Description
In the Linux kernel, the following vulnerability has been resolved:

bnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler

The ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER handler in
bnxt_async_event_process() uses a firmware-supplied 'type' field
directly as an index into bp->bs_trace[] without bounds validation.

The 'type' field is a 16-bit value extracted from DMA-mapped completion
ring memory that the NIC writes directly to host RAM. A malicious or
compromised NIC can supply any value from 0 to 65535, causing an
out-of-bounds access into kernel heap memory.

The bnxt_bs_trace_check_wrap() call then dereferences bs_trace->magic_byte
and writes to bs_trace->last_offset and bs_trace->wrapped, leading to
kernel memory corruption or a crash.

Fix by adding a bounds check and defining BNXT_TRACE_MAX as
DBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE + 1 to cover all currently
defined firmware trace types (0x0 through 0xc).
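The bug and the fix described above, modelled in userspace C as an added example (not the kernel driver's code). The struct layouts, `MODEL_MAGIC`, the `*_model` names and both handler functions are assumptions for illustration; only `BNXT_TRACE_MAX`, the field names and the 0x0 to 0xc range come from the description.

```c
#include <stdint.h>
#include <stdio.h>

/* From the description: firmware trace types 0x0 through 0xc are defined. */
#define DBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE 0xc
#define BNXT_TRACE_MAX (DBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE + 1)
#define MODEL_MAGIC 0xbc /* assumed marker value, for this model only */
struct bs_trace_model {      /* simplified stand-in for a bp->bs_trace[] entry */
    const uint8_t *magic_byte;
    uint32_t last_offset;
    uint8_t wrapped;
};
struct bp_model {
    struct bs_trace_model bs_trace[BNXT_TRACE_MAX];
    uint64_t neighbour;      /* stands in for whatever follows the array */
};

/* Simplified wrap bookkeeping: reads magic_byte, writes last_offset/wrapped. */
static void trace_check_wrap(struct bs_trace_model *t, uint32_t offset)
{
    if (t->magic_byte && *t->magic_byte != MODEL_MAGIC)
        t->wrapped = 1;
    t->last_offset = offset;
}

/* Before the fix: the device-controlled 'type' indexes the array directly. */
void handle_dbg_buf_unchecked(struct bp_model *bp, uint16_t type, uint32_t offset)
{
    trace_check_wrap(&bp->bs_trace[type], offset); /* out of bounds if type > 0xc */
}

/* After the fix: drop the event (-1) unless type is a defined trace type. */
int handle_dbg_buf_checked(struct bp_model *bp, uint16_t type, uint32_t offset)
{
    if (type >= BNXT_TRACE_MAX)
        return -1;
    trace_check_wrap(&bp->bs_trace[type], offset);
    return 0;
}

/* Feed all 65536 possible 'type' values through the checked handler. */
int main(void)
{
    struct bp_model bp = {0};
    int accepted = 0;
    for (uint32_t t = 0; t <= 0xffff; t++)
        accepted += handle_dbg_buf_checked(&bp, (uint16_t)t, 0x100) == 0;
    printf("accepted %d of 65536 type values\n", accepted);
    return 0;
}
```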
Published: 2026-04-03
Score: 7.0 High
EPSS: n/a
KEV: No
Impact: Kernel memory corruption
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is an out-of-bounds access in the bnxt_en driver's async event handler. A firmware-supplied 16-bit type value is used as an index into a kernel heap array without bounds checking. An attacker controlling the NIC can supply any value from 0 to 65535, which leads to a read/write outside the valid array bounds and corrupts kernel memory or causes a crash. This can allow the adversary to gain arbitrary kernel-level code execution or cause a denial of service.

Affected Systems

The flaw is present in the Linux kernel, affecting all Linux distributions that include the vulnerable bnxt_en driver in the kernel. No specific kernel version is listed as affected in the bulletin, so any installation of the kernel that has not applied this patch is potentially vulnerable.

Risk and Exploitability

The CVSS score is not provided, but out-of-bounds memory corruption in the kernel is typically considered a severe vulnerability. Exploitation requires an attacker to control the NIC's firmware or send crafted packets that cause the firmware to write a malicious type value. If successful, the flaw can lead to a kernel crash or arbitrary code execution. The issue is not listed in the CISA KEV catalog, and the EPSS score is unavailable, so the exact exploitation probability is unclear, but the high potential impact warrants immediate remediation.

Generated by OpenCVE AI on April 3, 2026 at 18:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that includes the bnxt_en bounds check patch
  • If an update is not immediately possible, ensure that the NIC firmware is trusted and not from an unverified source
  • Avoid using the affected NIC hardware if replacement is not viable until the patch is deployed

Generated by OpenCVE AI on April 3, 2026 at 18:37 UTC.

Advisories

No advisories yet.

History

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
CWE-787

Fri, 03 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: bnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler The ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER handler in bnxt_async_event_process() uses a firmware-supplied 'type' field directly as an index into bp->bs_trace[] without bounds validation. The 'type' field is a 16-bit value extracted from DMA-mapped completion ring memory that the NIC writes directly to host RAM. A malicious or compromised NIC can supply any value from 0 to 65535, causing an out-of-bounds access into kernel heap memory. The bnxt_bs_trace_check_wrap() call then dereferences bs_trace->magic_byte and writes to bs_trace->last_offset and bs_trace->wrapped, leading to kernel memory corruption or a crash. Fix by adding a bounds check and defining BNXT_TRACE_MAX as DBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE + 1 to cover all currently defined firmware trace types (0x0 through 0xc).
Title bnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-03T15:15:59.590Z

Reserved: 2026-03-09T15:48:24.085Z

Link: CVE-2026-31395

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-03T16:16:37.743

Modified: 2026-04-03T16:16:37.743

Link: CVE-2026-31395

Redhat

Severity : Important

Public Date: 2026-04-03T00:00:00Z

Links: CVE-2026-31395 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T21:15:31Z

Weaknesses