
CVE-2026-31494
Severity: High
Published: 22 April 2026
Modified: 28 April 2026
KEV Added: not listed
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (6.5th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31494 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel. Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 6.5th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation), that is, applying the upstream fix, and SI-16 (Memory Protection), which raises the cost of exploiting the write but does not remove it.

Deeper analysis

CVE-2026-31494 is an out-of-bounds write in the Linux kernel's macb driver (Cadence MACB/GEM Ethernet controllers), in the ethtool statistics path used for GEM hardware. The two halves of that interface disagree about the buffer size. gem_get_sset_count() reports a statistics count derived from the number of active queues, and the ethtool core allocates a vmalloc buffer of exactly that many u64 entries; gem_get_ethtool_stats() then memcpy()s counters for all MACB_MAX_QUEUES queues into it. Whenever fewer queues are active than MACB_MAX_QUEUES, the copy runs past the end of the requested allocation. KASAN's vmalloc instrumentation caught this on a Raspberry Pi board (the splat is reproduced under Vulnerability details). The flaw is classified as CWE-787 with a CVSS v3.1 base score of 7.8.

A local, low-privileged user can trigger the bug simply by requesting interface statistics (for example, ethtool -S on an interface bound to the macb driver); the request enters the kernel through the SIOCETHTOOL ioctl, reaches dev_ethtool() and ends in the oversized memcpy in gem_get_ethtool_stats(). Statistics retrieval is one of the ethtool operations the kernel permits without CAP_NET_ADMIN, which is why the vector scores PR:L rather than PR:H. The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) assumes the corruption can be turned into code execution, data tampering or denial of service. Two details in the splat temper that for practical risk: the bytes written are driver-maintained counters rather than attacker-chosen data, and the reported write is 760 bytes starting at the first byte of a one-page vmalloc region, of which only the first 424 bytes (the shadow map turns poisoned at offset 0x1a8) were requested. KASAN flags the write because it exceeds the requested size; on a production kernel, where vmalloc still hands out whole pages, a write of that size from the start of the page stays inside the page's unused tail and does not reach another allocation.

The fix, titled "net: macb: use the current queue number for stats", makes gem_get_ethtool_stats() size its copy from the active queue count so that it can never exceed what gem_get_sset_count() promised. The upstream fix and its stable backports are tracked as commits 240c5302eed83e34e98db18f6795ee5f40814024, 72d96e4e24bbefdcfbc68bdb9341a05d8f5cb6e5, 7ff87da099210856cbfe2f2f7f52ddfa57af4f0c, 95246341945163ad9a250a87ca5bd1c1252777ae and 9596759a84e1dbf2670518d85e969208960041f9. Check the running kernel against the ranges under Affected Assets and prioritise hosts where an interface is actually bound to macb (ethtool -i reports driver: macb); the vulnerable function is only reachable through a net_device registered by that driver, so hosts without such an interface are not exposed even if the module is built.
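The size mismatch described above, as an added user-space model that is not the kernel's code. It reimplements the two halves of the interface (a sset_count routine and a vulnerable plus a fixed stats copy) and a stand-in for the ethtool core that, like vmalloc, backs the request with a whole page and fills the slack with a canary so the overrun can be measured the way KASAN measures it. GEM_STATS_LEN = 47 and QUEUE_STATS_LEN = 6 are assumptions inferred from the splat on this page (47 + 6 × 8 = 95 u64 = 760 bytes written; 47 + 6 × 1 = 53 u64 = 424 bytes valid before the first poisoned shadow byte at offset 0x1a8); the struct and function names are the model's own.

```c
/* Added example, not kernel code: user-space model of the
 * gem_get_sset_count()/gem_get_ethtool_stats() mismatch behind
 * CVE-2026-31494. GEM_STATS_LEN and QUEUE_STATS_LEN are assumptions
 * inferred from the KASAN splat (760 bytes written, 424 requested).
 * Build: cc -std=c11 -Wall -o macb_model macb_model.c */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MACB_MAX_QUEUES  8
#define GEM_STATS_LEN    47   /* assumed: controller-wide counters */
#define QUEUE_STATS_LEN  6    /* assumed: counters per queue */
#define MODEL_PAGE_SIZE  4096 /* vmalloc hands out whole pages */

/* Driver state: counters for every possible queue live in one fixed-size
 * array no matter how many queues the hardware instance actually has. */
struct macb_model {
    unsigned int num_queues;
    uint64_t ethtool_stats[GEM_STATS_LEN + QUEUE_STATS_LEN * MACB_MAX_QUEUES];
};

/* Stand-in for gem_get_sset_count(): what the driver promises the core. */
static int model_get_sset_count(const struct macb_model *bp)
{
    return GEM_STATS_LEN + QUEUE_STATS_LEN * bp->num_queues;
}

/* Vulnerable copy: sized for MACB_MAX_QUEUES queues regardless of the
 * count reported above. Returns the number of bytes written. */
static size_t model_get_stats_vuln(const struct macb_model *bp, uint64_t *data)
{
    size_t n = sizeof(uint64_t) * (GEM_STATS_LEN + QUEUE_STATS_LEN * MACB_MAX_QUEUES);
    memcpy(data, bp->ethtool_stats, n);
    return n;
}

/* Fixed copy: sized from the active queue count, so it can never exceed
 * what model_get_sset_count() reported. */
static size_t model_get_stats_fixed(const struct macb_model *bp, uint64_t *data)
{
    size_t n = sizeof(uint64_t) * (size_t)model_get_sset_count(bp);
    memcpy(data, bp->ethtool_stats, n);
    return n;
}

/* Bytes the ethtool core reserves for a given queue count. */
static size_t model_requested_bytes(unsigned int num_queues)
{
    struct macb_model bp = { .num_queues = num_queues };
    return sizeof(uint64_t) * (size_t)model_get_sset_count(&bp);
}

/* Stand-in for ethtool_get_stats(): reserve exactly sset_count entries in a
 * page-sized backing store, fill the slack past the request with a canary,
 * let the driver write, then count clobbered canary bytes. Returns the
 * overrun in bytes, or -1 for an invalid queue count or allocation failure. */
static long model_overrun_bytes(unsigned int num_queues, int use_fix)
{
    if (num_queues < 1 || num_queues > MACB_MAX_QUEUES)
        return -1;

    struct macb_model bp = { .num_queues = num_queues };
    size_t total = sizeof(bp.ethtool_stats) / sizeof(bp.ethtool_stats[0]);
    for (size_t i = 0; i < total; i++)
        bp.ethtool_stats[i] = i + 1;   /* small values: no byte equals 0xA5 */

    size_t requested = model_requested_bytes(num_queues);
    unsigned char *page = malloc(MODEL_PAGE_SIZE);
    if (!page)
        return -1;
    memset(page, 0, requested);
    memset(page + requested, 0xA5, MODEL_PAGE_SIZE - requested);

    if (use_fix)
        model_get_stats_fixed(&bp, (uint64_t *)page);
    else
        model_get_stats_vuln(&bp, (uint64_t *)page);

    long overrun = 0;
    for (size_t i = requested; i < MODEL_PAGE_SIZE; i++)
        if (page[i] != 0xA5)
            overrun++;
    free(page);
    return overrun;
}

int main(void)
{
    for (unsigned int q = 1; q <= MACB_MAX_QUEUES; q++)
        printf("queues=%u reserved=%zu vuln_overrun=%ld fixed_overrun=%ld\n",
               q, model_requested_bytes(q),
               model_overrun_bytes(q, 0), model_overrun_bytes(q, 1));
    return 0;
}
```

With one active queue the vulnerable copy overruns the 424 requested bytes by 336, matching the 760-byte write in the splat; with all eight queues the two sizes coincide and the overrun is zero, which is why the bug only surfaces on hardware exposing fewer queues than MACB_MAX_QUEUES. The fixed copy reports zero for every queue count.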


Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

net: macb: use the current queue number for stats

There's a potential mismatch between the memory reserved for statistics and the amount of memory written. gem_get_sset_count() correctly computes the number of stats based on the active queues, whereas gem_get_ethtool_stats() indiscriminately copies data using the maximum number of queues, and in the case the number of active queues is less than MACB_MAX_QUEUES, this results in an OOB write as observed in the KASAN splat.

==================================================================
BUG: KASAN: vmalloc-out-of-bounds in gem_get_ethtool_stats+0x54/0x78 [macb]
Write of size 760 at addr ffff80008080b000 by task ethtool/1027

CPU: [...] Tainted: [E]=UNSIGNED_MODULE
Hardware name: raspberrypi rpi/rpi, BIOS 2025.10 10/01/2025
Call trace:
 show_stack+0x20/0x38 (C)
 dump_stack_lvl+0x80/0xf8
 print_report+0x384/0x5e0
 kasan_report+0xa0/0xf0
 kasan_check_range+0xe8/0x190
 __asan_memcpy+0x54/0x98
 gem_get_ethtool_stats+0x54/0x78 [macb 926c13f3af83b0c6fe64badb21ec87d5e93fcf65]
 dev_ethtool+0x1220/0x38c0
 dev_ioctl+0x4ac/0xca8
 sock_do_ioctl+0x170/0x1d8
 sock_ioctl+0x484/0x5d8
 __arm64_sys_ioctl+0x12c/0x1b8
 invoke_syscall+0xd4/0x258
 el0_svc_common.constprop.0+0xb4/0x240
 do_el0_svc+0x48/0x68
 el0_svc+0x40/0xf8
 el0t_64_sync_handler+0xa0/0xe8
 el0t_64_sync+0x1b0/0x1b8

The buggy address belongs to a 1-page vmalloc region starting at 0xffff80008080b000 allocated at dev_ethtool+0x11f0/0x38c0
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff00000a333000 pfn:0xa333
flags: 0x7fffc000000000(node=0|zone=0|lastcpupid=0x1ffff)
raw: 007fffc000000000 0000000000000000 dead000000000122 0000000000000000
raw: ffff00000a333000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff80008080b080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff80008080b100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff80008080b180: 00 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                                  ^
 ffff80008080b200: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffff80008080b280: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================

Fix it by making sure the copied size only considers the active number of queues.

CWE(s)

CWE-787 Out-of-bounds Write

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

A local out-of-bounds write in a kernel driver (macb), triggered from an unprivileged ethtool ioctl, gives a low-privileged user direct kernel memory corruption and, if that corruption can be leveraged, code execution in kernel context; this maps to Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71137 (same product: Linux kernel)
CVE-2026-31772 (same product: Linux kernel)
CVE-2026-23378 (same product: Linux kernel)
CVE-2025-21735 (same product: Linux kernel)
CVE-2025-21650 (same product: Linux kernel)
CVE-2024-52319 (same product: Linux kernel)
CVE-2024-58003 (same product: Linux kernel)
CVE-2026-23343 (same product: Linux kernel)
CVE-2026-23092 (same product: Linux kernel)
CVE-2026-43500 (same product: Linux kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 4.16, 7.0 · 4.16.1 to 5.10.253 · 5.11 to 5.15.203 · 5.16 to 6.1.168

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly requires timely identification, reporting and patching of the out-of-bounds write in the Linux kernel's macb GEM driver, as evidenced by the upstream commits listed above.

SI-16 Memory Protection (prevent)

Kernel memory protections such as KASLR, SMEP/SMAP on x86 (PAN/PXN on arm64, the architecture in the reported splat) and vmalloc guard pages raise the cost of turning the out-of-bounds write triggered via ethtool into something useful, but they do not prevent the write itself. KASAN, which caught this bug, is a debugging aid and is not enabled on production kernels.

Vulnerability scanning (detect)

Scans for CVE-2026-31494 in affected kernel versions, prioritising hosts where an interface reports driver: macb under ethtool -i, so that remediation can be scheduled.
