Description
In the Linux kernel, the following vulnerability has been resolved:

net: stmmac: fix integer underflow in chain mode

The jumbo_frm() chain-mode implementation unconditionally computes

len = nopaged_len - bmax;

where nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is
BUF_SIZE_8KiB or BUF_SIZE_2KiB. However, the caller stmmac_xmit()
decides to invoke jumbo_frm() based on skb->len (total length including
page fragments):

is_jumbo = stmmac_is_jumbo_frm(priv, skb->len, enh_desc);

When a packet has a small linear portion (nopaged_len <= bmax) but a
large total length due to page fragments (skb->len > bmax), the
subtraction wraps as an unsigned integer, producing a huge len value
(~0xFFFFxxxx). This causes the while (len != 0) loop to execute
hundreds of thousands of iterations, passing skb->data + bmax * i
pointers far beyond the skb buffer to dma_map_single(). On IOMMU-less
SoCs (the typical deployment for stmmac), this maps arbitrary kernel
memory to the DMA engine, constituting a kernel memory disclosure and
potential memory corruption from hardware.

Fix this by introducing a buf_len local variable clamped to
min(nopaged_len, bmax). Computing len = nopaged_len - buf_len is then
always safe: it is zero when the linear portion fits within a single
descriptor, causing the while (len != 0) loop to be skipped naturally,
and the fragment loop in stmmac_xmit() handles page fragments afterward.
Published: 2026-04-24
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Kernel Memory Disclosure
Action: Immediate Patch
AI Analysis

Impact

An integer underflow in the STMMAC network driver’s jumbo frame handling creates an enormous length value that causes the DMA engine to map memory far beyond the intended buffer. This results in a kernel memory disclosure and potentially kernel memory corruption, exposing sensitive data and jeopardizing system integrity. The flaw is related to CWE‑190 (Integer Overflow or Underflow).

Affected Systems

All Linux kernel installations that include the STMMAC driver before the patch, particularly on SoCs that lack an IOMMU. The vulnerability is present in any kernel version up to the most recent stable releases that have not yet incorporated the commit that fixes the underflow.

Risk and Exploitability

With a CVSS score of 9.8, the vulnerability is considered critical. The EPSS score is below 1 %, indicating a low current exploitation probability, but the high impact warrants prompt action. Based on the description, the likely attack vector is sending specially crafted Ethernet frames to the affected interface, allowing an attacker with network access—local or remote—to trigger the underflow and read kernel memory. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 28, 2026 at 13:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the STMMAC patch (commit 10d12b9240ebf…) or apply the vendor‑supplied security update.
  • If a kernel upgrade is not immediately feasible, disable the affected STMMAC network driver or bring the interface down to prevent malicious packet processing until the patch is applied.
  • Enable an IOMMU on the platform, if supported, to restrict DMA mappings and mitigate the risk of memory disclosure.
  • Reboot the system after applying the patch or configuring the workaround so that the driver is reloaded with the fixed code.

Generated by OpenCVE AI on April 28, 2026 at 13:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4561-1 linux-6.1 security update
Debian DLA Debian DLA DLA-4606-1 linux security update
Debian DSA Debian DSA DSA-6238-1 linux security update
Debian DSA Debian DSA DSA-6243-1 linux security update
History

Mon, 27 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
CPEs cpe:2.3:o:linux:linux_kernel:3.2:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Mon, 27 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Sat, 25 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-191
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important

Fri, 24 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix integer underflow in chain mode The jumbo_frm() chain-mode implementation unconditionally computes len = nopaged_len - bmax; where nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is BUF_SIZE_8KiB or BUF_SIZE_2KiB. However, the caller stmmac_xmit() decides to invoke jumbo_frm() based on skb->len (total length including page fragments): is_jumbo = stmmac_is_jumbo_frm(priv, skb->len, enh_desc); When a packet has a small linear portion (nopaged_len <= bmax) but a large total length due to page fragments (skb->len > bmax), the subtraction wraps as an unsigned integer, producing a huge len value (~0xFFFFxxxx). This causes the while (len != 0) loop to execute hundreds of thousands of iterations, passing skb->data + bmax * i pointers far beyond the skb buffer to dma_map_single(). On IOMMU-less SoCs (the typical deployment for stmmac), this maps arbitrary kernel memory to the DMA engine, constituting a kernel memory disclosure and potential memory corruption from hardware. Fix this by introducing a buf_len local variable clamped to min(nopaged_len, bmax). Computing len = nopaged_len - buf_len is then always safe: it is zero when the linear portion fits within a single descriptor, causing the while (len != 0) loop to be skipped naturally, and the fragment loop in stmmac_xmit() handles page fragments afterward.
Title net: stmmac: fix integer underflow in chain mode
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:12:54.099Z

Reserved: 2026-03-09T15:48:24.128Z

Link: CVE-2026-31649

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T15:16:44.330

Modified: 2026-04-27T20:13:49.587

Link: CVE-2026-31649

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31649 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T14:00:16Z

Weaknesses