CVE-2026-31501
Published: 22 April 2026
Summary
CVE-2026-31501 is a critical-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 17.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires timely remediation of the use-after-free vulnerability by applying the kernel patch that defers descriptor freeing until after psdata accesses in the RX path.
Provides memory protection mechanisms that directly mitigate exploitation of use-after-free errors like premature descriptor freeing before dereferencing psdata in emac_rx_timestamp().
Enforces secure baseline configuration settings for the Linux kernel to reduce exposure to driver-specific memory safety issues such as this icssg-prueth UAF.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated network packet processing in kernel driver directly enables T1190 (public-facing network interface exploitation for initial access/RCE) and T1210 (remote service exploitation); UAF triggers also facilitate T1499.004 (system exploitation for DoS via kernel crash).
NVD Description
In the Linux kernel, the following vulnerability has been resolved:
net: ti: icssg-prueth: fix use-after-free of CPPI descriptor in RX path
cppi5_hdesc_get_psdata() returns a pointer into the CPPI descriptor. In both emac_rx_packet() and emac_rx_packet_zc(), the descriptor is freed via k3_cppi_desc_pool_free() before the psdata pointer is used by emac_rx_timestamp(), which dereferences psdata[0] and psdata[1]. This constitutes a use-after-free on every received packet that goes through the timestamp path.
Defer the descriptor free until after all accesses through the psdata pointer are complete. For emac_rx_packet(), move the free into the requeue label so both early-exit and success paths free the descriptor after all accesses are done. For emac_rx_packet_zc(), move the free to the end of the loop body after emac_dispatch_skb_zc() (which calls emac_rx_timestamp()) has returned.
Deeper analysis
CVE-2026-31501 is a use-after-free vulnerability (CWE-416) in the Linux kernel's icssg-prueth driver (net: ti: icssg-prueth), which handles Texas Instruments ICSSG PRU Ethernet functionality. The issue occurs in the RX path where cppi5_hdesc_get_psdata() returns a pointer into a CPPI descriptor. In emac_rx_packet() and emac_rx_packet_zc(), the descriptor is freed via k3_cppi_desc_pool_free() before the psdata pointer is dereferenced in emac_rx_timestamp() via psdata[0] and psdata[1]. This results in a use-after-free on every received packet processed through the timestamp path.
The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely over the network with low complexity, no privileges or user interaction required. Any unauthenticated attacker able to send network packets to an affected interface can trigger the use-after-free, potentially leading to high-impact confidentiality, integrity, and availability violations such as kernel crashes, data corruption, or arbitrary code execution.
The provided patch commits resolve the issue by deferring the descriptor free until after all psdata accesses complete. In emac_rx_packet(), the free is moved to the requeue label to cover both early-exit and success paths post-access. In emac_rx_packet_zc(), the free is relocated to the end of the loop body after emac_dispatch_skb_zc() (which invokes emac_rx_timestamp()) returns. Security practitioners should apply these upstream kernel fixes to affected systems.
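The ordering problem and the deferred free described above, modelled in user space as an added example; this is not the driver's code or the upstream patch. The pool, the `struct desc` layout, the poison byte and the way the two psdata words are combined are assumptions of the model, and "free" here poisons a static slot so the stale read is observable without undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Simplified model; names are illustrative, not the driver's own code. */
#define POISON 0x6b  /* fill byte written on free, as slab poisoning would */
struct desc { int in_use; uint32_t psdata[2]; };
static struct desc pool[4];  /* stand-in for the CPPI descriptor pool */

static struct desc *pool_alloc(uint32_t lo, uint32_t hi)
{
    for (int i = 0; i < 4; i++)
        if (!pool[i].in_use) {
            pool[i] = (struct desc){ 1, { lo, hi } };
            return &pool[i];
        }
    return NULL;
}
static void pool_free(struct desc *d)
{
    memset(d->psdata, POISON, sizeof d->psdata);  /* contents gone after free */
    d->in_use = 0;
}

/* Returns a pointer INTO the descriptor, like the accessor in the advisory. */
static uint32_t *get_psdata(struct desc *d) { return d->psdata; }
/* Reads psdata[0] and psdata[1]; the 64-bit combination is an assumption. */
static uint64_t rx_timestamp(const uint32_t *ps) { return ((uint64_t)ps[1] << 32) | ps[0]; }

static uint64_t rx_packet_buggy(struct desc *d)  /* pre-fix ordering */
{
    uint32_t *psdata = get_psdata(d);
    pool_free(d);                  /* descriptor released first ... */
    return rx_timestamp(psdata);   /* ... then read through the stale pointer */
}

static uint64_t rx_packet_fixed(struct desc *d)  /* post-fix ordering */
{
    uint32_t *psdata = get_psdata(d);
    uint64_t ts = rx_timestamp(psdata);  /* all psdata accesses complete */
    pool_free(d);                        /* free deferred to the end */
    return ts;
}

int main(void)
{
    printf("buggy: %#llx\n", (unsigned long long)rx_packet_buggy(pool_alloc(0x11111111u, 0x22222222u)));
    printf("fixed: %#llx\n", (unsigned long long)rx_packet_fixed(pool_alloc(0x11111111u, 0x22222222u)));
    return 0;
}
```

In the model the pre-fix path returns the poison pattern instead of the stored timestamp words; in the kernel the same read lands in memory the pool may already have handed out again.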
Details
- CWE(s)