Cyber Resilience

CVE-2026-31644

Severity: High

Published: 24 April 2026

Modified: 27 April 2026
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 7.8, vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0001 (3.5th percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31644 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel (vendor: Linux, product: Linux Kernel). Its CVSS v3.1 base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 3.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-31644 is a use-after-free vulnerability accompanied by a memory leak in the `lan966x_fdma_reload()` function of the Linux kernel's lan966x network driver. The issue arises when the function fails to allocate new RX buffers, causing the restore path to restart DMA operations using old descriptors whose associated pages have already been freed by `lan966x_fdma_rx_free_pages()`. Since `page_pool_put_full_page()` can return these pages to the buddy allocator, the hardware may perform DMA into memory now owned by other kernel subsystems. Additionally, if allocation partially succeeds, the newly created page pool is overwritten without destruction, resulting in a leak.

The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-416 (Use After Free). It can be exploited by a local attacker with low privileges and no user interaction required, potentially enabling high-impact effects on confidentiality, integrity, and availability through kernel memory corruption via unauthorized DMA access or resource exhaustion from the page pool leak.

Patches addressing CVE-2026-31644 are available in upstream Linux kernel stable branches via the following commits: https://git.kernel.org/stable/c/59c3d55a946cacdb4181600723c20ac4f4c20c84, https://git.kernel.org/stable/c/691082c0b93c13a5e068c0905f673060bddc204e, https://git.kernel.org/stable/c/92a673019943770930e2a8bfd52e1aad47a1fc1f, and https://git.kernel.org/stable/c/9950e9199b3dfdfbde0b8d96ba947d7b11243801. These fixes defer the release of old pages until new allocation succeeds, preserve the old page array for safe freeing on success, maintain valid descriptors and page pool on failure for safe restore, and ensure the restore path re-enables NAPI and wakes the netdev consistent with the success path.
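The ordering problem described above, modelled as an added example; this is not the lan966x driver's code and not taken from the listed commits. The RX ring, page arena, page-pool counter and allocation budget are constructed stand-ins. `reload_vulnerable()` follows the pattern the advisory describes (release the old pages, then allocate, then restore the old descriptors on failure), while `reload_fixed()` follows the ordering the commits introduce (allocate first, keep the old page array, free old pages only once allocation has succeeded, and keep descriptors and pool valid on failure). `ring_dangling()` counts descriptors whose page is either back in the allocator or owned by a different pool, which is exactly the memory the hardware would DMA into on the next receive.

```c
/* Added example: a model of the reload ordering described for CVE-2026-31644.
 * Not the lan966x driver's code; ring, arena, pools and budget are constructed. */
#include <stdio.h>
#include <string.h>

#define NBUF  4   /* RX descriptors in the simulated ring */
#define ARENA 16  /* pages in the simulated allocator */

struct sim_page { int in_use; int owner; };               /* owner: pool id */
struct sim_ring { struct sim_page *pages[NBUF]; int pool; };

static struct sim_page arena[ARENA];
static int alloc_budget, pools_alive, next_pool_id; /* budget: allocs left; alive: created - destroyed */
struct sim_ring g_ring;

static int  sim_pool_create(void) { pools_alive++; return ++next_pool_id; }
static void sim_pool_destroy(int pool) { (void)pool; pools_alive--; }

/* First free arena page, tagged with the pool that owns it; NULL once the budget is spent. */
static struct sim_page *sim_alloc_page(int pool)
{
    for (int i = 0; alloc_budget > 0 && i < ARENA; i++)
        if (!arena[i].in_use) {
            arena[i].in_use = 1, arena[i].owner = pool, alloc_budget--;
            return &arena[i];
        }
    return NULL;
}

/* Stand-in for page_pool_put_full_page(): the page goes back to the allocator. */
static void sim_free_pages(struct sim_page **pages)
{
    for (int i = 0; i < NBUF; i++)
        if (pages[i])
            pages[i]->in_use = 0;
}

/* Fill `out` from a fresh pool; on failure the partial set and new pool id stay for undo. */
static int sim_alloc_ring(struct sim_page **out, int *pool)
{
    *pool = sim_pool_create();
    for (int i = 0; i < NBUF; i++)
        if (!(out[i] = sim_alloc_page(*pool)))
            return -1;
    return 0;
}

/* Buggy order: old pages released before replacements exist; restore reinstalls them. */
int reload_vulnerable(struct sim_ring *ring)
{
    struct sim_page *old[NBUF];
    int old_pool = ring->pool;
    memcpy(old, ring->pages, sizeof(old));
    sim_free_pages(ring->pages);
    if (sim_alloc_ring(ring->pages, &ring->pool) < 0) {
        memcpy(ring->pages, old, sizeof(old));  /* descriptors over reclaimed pages */
        ring->pool = old_pool;                  /* new pool overwritten, never destroyed */
        return -1;
    }
    sim_pool_destroy(old_pool);
    return 0;
}

/* Fixed order: allocate first; free old pages only on success; undo partial work on failure. */
int reload_fixed(struct sim_ring *ring)
{
    struct sim_page *fresh[NBUF] = {0};
    int new_pool;
    if (sim_alloc_ring(fresh, &new_pool) < 0) {
        sim_free_pages(fresh);
        sim_pool_destroy(new_pool);
        return -1;                      /* old descriptors and pool are still valid */
    }
    sim_free_pages(ring->pages);
    sim_pool_destroy(ring->pool);
    memcpy(ring->pages, fresh, sizeof(fresh));
    ring->pool = new_pool;
    return 0;
}

/* Descriptors whose page is free or owned by another pool: where the next DMA would land. */
int ring_dangling(const struct sim_ring *ring)
{
    int n = 0;
    for (int i = 0; i < NBUF; i++)
        n += ring->pages[i] && (!ring->pages[i]->in_use || ring->pages[i]->owner != ring->pool);
    return n;
}

int pools_live(void) { return pools_alive; }

/* Healthy ring, then only `budget` further page allocations succeed. */
void sim_reset(int budget)
{
    memset(arena, 0, sizeof(arena));
    pools_alive = next_pool_id = 0, alloc_budget = NBUF;
    sim_alloc_ring(g_ring.pages, &g_ring.pool);
    alloc_budget = budget;
}
```

Compiled as a unit with a `main()` that calls `sim_reset(2)` (a ring of four pages, then only two allocations allowed to succeed) followed by one of the reload functions, `ring_dangling(&g_ring)` returns 4 after `reload_vulnerable()` and 0 after `reload_fixed()`, and `pools_live()` returns 2 versus 1: the vulnerable ordering leaves every descriptor pointing at memory the ring no longer owns and leaks the half-built pool, while the fixed ordering leaves the old ring untouched. With a full budget both variants succeed, which is why the defect only shows up under allocation failure.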


Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

net: lan966x: fix use-after-free and leak in lan966x_fdma_reload()

When lan966x_fdma_reload() fails to allocate new RX buffers, the restore path restarts DMA using old descriptors whose pages were already freed via lan966x_fdma_rx_free_pages(). Since page_pool_put_full_page() can release pages back to the buddy allocator, the hardware may DMA into memory now owned by other kernel subsystems. Additionally, on the restore path, the newly created page pool (if allocation partially succeeded) is overwritten without being destroyed, leaking it.

Fix both issues by deferring the release of old pages until after the new allocation succeeds. Save the old page array before the allocation so old pages can be freed on the success path. On the failure path, the old descriptors, pages and page pool are all still valid, making the restore safe. Also ensure the restore path re-enables NAPI and wakes the netdev, matching the success path.

CWE(s)

CWE-416 Use After Free

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel UAF/memory corruption in lan966x driver directly enables exploitation for privilege escalation by low-privileged attackers (kernel arbitrary DMA/write or DoS via page leak).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111 (same product: Linux Kernel)
CVE-2026-31530 (same product: Linux Kernel)
CVE-2026-43019 (same product: Linux Kernel)
CVE-2026-23158 (same product: Linux Kernel)
CVE-2025-21893 (same product: Linux Kernel)
CVE-2026-31446 (same product: Linux Kernel)
CVE-2026-31650 (same product: Linux Kernel)
CVE-2026-23001 (same product: Linux Kernel)
CVE-2024-50051 (same product: Linux Kernel)
CVE-2025-21759 (same product: Linux Kernel)

Affected Assets

Vendor: linux
Product: linux kernel
Affected versions: 6.12, 7.0; 6.12.1 to 6.12.82; 6.13 to 6.18.23; 6.19 to 6.19.13

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-2, Flaw Remediation): directly mitigates the use-after-free and memory leak by applying the specific upstream Linux kernel patches that defer old page release until new allocation succeeds.

Detect (RA-5, Vulnerability Monitoring and Scanning): vulnerability scanning identifies systems running lan966x driver versions affected by CVE-2026-31644, enabling prompt patching.

Prevent: kernel memory protection mechanisms like KASLR and hardware-enforced memory isolation limit the impact of DMA into freed pages from the use-after-free.
