfd52e1aad47a1fc1f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9950e9199b3dfdfbde0b8d96ba947d7b11243801"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{}

{}