CVE-2026-31649

EPSS 0.07%
Veröffentlicht 24.04.2026 14:45:02
Zuletzt bearbeitet 27.04.2026 20:13:49
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

net: stmmac: fix integer underflow in chain mode

In the Linux kernel, the following vulnerability has been resolved:

net: stmmac: fix integer underflow in chain mode

The jumbo_frm() chain-mode implementation unconditionally computes

    len = nopaged_len - bmax;

where nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is
BUF_SIZE_8KiB or BUF_SIZE_2KiB.  However, the caller stmmac_xmit()
decides to invoke jumbo_frm() based on skb->len (total length including
page fragments):

    is_jumbo = stmmac_is_jumbo_frm(priv, skb->len, enh_desc);

When a packet has a small linear portion (nopaged_len <= bmax) but a
large total length due to page fragments (skb->len > bmax), the
subtraction wraps as an unsigned integer, producing a huge len value
(~0xFFFFxxxx).  This causes the while (len != 0) loop to execute
hundreds of thousands of iterations, passing skb->data + bmax * i
pointers far beyond the skb buffer to dma_map_single().  On IOMMU-less
SoCs (the typical deployment for stmmac), this maps arbitrary kernel
memory to the DMA engine, constituting a kernel memory disclosure and
potential memory corruption from hardware.

Fix this by introducing a buf_len local variable clamped to
min(nopaged_len, bmax).  Computing len = nopaged_len - buf_len is then
always safe: it is zero when the linear portion fits within a single
descriptor, causing the while (len != 0) loop to be skipped naturally,
and the fragment loop in stmmac_xmit() handles page fragments afterward.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 11

NVD 15 VulnDex Vulnerability Enrichment 13

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linux ≫ Linux Kernel Version >= 3.2.1 < 5.10.253

Linux ≫ Linux Kernel Version >= 5.11 < 5.15.203

Linux ≫ Linux Kernel Version >= 5.16 < 6.1.169

Linux ≫ Linux Kernel Version >= 6.2 < 6.6.135

Linux ≫ Linux Kernel Version >= 6.7 < 6.12.82

Linux ≫ Linux Kernel Version >= 6.13 < 6.18.23

Linux ≫ Linux Kernel Version >= 6.19 < 6.19.13

Linux ≫ Linux Kernel Version3.2 Update-

Linux ≫ Linux Kernel Version7.0 Updaterc1

Linux ≫ Linux Kernel Version7.0 Updaterc2

Linux ≫ Linux Kernel Version7.0 Updaterc3

Linux ≫ Linux Kernel Version7.0 Updaterc4

Linux ≫ Linux Kernel Version7.0 Updaterc5

Linux ≫ Linux Kernel Version7.0 Updaterc6

Linux ≫ Linux Kernel Version7.0 Updaterc7

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.07%	0.212

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
416baaa9-dc9f-4396-8d5f-8c081fb06d67	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-190 Integer Overflow or Wraparound

The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

https://git.kernel.org/stable/c/513e06735f5be575b409d195822195348b164e48

Patch

https://git.kernel.org/stable/c/275bdf762e82082f064e60a92448fa2ac43cf95b

Patch

https://git.kernel.org/stable/c/a2b68a9a476b9544ff31f1fbcd5d80867a8a5e2f

Patch

https://git.kernel.org/stable/c/b7b8012193fd98236d7ae05d4b553f010a77b2ef

Patch

https://git.kernel.org/stable/c/2c91b39912278d0878f9ba60ba04d2518b18a08d

Patch

https://git.kernel.org/stable/c/6fca757c20396dc2e604dcc61922264e9e3dc803

Patch