CVE-2026-31505
Published: 22 April 2026
Summary
CVE-2026-31505 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 2.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely remediation through application of Linux kernel stable patches directly resolves the inconsistent queue count usage causing out-of-bounds writes in the iavf driver.
Vulnerability scanning tools identify the presence of CVE-2026-31505 in affected kernel versions with the iavf driver, enabling prioritization for patching.
Memory protection mechanisms such as non-executable kernel memory and address space randomization limit the impact and exploitability of the out-of-bounds write vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel OOB write in iavf driver directly enables T1068 (Exploitation for Privilege Escalation) via memory corruption leading to root; also enables T1499.004 (Application or System Exploitation) for DoS via kernel panic or crash.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: iavf: fix out-of-bounds writes in iavf_get_ethtool_stats() iavf incorrectly uses real_num_tx_queues for ETH_SS_STATS. Since the value could change in runtime, we should use num_tx_queues instead. Moreover iavf_get_ethtool_stats() uses num_active_queues while iavf_get_sset_count()…
more
and iavf_get_stat_strings() use real_num_tx_queues, which triggers out-of-bounds writes when we do "ethtool -L" and "ethtool -S" simultaneously [1]. For example when we change channels from 1 to 8, Thread 3 could be scheduled before Thread 2, and out-of-bounds writes could be triggered in Thread 3: Thread 1 (ethtool -L) Thread 2 (work) Thread 3 (ethtool -S) iavf_set_channels() ... iavf_alloc_queues() -> num_active_queues = 8 iavf_schedule_finish_config() iavf_get_sset_count() real_num_tx_queues: 1 -> buffer for 1 queue iavf_get_ethtool_stats() num_active_queues: 8 -> out-of-bounds! iavf_finish_config() -> real_num_tx_queues = 8 Use immutable num_tx_queues in all related functions to avoid the issue. [1] BUG: KASAN: vmalloc-out-of-bounds in iavf_add_one_ethtool_stat+0x200/0x270 Write of size 8 at addr ffffc900031c9080 by task ethtool/5800 CPU: 1 UID: 0 PID: 5800 Comm: ethtool Not tainted 6.19.0-enjuk-08403-g8137e3db7f1c #241 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x6f/0xb0 print_report+0x170/0x4f3 kasan_report+0xe1/0x180 iavf_add_one_ethtool_stat+0x200/0x270 iavf_get_ethtool_stats+0x14c/0x2e0 __dev_ethtool+0x3d0c/0x5830 dev_ethtool+0x12d/0x270 dev_ioctl+0x53c/0xe30 sock_do_ioctl+0x1a9/0x270 sock_ioctl+0x3d4/0x5e0 __x64_sys_ioctl+0x137/0x1c0 do_syscall_64+0xf3/0x690 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f7da0e6e36d ... </TASK> The buggy address belongs to a 1-page vmalloc region starting at 0xffffc900031c9000 allocated at __dev_ethtool+0x3cc9/0x5830 The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88813a013de0 pfn:0x13a013 flags: 0x200000000000000(node=0|zone=2) raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000 raw: ffff88813a013de0 0000000000000000 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffffc900031c8f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ffffc900031c9000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffffc900031c9080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ^ ffffc900031c9100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ffffc900031c9180: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
Deeper analysisAI
CVE-2026-31505 is a vulnerability in the Linux kernel's iavf driver, which handles Intel Adaptive Virtual Function Ethernet devices. The issue manifests as out-of-bounds writes in the iavf_get_ethtool_stats() function, triggered by inconsistent queue count usage across related functions. Specifically, iavf_get_ethtool_stats() relies on num_active_queues, while iavf_get_sset_count() and iavf_get_stat_strings() use real_num_tx_queues. This mismatch, combined with runtime changes to queue counts (e.g., via ethtool -L to adjust channels), can lead to buffer overflows when ethtool -S is executed concurrently, as detected by KASAN in a vmalloc region.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N), targeting systems running affected Linux kernels with the iavf driver loaded. Exploitation involves a race condition during queue reconfiguration: for instance, while one thread changes channels from 1 to 8 via iavf_set_channels(), another thread running ethtool -S may allocate a buffer sized for the old queue count (real_num_tx_queues=1) but write stats for the new count (num_active_queues=8), causing an out-of-bounds write. The CVSS v3.1 base score of 7.8 reflects high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), potentially enabling kernel memory corruption, denial of service, or privilege escalation.
Kernel stable patches address the issue by standardizing on the immutable num_tx_queues across iavf_get_ethtool_stats(), iavf_get_sset_count(), and iavf_get_stat_strings(). Relevant commits include 1f931dee5b726df1940348ec31614d64bac03aa6, bb85741d2dc2be207353a412f51b83697fcbefcf, fdf902bf86a80bf15792a1d20a67a5302498d7f1, and fecacfc95f195b99c71c579a472120d0b4ed65fa, available in the Linux kernel stable repository.
Details
- CWE(s)