CVE-2026-31644
Published: 24 April 2026
Summary
CVE-2026-31644 is a high-severity Use After Free (CWE-416) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its exploit-likelihood ranking sits at the 3.5th percentile (well below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-31644 is a use-after-free vulnerability accompanied by a memory leak in the `lan966x_fdma_reload()` function of the Linux kernel's lan966x network driver. The issue arises when the function fails to allocate new RX buffers, causing the restore path to restart DMA operations using old descriptors whose associated pages have already been freed by `lan966x_fdma_rx_free_pages()`. Since `page_pool_put_full_page()` can return these pages to the buddy allocator, the hardware may perform DMA into memory now owned by other kernel subsystems. Additionally, if allocation partially succeeds, the newly created page pool is overwritten without destruction, resulting in a leak.
The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-416 (Use After Free). A local attacker with low privileges and no user interaction can, in principle, turn it into kernel memory corruption (the hardware DMAs received frames into pages that now belong to another subsystem) or into resource exhaustion through the leaked page pool, with high impact on confidentiality, integrity and availability. Note the preconditions the vector does not capture: the bug lives in a reconfiguration path, so the attacker must be able to trigger a reload and must make the RX buffer allocation fail (for instance under memory pressure) before the unsafe restore path runs at all; that is consistent with the low exploit-likelihood ranking above.
Patches addressing CVE-2026-31644 are available in upstream Linux kernel stable branches via the following commits: https://git.kernel.org/stable/c/59c3d55a946cacdb4181600723c20ac4f4c20c84, https://git.kernel.org/stable/c/691082c0b93c13a5e068c0905f673060bddc204e, https://git.kernel.org/stable/c/92a673019943770930e2a8bfd52e1aad47a1fc1f, and https://git.kernel.org/stable/c/9950e9199b3dfdfbde0b8d96ba947d7b11243801. These fixes defer the release of old pages until new allocation succeeds, preserve the old page array for safe freeing on success, maintain valid descriptors and page pool on failure for safe restore, and ensure the restore path re-enables NAPI and wakes the netdev consistent with the success path.
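To make the ordering concrete, here is an added userspace model of the two reload orderings, written for this page rather than taken from the lan966x driver or the upstream fix. `page_alloc`/`page_free` stand in for the page pool, `rx_ring` for the FDMA descriptor ring, `reload_vulnerable`/`reload_fixed` for the before and after of `lan966x_fdma_reload()`, and `alloc_budget` for the allocation failure; all of these names and the four-entry ring are assumptions of the model, not the driver's own identifiers. Freed pages are never `free()`d so the audit can still inspect them; a real use-after-free offers no such safety.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RING_SIZE 4                                  /* model assumption, not the driver's ring size */
struct page { bool live; };                          /* false once back in the allocator */
struct rx_ring { struct page *pages[RING_SIZE]; bool dma_running; };
struct outcome { int rc, stale, leaked; };

static int alloc_budget;                             /* pages handed out before allocation fails */
static int live_pages;                               /* allocated minus freed, to spot leaks */

static struct page *page_alloc(void)
{
    struct page *p = alloc_budget > 0 ? calloc(1, sizeof(*p)) : NULL;
    if (!p) return NULL;                             /* "fails to allocate new RX buffers" */
    alloc_budget--; live_pages++; p->live = true;
    return p;
}

/* Stand-in for page_pool_put_full_page(): the page may now go to anyone.
 * Nothing is free()d, so audit() below can still read p->live safely. */
static void page_free(struct page *p)
{
    if (p && p->live) { p->live = false; live_pages--; }
}

static void free_all(struct page **p) { for (int i = 0; i < RING_SIZE; i++) page_free(p[i]); }

/* A short allocation leaves the survivors in @p for the caller to release. */
static int alloc_all(struct page **p)
{
    memset(p, 0, RING_SIZE * sizeof(*p));
    for (int i = 0; i < RING_SIZE; i++)
        if (!(p[i] = page_alloc())) return -1;
    return 0;
}

/* stale: armed descriptors pointing at freed memory, i.e. the engine's next
 * write lands in a page some other subsystem may own (the UAF);
 * leaked: live pages that no descriptor references (the leak). */
static void audit(const struct rx_ring *r, struct outcome *o)
{
    int referenced = 0;
    o->stale = 0;
    for (int i = 0; i < RING_SIZE; i++) {
        bool ok = r->pages[i] && r->pages[i]->live;
        referenced += ok;
        o->stale += r->dma_running && !ok;
    }
    o->leaked = live_pages - referenced;
}

/* Pre-fix ordering: free the old pages, then allocate.  On failure the restore
 * path re-arms DMA over freed pages and forgets the partial new set. */
int reload_vulnerable(struct rx_ring *r)
{
    struct page *fresh[RING_SIZE];
    r->dma_running = false;
    free_all(r->pages);                              /* too early */
    if (alloc_all(fresh) < 0) {
        r->dma_running = true;                       /* restore over freed pages: UAF */
        return -1;                                   /* fresh[] never released: leak */
    }
    memcpy(r->pages, fresh, sizeof(fresh));
    r->dma_running = true;
    return 0;
}

/* Fixed ordering, the shape of the upstream fix: keep the old pages until the
 * new set is complete, destroy a partial new set, free the old set last. */
int reload_fixed(struct rx_ring *r)
{
    struct page *old[RING_SIZE], *fresh[RING_SIZE];
    r->dma_running = false;
    memcpy(old, r->pages, sizeof(old));              /* saved, still live */
    if (alloc_all(fresh) < 0) {
        free_all(fresh);                             /* no leak */
        r->dma_running = true;                       /* restore over live pages: safe */
        return -1;
    }
    memcpy(r->pages, fresh, sizeof(fresh));
    free_all(old);                                   /* released only after success */
    r->dma_running = true;
    return 0;
}

/* One reload against a freshly filled ring, with @budget new pages available. */
struct outcome run_reload(int (*reload)(struct rx_ring *), int budget)
{
    struct rx_ring ring = { .dma_running = true };
    struct outcome o;
    alloc_budget = RING_SIZE; live_pages = 0;
    if (alloc_all(ring.pages) < 0) exit(1);
    alloc_budget = budget;
    o.rc = reload(&ring);
    audit(&ring, &o);
    return o;
}

int main(void)
{
    struct outcome v = run_reload(reload_vulnerable, 2), f = run_reload(reload_fixed, 2);
    printf("vulnerable: rc=%d stale DMA targets=%d leaked pages=%d\n", v.rc, v.stale, v.leaked);
    printf("fixed:      rc=%d stale DMA targets=%d leaked pages=%d\n", f.rc, f.stale, f.leaked);
}
```

A budget of 2 reproduces the failed reload: the pre-fix ordering leaves every armed descriptor pointing at a freed page (4 stale targets) and two orphaned pages (the leak), while the fixed ordering restores over four still-live pages and leaks nothing. The fix is an ordering discipline rather than a new check: nothing the hardware can still write to is released until its replacement exists.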
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25537
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: net: lan966x: fix use-after-free and leak in lan966x_fdma_reload() When lan966x_fdma_reload() fails to allocate new RX buffers, the restore path restarts DMA using old descriptors whose pages were already freed via lan966x_fdma_rx_free_pages(). Since page_pool_put_full_page() can release pages back to the buddy allocator, the hardware may DMA into memory now owned by other kernel subsystems. Additionally, on the restore path, the newly created page pool (if allocation partially succeeded) is overwritten without being destroyed, leaking it. Fix both issues by deferring the release of old pages until after the new allocation succeeds. Save the old page array before the allocation so old pages can be freed on the success path. On the failure path, the old descriptors, pages and page pool are all still valid, making the restore safe. Also ensure the restore path re-enables NAPI and wakes the netdev, matching the success path.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The bug is a local kernel use-after-free in the lan966x driver: a low-privileged attacker who reaches the failing reload path gets either kernel memory corruption (the DMA engine writing into freed, possibly reused pages) or denial of service (the leaked page pool), which is the classic substrate for exploitation for privilege escalation.
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): directly mitigates the use-after-free and the leak by applying the upstream Linux kernel patches listed above, which defer the release of the old pages until the new allocation has succeeded.
RA-5 (Vulnerability Monitoring and Scanning): vulnerability scanning identifies systems running a kernel with the affected lan966x driver, so they can be patched promptly.
Kernel memory-protection mechanisms are a weaker backstop here than they first appear: KASLR does nothing against a DMA engine that has already been handed the address of a freed page, and only hardware-enforced DMA isolation (an IOMMU between the FDMA engine and memory, where the platform provides one) can stop the stale write from landing in memory now owned by another subsystem.