CVE-2026-31494
Published: 22 April 2026
Summary
CVE-2026-31494 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 6.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-31494 is an out-of-bounds write in the Linux kernel's macb driver (Cadence MACB/GEM Ethernet controllers), in the ethtool statistics path of the GEM variant. The bug is a mismatch between two driver callbacks: gem_get_sset_count() reports a statistics count derived from the number of active queues, and the ethtool core sizes its vmalloc'd output buffer from that count, but gem_get_ethtool_stats() then memcpy()s a fixed block sized for MACB_MAX_QUEUES. Whenever fewer queues than the maximum are active, the copy runs past the end of the buffer; KASAN caught this as a vmalloc-out-of-bounds write on a Raspberry Pi board. The vulnerability is classified under CWE-787 with a CVSS v3.1 base score of 7.8.
A local, low-privileged user can reach the bug by requesting interface statistics from a macb-backed network device (for example ethtool -S <iface>), which enters dev_ethtool() through the SIOCETHTOOL ioctl and calls gem_get_ethtool_stats(); the KASAN report shows exactly that path, from sock_ioctl() down to the oversized memcpy. ETHTOOL_GSTATS is one of the ethtool commands the kernel permits without CAP_NET_ADMIN, which is why the vector scores privileges required as low. The CVSS v3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) treats the result as a kernel memory corruption with full confidentiality, integrity and availability impact. One caveat for triage: the bytes written past the buffer are the driver's own counter values rather than attacker-supplied data, so the high impact ratings describe the worst case for kernel memory corruption; the report on this page demonstrates the out-of-bounds write, not a working privilege-escalation chain.
Mitigation involves applying the upstream kernel patches carried in the stable repository, such as commits 240c5302eed83e34e98db18f6795ee5f40814024, 72d96e4e24bbefdcfbc68bdb9341a05d8f5cb6e5, 7ff87da099210856cbfe2f2f7f52ddfa57af4f0c, 95246341945163ad9a250a87ca5bd1c1252777ae, and 9596759a84e1dbf2670518d85e969208960041f9. The fix is small: gem_get_ethtool_stats() now copies only the entries for the active queues, the same count gem_get_sset_count() reports, so the two callbacks can no longer disagree and the copy stays inside the buffer the ethtool core allocated. To confirm exposure, check whether any interface is bound to the macb driver (ethtool -i <iface> reports "driver: macb", or follow the /sys/class/net/<iface>/device/driver symlink) and compare the running kernel against the stable releases that carry these commits. Systems with macb-backed interfaces should move to a patched kernel as soon as one is available.
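To make the size mismatch concrete, here is a user-space model of the ethtool core's buffer allocation and the driver's two copy variants, the pre-fix one sized by MACB_MAX_QUEUES and the fixed one sized by the active queue count. It is an added example, not code from the macb driver or the kernel tree: MACB_MAX_QUEUES (8) and QUEUE_STATS_LEN (6) follow the driver's layout as I recall it, GEM_STATS_LEN (47) is inferred so that the constants reproduce the 760-byte write in the splat, and the poisoned slack after the buffer stands in for KASAN's vmalloc shadow; treat all three constants and the struct as assumptions. With one active queue the model reports a 336-byte overrun of a 424-byte buffer, which is also where the f8 poison begins in the shadow dump above (offset 0x1a8).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed constants. MACB_MAX_QUEUES and QUEUE_STATS_LEN (6 per-queue
 * counters) follow the driver as I recall it; GEM_STATS_LEN is inferred
 * from the splat: 760 bytes = 95 u64 = 47 + 6 * 8. */
#define MACB_MAX_QUEUES 8
#define QUEUE_STATS_LEN 6
#define GEM_STATS_LEN   47
#define GEM_ETHTOOL_STATS_MAX (GEM_STATS_LEN + QUEUE_STATS_LEN * MACB_MAX_QUEUES)

/* Stand-in for the driver's private struct (hypothetical layout): the
 * source array is always sized for the maximum; only num_queues varies. */
struct macb_model {
    unsigned int num_queues;
    uint64_t ethtool_stats[GEM_ETHTOOL_STATS_MAX];
};

/* Mirrors gem_get_sset_count(): the count the ethtool core uses to size
 * the output buffer it hands to the driver. */
static int model_get_sset_count(const struct macb_model *bp)
{
    return GEM_STATS_LEN + (int)bp->num_queues * QUEUE_STATS_LEN;
}

/* Size of the pre-fix copy: fixed at compile time, independent of num_queues. */
static size_t model_vulnerable_write_size(void)
{
    return sizeof(uint64_t) * GEM_ETHTOOL_STATS_MAX;
}

/* Vulnerable variant: copies for MACB_MAX_QUEUES regardless of the buffer. */
static void model_get_stats_vulnerable(const struct macb_model *bp, uint64_t *data)
{
    memcpy(data, bp->ethtool_stats, model_vulnerable_write_size());
}

/* Fixed variant: copies only the active queues, matching get_sset_count. */
static void model_get_stats_fixed(const struct macb_model *bp, uint64_t *data)
{
    memcpy(data, bp->ethtool_stats,
           sizeof(uint64_t) * (GEM_STATS_LEN + QUEUE_STATS_LEN * bp->num_queues));
}

typedef void (*get_stats_fn)(const struct macb_model *, uint64_t *);

#define PAGE_BYTES 4096
#define POISON 0xF8 /* KASAN's vmalloc-invalid shadow value, reused as a canary */

/* Model of the ethtool core: allocate n_stats * 8 bytes at the start of a
 * page-sized region, poison the slack (as KASAN does for vmalloc), let the
 * driver fill the buffer, then measure how far past the allocation it wrote.
 * Returns bytes written beyond the allocation, or -1 on a bad request. */
static long model_ethtool_get_stats(unsigned int num_queues, get_stats_fn fn)
{
    struct macb_model bp;
    unsigned char *page;
    size_t n_bytes, i;
    long overflow = 0;

    if (num_queues == 0 || num_queues > MACB_MAX_QUEUES)
        return -1;
    memset(&bp, 0, sizeof(bp));
    bp.num_queues = num_queues;
    for (i = 0; i < GEM_ETHTOOL_STATS_MAX; i++)
        bp.ethtool_stats[i] = 0x4242424242424242ULL + i; /* constructed counters, never 0xF8 */

    n_bytes = (size_t)model_get_sset_count(&bp) * sizeof(uint64_t);
    page = malloc(PAGE_BYTES);
    if (!page)
        return -1;
    memset(page, 0, n_bytes);
    memset(page + n_bytes, POISON, PAGE_BYTES - n_bytes);

    fn(&bp, (uint64_t *)page);

    for (i = n_bytes; i < PAGE_BYTES; i++)
        if (page[i] != POISON)
            overflow = (long)(i - n_bytes) + 1; /* last clobbered offset + 1 */
    free(page);
    return overflow;
}

int main(void)
{
    unsigned int q;

    printf("pre-fix copy is always %zu bytes\n", model_vulnerable_write_size());
    for (q = 1; q <= MACB_MAX_QUEUES; q++) {
        int buf = (GEM_STATS_LEN + (int)q * QUEUE_STATS_LEN) * (int)sizeof(uint64_t);
        printf("num_queues=%u: buffer %d bytes, overrun vulnerable=%ld fixed=%ld\n",
               q, buf,
               model_ethtool_get_stats(q, model_get_stats_vulnerable),
               model_ethtool_get_stats(q, model_get_stats_fixed));
    }
    return 0;
}
```

The overrun shrinks as more queues are active and disappears only when all MACB_MAX_QUEUES are in use, which is why a single-queue board such as the one in the splat shows the largest write past the buffer; the fixed variant never overruns because its length is derived from the same num_queues that sized the allocation.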
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24864
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

net: macb: use the current queue number for stats

There's a potential mismatch between the memory reserved for statistics and the amount of memory written. gem_get_sset_count() correctly computes the number of stats based on the active queues, whereas gem_get_ethtool_stats() indiscriminately copies data using the maximum number of queues, and in the case the number of active queues is less than MACB_MAX_QUEUES, this results in an OOB write as observed in the KASAN splat.

==================================================================
BUG: KASAN: vmalloc-out-of-bounds in gem_get_ethtool_stats+0x54/0x78 [macb]
Write of size 760 at addr ffff80008080b000 by task ethtool/1027

CPU: [...] Tainted: [E]=UNSIGNED_MODULE
Hardware name: raspberrypi rpi/rpi, BIOS 2025.10 10/01/2025
Call trace:
 show_stack+0x20/0x38 (C)
 dump_stack_lvl+0x80/0xf8
 print_report+0x384/0x5e0
 kasan_report+0xa0/0xf0
 kasan_check_range+0xe8/0x190
 __asan_memcpy+0x54/0x98
 gem_get_ethtool_stats+0x54/0x78 [macb 926c13f3af83b0c6fe64badb21ec87d5e93fcf65]
 dev_ethtool+0x1220/0x38c0
 dev_ioctl+0x4ac/0xca8
 sock_do_ioctl+0x170/0x1d8
 sock_ioctl+0x484/0x5d8
 __arm64_sys_ioctl+0x12c/0x1b8
 invoke_syscall+0xd4/0x258
 el0_svc_common.constprop.0+0xb4/0x240
 do_el0_svc+0x48/0x68
 el0_svc+0x40/0xf8
 el0t_64_sync_handler+0xa0/0xe8
 el0t_64_sync+0x1b0/0x1b8

The buggy address belongs to a 1-page vmalloc region starting at 0xffff80008080b000 allocated at dev_ethtool+0x11f0/0x38c0
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff00000a333000 pfn:0xa333
flags: 0x7fffc000000000(node=0|zone=0|lastcpupid=0x1ffff)
raw: 007fffc000000000 0000000000000000 dead000000000122 0000000000000000
raw: ffff00000a333000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff80008080b080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff80008080b100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff80008080b180: 00 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                                  ^
 ffff80008080b200: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffff80008080b280: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================

Fix it by making sure the copied size only considers the active number of queues.
CWE(s): CWE-787 (Out-of-bounds Write)
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
A local out-of-bounds write in a kernel driver (macb), reachable through an unprivileged ethtool ioctl, corrupts kernel memory from a low-privileged context; that is the precondition for Exploitation for Privilege Escalation (T1068), so the mapping follows even though this page references no working exploit.
Mitigating Controls (NIST 800-53 r5) (AI)
SI-2 (Flaw Remediation): Requires timely identification, reporting and correction of the out-of-bounds write in the Linux kernel's macb GEM driver; in practice that means deploying a kernel that carries the upstream commits listed above.
SI-16 (Memory Protection): Implements kernel memory protections such as KASLR, supervisor-mode execution and access prevention (SMEP/SMAP on x86, PXN/PAN on arm64) and vmalloc guard pages, which raise the cost of turning the vmalloc out-of-bounds write triggered by ethtool into something more than a crash. KASAN, which surfaced the bug, is a debugging instrument rather than a production control.
RA-5 (Vulnerability Monitoring and Scanning): Conducts vulnerability scanning to identify CVE-2026-31494 on hosts running affected kernel versions with macb-backed interfaces, so they can be scheduled for remediation.