Description
In the Linux kernel, the following vulnerability has been resolved:

net: lan966x: fix use-after-free and leak in lan966x_fdma_reload()

When lan966x_fdma_reload() fails to allocate new RX buffers, the restore
path restarts DMA using old descriptors whose pages were already freed
via lan966x_fdma_rx_free_pages(). Since page_pool_put_full_page() can
release pages back to the buddy allocator, the hardware may DMA into
memory now owned by other kernel subsystems.

Additionally, on the restore path, the newly created page pool (if
allocation partially succeeded) is overwritten without being destroyed,
leaking it.

Fix both issues by deferring the release of old pages until after the
new allocation succeeds. Save the old page array before the allocation
so old pages can be freed on the success path. On the failure path, the
old descriptors, pages and page pool are all still valid, making the
restore safe. Also ensure the restore path re-enables NAPI and wakes
the netdev, matching the success path.
Published: 2026-04-24
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Use-After-Free memory corruption allowing DMA into memory owned by other subsystems, potentially enabling arbitrary code execution or privilege escalation
Action: Immediate Patch
AI Analysis

Impact

The lan966x network driver contains a use-after-free and a memory leak, triggered when lan966x_fdma_reload() fails to allocate new receive buffers. The driver attempts to restart DMA with descriptors whose pages have already been freed, exposing the system to DMA writes into memory it no longer controls. This flaw is a form of memory corruption (CWE-416) that can overwrite kernel data structures, and the leaked page pool can further expose kernel memory for manipulation.

Affected Systems

All Linux kernel releases that ship the lan966x driver, including kernel 6.12 and the 7.0 release candidates up to rc7. Any system using a network interface based on the lan966x hardware is at risk.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.8, indicating high severity. The EPSS score is below 1%, suggesting a very low probability of exploitation in the wild. The bug is not listed in the CISA KEV catalog, and exploitation would likely require an attacker with local privileged or kernel access to trigger the DMA reload and map the freed pages into the target's address space. Overall, the attack surface is narrow, but the impact is severe should the flaw be leveraged.

Generated by OpenCVE AI on April 28, 2026 at 13:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that defers release of old pages until the new allocation succeeds and restores safe DMA behavior, such as updating to Linux kernel 6.12.1 or newer 7.0 releases that contain the fix.
  • If an immediate kernel upgrade is not possible, remove or disable the lan966x driver or disable the network interface that uses the FDMA reload path to prevent the flaw from being triggered.
  • Ensure that any custom builds or modules for lan966x incorporate the same logic changes (saving the old page array before allocation and freeing it only on successful re-initialization) to eliminate the use-after-free and memory leak.
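The ordering that the description above and the recommended actions both describe (save the old page array, allocate the new pool and pages, release the old pages only once allocation has succeeded, and on failure keep the old descriptors, pages and pool intact while destroying the partially built new pool) can be exercised in a small user-space model. The C program below is an added example, not lan966x driver code: toy_pool, toy_page, toy_rx, the alloc_budget failure injection and the ring_is_safe / leaked_pools checks are constructed stand-ins for the kernel's page_pool, DMA descriptor ring and the two defects the patch fixes. It runs the original ordering and the corrected ordering through the same partial-allocation failure; the NAPI re-enable and netdev wake-up mentioned in the description are outside what the model covers.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not driver code: a page pool that remembers which pages were
 * returned to it, and an RX ring whose descriptors point at pool pages. A freed
 * page is only flagged here, so a descriptor still pointing at one is detectable. */
enum { RX_RING_SIZE = 4, MAX_POOLS = 8 };
struct toy_page { bool freed; };
struct toy_pool { bool in_use, destroyed; struct toy_page pages[RX_RING_SIZE]; };
struct toy_rx { struct toy_pool *pool; struct toy_page *page[RX_RING_SIZE]; }; /* ring */
struct reload_result { int rc, ring_safe, leaked_pools; };

static struct toy_pool pools[MAX_POOLS];
static int alloc_budget;                   /* page allocations left before -ENOMEM */
static struct toy_pool *toy_pool_create(void)
{
    for (int i = 0; i < MAX_POOLS; i++)
        if (!pools[i].in_use) { pools[i].in_use = true; return &pools[i]; }
    return NULL;
}
static void toy_pool_destroy(struct toy_pool *p) { p->destroyed = true; }
/* One page per descriptor; -1 once the budget is gone, pages taken so far stay. */
static int rx_alloc_pages(struct toy_page *page[], struct toy_pool *pool)
{
    for (int i = 0; i < RX_RING_SIZE; i++) {
        if (alloc_budget-- <= 0) return -1;        /* partial allocation */
        page[i] = &pool->pages[i];
    }
    return 0;
}
static void rx_free_pages(struct toy_page *page[]) /* page_pool_put_full_page() stand-in */
{
    for (int i = 0; i < RX_RING_SIZE; i++)
        if (page[i]) page[i]->freed = true;
}
/* Original ordering: old pages are released before the new ones exist. */
static int reload_vulnerable(struct toy_rx *rx)
{
    struct toy_pool *old_pool = rx->pool;
    struct toy_page *old_page[RX_RING_SIZE];
    memcpy(old_page, rx->page, sizeof old_page);
    rx_free_pages(rx->page);                          /* too early */
    rx->pool = toy_pool_create();
    if (!rx->pool || rx_alloc_pages(rx->page, rx->pool) < 0) {
        memcpy(rx->page, old_page, sizeof old_page);  /* descriptors -> freed pages */
        rx->pool = old_pool;                          /* new pool overwritten: leaked */
        return -1;
    }
    toy_pool_destroy(old_pool);
    return 0;
}

/* Corrected ordering: allocate into private copies, commit only on success. */
static int reload_fixed(struct toy_rx *rx)
{
    struct toy_pool *old_pool = rx->pool, *new_pool = toy_pool_create();
    struct toy_page *old_page[RX_RING_SIZE], *new_page[RX_RING_SIZE] = { 0 };
    memcpy(old_page, rx->page, sizeof old_page);      /* saved before allocating */
    if (!new_pool) return -1;                         /* ring untouched */
    if (rx_alloc_pages(new_page, new_pool) < 0) {
        rx_free_pages(new_page);                      /* give back the partial set */
        toy_pool_destroy(new_pool);                   /* no leak */
        return -1;                                    /* old ring still valid */
    }
    memcpy(rx->page, new_page, sizeof new_page);
    rx->pool = new_pool;
    rx_free_pages(old_page);                          /* only now safe to release */
    toy_pool_destroy(old_pool);
    return 0;
}
/* 1 if every descriptor points at a live page of a live pool. */
static int ring_is_safe(const struct toy_rx *rx)
{
    if (!rx->pool || rx->pool->destroyed) return 0;
    for (int i = 0; i < RX_RING_SIZE; i++)
        if (!rx->page[i] || rx->page[i]->freed) return 0;
    return 1;
}
/* Pools created but neither destroyed nor attached to the ring. */
static int leaked_pools(const struct toy_rx *rx)
{
    int n = 0;
    for (int i = 0; i < MAX_POOLS; i++)
        if (pools[i].in_use && !pools[i].destroyed && &pools[i] != rx->pool) n++;
    return n;
}

/* Fill a ring, then reload with `extra_pages` allocations allowed (< RX_RING_SIZE fails part way). */
static struct reload_result simulate(int (*reload)(struct toy_rx *), int extra_pages)
{
    struct toy_rx rx = { 0 };
    memset(pools, 0, sizeof pools);
    alloc_budget = RX_RING_SIZE + extra_pages;
    rx.pool = toy_pool_create(); rx_alloc_pages(rx.page, rx.pool);
    int rc = reload(&rx);
    return (struct reload_result){ rc, ring_is_safe(&rx), leaked_pools(&rx) };
}
int main(void)
{
    struct reload_result v = simulate(reload_vulnerable, 2), f = simulate(reload_fixed, 2);
    printf("vulnerable: rc=%d ring_safe=%d leaked_pools=%d\n", v.rc, v.ring_safe, v.leaked_pools);
    printf("fixed:      rc=%d ring_safe=%d leaked_pools=%d\n", f.rc, f.ring_safe, f.leaked_pools);
}
```

With two extra pages permitted the reload fails half-way in both variants, but only the original ordering leaves the ring pointing at flagged (freed) pages with an undestroyed second pool; with a full budget both variants succeed and release the old resources. The same property, in the real driver, is what the "old descriptors, pages and page pool are all still valid" sentence of the description guarantees.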

Advisories

Source: Debian DSA
ID: DSA-6238-1
Title: linux security update
History

Mon, 27 Apr 2026 20:30:00 +0000

Values added:
  Weaknesses: CWE-416
  CPEs:
    cpe:2.3:o:linux:linux_kernel:6.12:-:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Mon, 27 Apr 2026 15:00:00 +0000

Values added:
  Metrics: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Sat, 25 Apr 2026 00:15:00 +0000


Fri, 24 Apr 2026 15:00:00 +0000

Values added:
  Description: In the Linux kernel, the following vulnerability has been resolved: net: lan966x: fix use-after-free and leak in lan966x_fdma_reload() (full text as in the Description section above)
  Title: net: lan966x: fix use-after-free and leak in lan966x_fdma_reload()
  First Time appeared: Linux; Linux linux Kernel
  CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  Vendors & Products: Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:12:48.146Z

Reserved: 2026-03-09T15:48:24.127Z

Link: CVE-2026-31644

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-24T15:16:43.770

Modified: 2026-04-27T20:19:21.583

Link: CVE-2026-31644

Redhat

Severity :

Public Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31644 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T14:00:16Z

Weaknesses