Cyber Posture

CVE-2026-31649

Critical

Published: 24 April 2026
Modified: 27 April 2026
KEV Added: not listed
Patch: available (stable backports)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0007 (21.3rd percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-31649 is a critical-severity Integer Overflow or Wraparound (CWE-190) vulnerability in the Linux kernel, in the stmmac Ethernet driver. Its CVSS 3.1 base score is 9.8 (Critical).

Operationally, exploitation is mapped to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 21.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations this analysis identifies are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SC-51 (Hardware-based Protection). Note that SC-51 only applies where the SoC actually has an IOMMU; the NVD description says the typical stmmac deployment is IOMMU-less, so for those systems patching is the only effective mitigation.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent (patching): Directly remediates the integer underflow in the stmmac chain-mode jumbo_frm() by applying the kernel patches that clamp the first descriptor length to buf_len = min(nopaged_len, bmax), so that len = nopaged_len - buf_len can no longer wrap and the descriptor loop is skipped when the linear portion fits in one descriptor.

prevent (SC-51 Hardware-based Protection): A hardware IOMMU restricts the DMA engine to memory that was explicitly mapped for it, so the bogus dma_map_single() calls cannot expose or corrupt arbitrary kernel memory. Caveat: this only helps on SoCs that have an IOMMU. The NVD description notes that the typical stmmac deployment is IOMMU-less, where this control is unavailable and the driver fix is the only mitigation.

detect (RA-5 Vulnerability Monitoring and Scanning): Vulnerability scanners that identify CVE-2026-31649 in installed kernels enable timely prioritization and application of the stable backported fixes.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The mapping treats the bug as remote, unauthenticated exploitation of a kernel network driver on an Internet-facing host, which matches abuse of a public-facing network component for initial access, memory disclosure and memory corruption. One qualification: the vulnerable code runs on the transmit path (jumbo_frm() is called from stmmac_xmit()), so the skb layout that triggers the wraparound is built by the local network stack rather than parsed directly out of an incoming frame, and a remote peer's influence over it is indirect.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In the Linux kernel, the following vulnerability has been resolved:

net: stmmac: fix integer underflow in chain mode

The jumbo_frm() chain-mode implementation unconditionally computes

    len = nopaged_len - bmax;

where nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is BUF_SIZE_8KiB or BUF_SIZE_2KiB. However, the caller stmmac_xmit() decides to invoke jumbo_frm() based on skb->len (total length including page fragments):

    is_jumbo = stmmac_is_jumbo_frm(priv, skb->len, enh_desc);

When a packet has a small linear portion (nopaged_len <= bmax) but a large total length due to page fragments (skb->len > bmax), the subtraction wraps as an unsigned integer, producing a huge len value (~0xFFFFxxxx). This causes the while (len != 0) loop to execute hundreds of thousands of iterations, passing skb->data + bmax * i pointers far beyond the skb buffer to dma_map_single(). On IOMMU-less SoCs (the typical deployment for stmmac), this maps arbitrary kernel memory to the DMA engine, constituting a kernel memory disclosure and potential memory corruption from hardware.

Fix this by introducing a buf_len local variable clamped to min(nopaged_len, bmax). Computing len = nopaged_len - buf_len is then always safe: it is zero when the linear portion fits within a single descriptor, causing the while (len != 0) loop to be skipped naturally, and the fragment loop in stmmac_xmit() handles page fragments afterward.

Deeper analysis [AI-generated]

CVE-2026-31649 is an unsigned integer underflow in the Linux kernel's stmmac Ethernet driver, in the chain-mode jumbo_frm() function. jumbo_frm() unconditionally computes len = nopaged_len - bmax, where nopaged_len is the skb's linear (head) length and bmax is the per-descriptor buffer size (BUF_SIZE_8KiB with enhanced descriptors, BUF_SIZE_2KiB otherwise). Its caller, stmmac_xmit(), decides whether to use jumbo_frm() based on skb->len, the total length including page fragments. An skb whose linear portion is at most bmax but whose total length exceeds bmax therefore reaches jumbo_frm() with nopaged_len < bmax; the subtraction wraps to a value near 0xFFFFxxxx and the while (len != 0) loop runs hundreds of thousands of times.

Each of those iterations passes skb->data + bmax * i to dma_map_single(), far beyond the skb's linear buffer. On IOMMU-less SoCs, the typical stmmac deployment, the DMA engine is handed those arbitrary kernel addresses, which is a kernel memory disclosure and a potential memory corruption driven from hardware (CWE-190). NVD scores the issue CVSS 3.1 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), i.e. as reachable by an unauthenticated network attacker with low complexity. Two points matter for prioritisation: the vulnerable code is on the transmit path, so the triggering skb layout (small linear head, large page-fragment payload) is built by the local network stack and is only indirectly influenced by a remote peer; and the impact depends on the DMA engine actually reading or writing the mis-mapped addresses. The very low EPSS score (0.0007) is consistent with a bug that is severe in impact but not straightforward to weaponise.

The fix, as described in the NVD text, introduces a buf_len local clamped to min(nopaged_len, bmax) and computes len = nopaged_len - buf_len, which can no longer wrap: it is zero when the linear portion fits within a single descriptor, the loop is skipped, and the fragment loop in stmmac_xmit() handles the page fragments as before. The fix has been backported to the stable series; apply the corresponding stable updates on every affected kernel (see Affected Products below).
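To make the arithmetic concrete, the following added example (not the kernel's code, and not from this page) models the chain-mode jumbo_frm() loop in user space as the NVD text describes it: a constructed skb with a small linear head and a large fragmented total, the vulnerable len = nopaged_len - bmax beside the fixed buf_len = min(nopaged_len, bmax), and a stand-in for dma_map_single() that records each offset and length instead of mapping memory. The struct fake_skb, struct map_result, fake_dma_map() and run_case() are assumptions of the example; the BUF_SIZE_8KiB/BUF_SIZE_2KiB values and the loop shape follow the driver as described in the NVD description above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Per-descriptor buffer sizes used by the stmmac driver: enhanced descriptors
 * get 8 KiB, normal descriptors 2 KiB. */
#define BUF_SIZE_8KiB 8192U
#define BUF_SIZE_2KiB 2048U

/* Model of the two skb fields the driver consults (constructed for this example). */
struct fake_skb {
	unsigned int len;      /* skb->len: linear bytes plus page-fragment bytes */
	unsigned int headlen;  /* skb_headlen(skb): linear bytes only */
};

/* What the simulated jumbo_frm() would have handed to dma_map_single(). */
struct map_result {
	unsigned int initial_len;    /* len as computed before the while loop */
	unsigned long map_calls;     /* dma_map_single() calls, first descriptor included */
	unsigned long out_of_bounds; /* calls whose [offset, offset + size) leaves the linear area */
	uint64_t max_end_offset;     /* largest offset past skb->data given to the DMA engine */
};

/* stmmac_is_jumbo_frm(): the decision is made on skb->len, not on the linear length. */
static bool is_jumbo_frm(unsigned int skb_len, bool enh_desc)
{
	return skb_len > (enh_desc ? BUF_SIZE_8KiB : BUF_SIZE_2KiB);
}

/* Records a would-be dma_map_single(skb->data + off, size) instead of mapping anything. */
static void fake_dma_map(struct map_result *r, unsigned int off, unsigned int size,
			 unsigned int linear_len)
{
	uint64_t end = (uint64_t)off + size;

	r->map_calls++;
	if (end > linear_len)
		r->out_of_bounds++;
	if (end > r->max_end_offset)
		r->max_end_offset = end;
}

/*
 * Simulation of the chain-mode jumbo_frm() descriptor loop. With fixed == false it
 * follows the vulnerable arithmetic (len = nopaged_len - bmax); with fixed == true it
 * applies the upstream change (buf_len = min(nopaged_len, bmax)). All arithmetic is
 * unsigned int, as in the driver, so the wraparound shown here is the real one.
 */
static struct map_result simulate_jumbo_frm(const struct fake_skb *skb, bool enh_desc,
					    bool fixed)
{
	unsigned int nopaged_len = skb->headlen;
	unsigned int bmax = enh_desc ? BUF_SIZE_8KiB : BUF_SIZE_2KiB;
	unsigned int buf_len = fixed ? (nopaged_len < bmax ? nopaged_len : bmax) : bmax;
	unsigned int len = nopaged_len - buf_len; /* wraps when buf_len > nopaged_len */
	unsigned int i = 1;
	struct map_result r = { 0 };

	r.initial_len = len;

	/* First descriptor: skb->data for buf_len bytes (the vulnerable code passes bmax). */
	fake_dma_map(&r, 0, buf_len, nopaged_len);

	while (len != 0) {
		/* skb->data + bmax * i in the driver; bmax * i is unsigned int arithmetic. */
		unsigned int off = bmax * i;

		if (len > bmax) {
			fake_dma_map(&r, off, bmax, nopaged_len);
			len -= bmax;
			i++;
		} else {
			fake_dma_map(&r, off, len, nopaged_len);
			len = 0;
		}
	}
	return r;
}

/* Convenience wrapper: build the constructed skb and run one scenario. */
static struct map_result run_case(unsigned int len, unsigned int headlen, bool enh_desc,
				  bool fixed)
{
	struct fake_skb skb = { .len = len, .headlen = headlen };

	return simulate_jumbo_frm(&skb, enh_desc, fixed);
}

static void report(const char *label, unsigned int len, unsigned int headlen, bool fixed)
{
	struct map_result r = run_case(len, headlen, true, fixed);

	printf("%-10s len=%u headlen=%u jumbo=%d initial_len=0x%08x maps=%lu oob=%lu max_end=%llu\n",
	       label, len, headlen, is_jumbo_frm(len, true), r.initial_len, r.map_calls,
	       r.out_of_bounds, (unsigned long long)r.max_end_offset);
}

int main(void)
{
	/* Constructed skb: 1000 linear bytes plus 19000 bytes in page fragments. */
	report("vulnerable", 20000, 1000, false);
	report("fixed", 20000, 1000, true);
	/* Constructed skb whose whole payload is linear: the case jumbo_frm() was written for. */
	report("vulnerable", 20000, 20000, false);
	report("fixed", 20000, 20000, true);
	return 0;
}
```

With enhanced descriptors (bmax = 8192) and a 1000-byte linear head, the vulnerable computation yields len = 4294960104 (0xFFFFE3E8) and 524,289 descriptor mappings, all but one of them outside the linear buffer; the fixed computation yields len = 0 and a single in-bounds mapping. The fully linear skb takes the same three mappings before and after the fix, which is why the change is safe for the traffic jumbo_frm() was designed for.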

Details

CWE(s): CWE-190 Integer Overflow or Wraparound

Affected Products

Vendor: linux
Product: linux kernel
Versions: 3.2; 7.0; 3.2.1 through 5.10.253; 5.11 through 5.15.203; 5.16 through 6.1.169

CVEs Like This One (same product: Linux kernel)

CVE-2026-31633
CVE-2026-43055
CVE-2026-22984
CVE-2026-43037
CVE-2026-31648
CVE-2026-23427
CVE-2026-31668
CVE-2026-31718
CVE-2026-31612
CVE-2026-31478

References