Description
In the Linux kernel, the following vulnerability has been resolved:

bnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler

The ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER handler in
bnxt_async_event_process() uses a firmware-supplied 'type' field
directly as an index into bp->bs_trace[] without bounds validation.

The 'type' field is a 16-bit value extracted from DMA-mapped completion
ring memory that the NIC writes directly to host RAM. A malicious or
compromised NIC can supply any value from 0 to 65535, causing an
out-of-bounds access into kernel heap memory.

The bnxt_bs_trace_check_wrap() call then dereferences bs_trace->magic_byte
and writes to bs_trace->last_offset and bs_trace->wrapped, leading to
kernel memory corruption or a crash.

Fix by adding a bounds check and defining BNXT_TRACE_MAX as
DBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE + 1 to cover all currently
defined firmware trace types (0x0 through 0xc).
Published: 2026-04-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The bnxt_en network driver processes asynchronous event completions generated by a Network Interface Card’s firmware. Within the async event completion handler for DBG_BUF_PRODUCER, a 16‑bit "type" field supplied by the firmware is used directly as an index into the kernel array bp->bs_trace[] without any bounds checking. The field can contain any value from 0 to 65535, so an attacker can cause the kernel to write beyond the array boundary, leading to kernel heap corruption or a system crash. The vulnerability does not provide a documented path to arbitrary code execution; it results only in memory corruption or a denial‑of‑service event.
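A minimal model of the flaw and the bounds check described above, as an added example; it is not the driver's code. The `model_*` names, the struct layout, and `MODEL_MAGIC` are assumptions for illustration; only `BNXT_TRACE_MAX`, `DBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE`, and the field names come from the description.

```c
#include <stdint.h>

/* From the description: trace types run 0x0..0xc, so the bound is last + 1. */
#define DBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE 0xc
#define BNXT_TRACE_MAX (DBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE + 1)
#define MODEL_MAGIC 0xbc /* constructed value for this model */

struct model_bs_trace { /* simplified stand-in, not the driver's struct */
    uint8_t *magic_byte;
    uint32_t last_offset;
    uint8_t wrapped;
};
struct model_bp { struct model_bs_trace bs_trace[BNXT_TRACE_MAX]; };

/* Touches the fields the description names: reads magic_byte, writes the rest. */
static void model_check_wrap(struct model_bs_trace *t, uint32_t offset)
{
    if (!t->wrapped && *t->magic_byte != MODEL_MAGIC)
        t->wrapped = 1;
    t->last_offset = offset;
}

/* Pre-fix shape: 'type' is read from device-written memory and indexes the
 * array unchecked, so any type >= BNXT_TRACE_MAX lands outside bs_trace[]. */
void model_handle_unchecked(struct model_bp *bp, uint16_t type, uint32_t offset)
{
    model_check_wrap(&bp->bs_trace[type], offset);
}

/* Post-fix shape: validate the device-supplied index before forming the
 * pointer. Returns 0 if the event was processed, -1 if it was dropped. */
int model_handle_checked(struct model_bp *bp, uint16_t type, uint32_t offset)
{
    if (type >= BNXT_TRACE_MAX)
        return -1;
    model_check_wrap(&bp->bs_trace[type], offset);
    return 0;
}

/* Runs the checked handler on a fresh model device; reports last_offset. */
int model_deliver(uint16_t type, uint32_t offset, uint32_t *seen)
{
    static uint8_t magic = MODEL_MAGIC;
    struct model_bp bp = {0};
    for (int i = 0; i < BNXT_TRACE_MAX; i++)
        bp.bs_trace[i].magic_byte = &magic;
    int rc = model_handle_checked(&bp, type, offset);
    *seen = rc == 0 ? bp.bs_trace[type].last_offset : 0;
    return rc;
}
```

The last defined type (0xc) is accepted, while 0xd and 0xffff are dropped before any slot is touched.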

Affected Systems

The issue stems from the bnxt_en driver shipped in the Linux kernel. Any kernel version that included the vulnerable driver before the bounds‑check fix is affected. The specific kernel releases are not enumerated in the CVE data; however, all versions of the Linux kernel that ship the unpatched bnxt_en driver are at risk.

Risk and Exploitability

The CVSS score of 7.1 signals high severity while the EPSS score is below 1%, suggesting a low current exploitation probability. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. Based on the description, it is inferred that the attack requires a NIC capable of writing arbitrary DMA completion data to host memory—i.e., a malicious or compromised firmware. An attacker would supply an out‑of‑range "type" value to trigger the kernel memory corruption or crash. A direct route to arbitrary code execution is not documented in the CVE data.

Generated by OpenCVE AI on May 20, 2026 at 17:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the bnxt_en driver patch.
  • If a kernel upgrade cannot be performed immediately, temporarily disable the bnxt_en driver or configure the NIC to cease sending debug buffer events.
  • After disabling or updating, reboot the system or reinitialize the driver to enforce the mitigation.

Generated by OpenCVE AI on May 20, 2026 at 17:31 UTC.


Advisories

No advisories yet.

History

Wed, 20 May 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}


Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Fri, 03 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
CWE-787

Fri, 03 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: bnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler The ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER handler in bnxt_async_event_process() uses a firmware-supplied 'type' field directly as an index into bp->bs_trace[] without bounds validation. The 'type' field is a 16-bit value extracted from DMA-mapped completion ring memory that the NIC writes directly to host RAM. A malicious or compromised NIC can supply any value from 0 to 65535, causing an out-of-bounds access into kernel heap memory. The bnxt_bs_trace_check_wrap() call then dereferences bs_trace->magic_byte and writes to bs_trace->last_offset and bs_trace->wrapped, leading to kernel memory corruption or a crash. Fix by adding a bounds check and defining BNXT_TRACE_MAX as DBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE + 1 to cover all currently defined firmware trace types (0x0 through 0xc).
Title bnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:07:52.201Z

Reserved: 2026-03-09T15:48:24.085Z

Link: CVE-2026-31395

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-04-03T16:16:37.743

Modified: 2026-05-20T15:07:07.773

Link: CVE-2026-31395

Redhat

Severity: Important

Public Date: 2026-04-03T00:00:00Z

Links: CVE-2026-31395 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-20T17:45:36Z

Weaknesses