Description
In the Linux kernel, the following vulnerability has been resolved:

net: ti: icssg-prueth: fix use-after-free of CPPI descriptor in RX path

cppi5_hdesc_get_psdata() returns a pointer into the CPPI descriptor.
In both emac_rx_packet() and emac_rx_packet_zc(), the descriptor is
freed via k3_cppi_desc_pool_free() before the psdata pointer is used
by emac_rx_timestamp(), which dereferences psdata[0] and psdata[1].
This constitutes a use-after-free on every received packet that goes
through the timestamp path.

Defer the descriptor free until after all accesses through the psdata
pointer are complete. For emac_rx_packet(), move the free into the
requeue label so both early-exit and success paths free the descriptor
after all accesses are done. For emac_rx_packet_zc(), move the free to
the end of the loop body after emac_dispatch_skb_zc() (which calls
emac_rx_timestamp()) has returned.
Published: 2026-04-22
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption
Action: Apply Patch
AI Analysis

Impact

This vulnerability is a use-after-free in the Linux kernel TI ICSSG PRU Ethernet driver. cppi5_hdesc_get_psdata() returns a pointer into the CPPI descriptor, and the RX path frees that descriptor before the timestamp handling code dereferences the pointer, so the driver performs a use-after-free on every received packet that goes through the timestamp path. The resulting memory corruption can cause a kernel crash, but the CVE description does not mention any capability for arbitrary code execution.
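
The free-before-use ordering and its fix, as an added userspace model (not the driver's code and not part of the CVE record). The names struct desc, pool_alloc, pool_free, get_psdata and rx_timestamp are hypothetical stand-ins, and freeing poisons the slot so the stale read shows up deterministically.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a CPPI host descriptor with inline psdata words. */
struct desc { uint32_t hdr; uint32_t psdata[4]; };
static struct desc slot;            /* one-entry "descriptor pool" */

static struct desc *pool_alloc(uint32_t lo, uint32_t hi) {
    slot.hdr = 1;
    slot.psdata[0] = lo;            /* timestamp words written by "hardware" */
    slot.psdata[1] = hi;
    return &slot;
}

/* Freeing poisons the slot (0x6b) so a stale read is visible in the result. */
static void pool_free(struct desc *d) { memset(d, 0x6b, sizeof(*d)); }

/* Models cppi5_hdesc_get_psdata(): a pointer INTO the descriptor, not a copy. */
static uint32_t *get_psdata(struct desc *d) { return d->psdata; }

/* Models emac_rx_timestamp() reading psdata[0] and psdata[1]; how the two
 * words are combined is an assumption of this model. */
static uint64_t rx_timestamp(const uint32_t *psdata) {
    return ((uint64_t)psdata[1] << 32) | psdata[0];
}

/* Pre-fix ordering: descriptor freed while psdata still points into it. */
uint64_t rx_packet_buggy(uint32_t lo, uint32_t hi) {
    struct desc *d = pool_alloc(lo, hi);
    uint32_t *psdata = get_psdata(d);
    pool_free(d);
    return rx_timestamp(psdata);    /* stale read: poison, not the timestamp */
}

/* Fixed ordering: the free is deferred until every psdata access is done. */
uint64_t rx_packet_fixed(uint32_t lo, uint32_t hi) {
    struct desc *d = pool_alloc(lo, hi);
    uint64_t ts = rx_timestamp(get_psdata(d));
    pool_free(d);
    return ts;
}

int main(void) {
    printf("buggy: %#llx\n", (unsigned long long)rx_packet_buggy(0x1111, 0x2222));
    printf("fixed: %#llx\n", (unsigned long long)rx_packet_fixed(0x1111, 0x2222));
    return 0;
}
```

In the kernel the freed descriptor returns to the pool and can be reused for another packet, so the stale read yields whatever was written there next rather than a fixed poison pattern.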

Affected Systems

The flaw is present in the Linux kernel’s TI ICSSG PRU Ethernet driver (net:ti:icssg-prueth). All distributions that ship a kernel compiled with this driver enabled are affected. The CPE data indicates that the issue exists in all kernel versions before the fix, so administrators should upgrade to the latest stable kernel release that incorporates the patch.

Risk and Exploitability

The CVSS score of 9.8 classifies this flaw as critical, while the EPSS score of less than 1% suggests a very low probability of exploitation at this time. The flaw is not listed in the CISA KEV catalog. It can be triggered by any packet processed by the driver when timestamping is performed, so a threat actor could potentially send crafted network traffic to reproduce the use‑after‑free and destabilize the system. The documented impact is memory corruption and possible system crash; no evidence of privilege escalation or code execution is provided.

Generated by OpenCVE AI on April 29, 2026 at 00:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the patch for the TI ICSSG PRU Ethernet driver.
  • Reboot the system so the upgraded kernel and driver are loaded.
  • If the TI ICSSG PRU Ethernet driver is not required for your environment, consider disabling or removing it until a patch is available.
  • As a temporary measure, disable packet timestamping on the affected interface to avoid the use‑after‑free path.



Advisories

No advisories yet.

History

Tue, 28 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:linux:linux_kernel:6.15:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Mon, 27 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Mon, 27 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 23 Apr 2026 00:15:00 +0000


Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Title net: ti: icssg-prueth: fix use-after-free of CPPI descriptor in RX path
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:09:57.815Z

Reserved: 2026-03-09T15:48:24.104Z

Link: CVE-2026-31501

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-04-22T14:16:48.597

Modified: 2026-04-28T13:50:58.170

Link: CVE-2026-31501

Redhat

Severity:

Public Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31501 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-29T00:15:43Z

Weaknesses