CVE-2026-43031 - Vulnerability Details

- net: xilinx: axienet: Fix BQL accounting for multi-BD TX packets

Description

In the Linux kernel, the following vulnerability has been resolved:

net: xilinx: axienet: Fix BQL accounting for multi-BD TX packets

When a TX packet spans multiple buffer descriptors (scatter-gather),
axienet_free_tx_chain sums the per-BD actual length from descriptor
status into a caller-provided accumulator. That sum is reset on each
NAPI poll. If the BDs for a single packet complete across different
polls, the earlier bytes are lost and never credited to BQL. This
causes BQL to think bytes are permanently in-flight, eventually
stalling the TX queue.

The SKB pointer is stored only on the last BD of a packet. When that
BD completes, use skb->len for the byte count instead of summing
per-BD status lengths. This matches netdev_sent_queue(), which debits
skb->len, and naturally survives across polls because no partial
packet contributes to the accumulator.

Published: 2026-05-01

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability in the Xilinx AXI Ethernet driver prevents accurate accounting of transmitted data when packets span multiple buffer descriptors. The driver sums per‑BD lengths but discards partial sums when a packet completes over multiple NAPI polls, causing the earlier bytes to be lost from the Byte Queue Limits (BQL) tracker. This misreporting makes the kernel believe the interface still has bytes in flight, leading the TX queue to appear permanently full and eventually stall further transmissions.

Affected Systems

Linux kernels that include the Xilinx AXI Ethernet driver before the CVE fix. The bug applies to devices using this driver in any environment where the driver is compiled into the kernel; there are no specific version constraints listed, so it is prudent to consider all kernels up to the commit that implements the fix as potentially affected.

Risk and Exploitability

The flaw results in a denial of service condition: a system or application that generates high rates of outbound traffic over the AXI Ethernet interface can trigger the BQL miscount and cause the TX queue to block, degrading network performance or halting traffic. No remote exploit is required; the effect occurs by sending ordinary network packets. The EPSS score is unavailable, and the vulnerability is not listed in CISA KEV, suggesting limited awareness, but the intrinsic severity of a sustained TX queue stall warrants careful attention. The CVSS score is not provided, but the operational impact and required packet load imply a high likelihood of exploitation in environments where the driver is in use.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`c900e49d58eb32b192b6d200ace4ae3ab89779d4`	affected	< 2a0323a913109b52bfc9f5ea7b92a1b249e07d3e
`c900e49d58eb32b192b6d200ace4ae3ab89779d4`	affected	< 3c3a6b9020c01fde7b22e8550105de0b59904f61
`c900e49d58eb32b192b6d200ace4ae3ab89779d4`	affected	< d1978d03e86785872871bff9c2623174b10740de

Linux

affected

Version	Status	Constraints
`6.15`	affected	—
`0`	unaffected	< 6.15
`6.18.22`	unaffected	≤ 6.18.*
`6.19.12`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[c900e49d58eb32b192b6d200ace4ae3ab89779d4,2a0323a913109b52bfc9f5ea7b92a1b249e07d3e)`	affected	code_commit	—
`[c900e49d58eb32b192b6d200ace4ae3ab89779d4,3c3a6b9020c01fde7b22e8550105de0b59904f61)`	affected	code_commit	—
`[c900e49d58eb32b192b6d200ace4ae3ab89779d4,d1978d03e86785872871bff9c2623174b10740de)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.15`	affected	generic	—
`[0,6.15)`	unaffected	generic	—
`[6.18.22,6.19.0)`	unaffected	semver	—
`[6.19.12,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that includes the Xilinx AXI Ethernet driver fix or apply the patch from the referenced commit.
If an immediate kernel update is not possible, limit high‑rate outbound traffic through traffic shaping or rate‑limiting to prevent the BQL counter from being overwhelmed.
If the AXI Ethernet driver is not essential for your system, disable it or replace the device with a different NIC that does not rely on multi‑BD packet handling.

Generated by OpenCVE AI on May 2, 2026 at 07:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/2a0323a913109b52bfc9f5ea7b92a1b249e07d3e
https://git.kernel.org/stable/c/3c3a6b9020c01fde7b22e8550105de0b59904f61
https://git.kernel.org/stable/c/d1978d03e86785872871bff9c2623174b10740de
https://lore.kernel.org/linux-cve-announce/2026050101-CVE-2026-43031-f267@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43031
https://www.cve.org/CVERecord?id=CVE-2026-43031

History

Sat, 02 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-911
References		https://lore.kernel.org/linux-cve-announce/2026050101-CVE-2026-43031-f267@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43031 https://www.cve.org/CVERecord?id=CVE-2026-43031

Fri, 01 May 2026 23:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-749

Fri, 01 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net: xilinx: axienet: Fix BQL accounting for multi-BD TX packets When a TX packet spans multiple buffer descriptors (scatter-gather), axienet_free_tx_chain sums the per-BD actual length from descriptor status into a caller-provided accumulator. That sum is reset on each NAPI poll. If the BDs for a single packet complete across different polls, the earlier bytes are lost and never credited to BQL. This causes BQL to think bytes are permanently in-flight, eventually stalling the TX queue. The SKB pointer is stored only on the last BD of a packet. When that BD completes, use skb->len for the byte count instead of summing per-BD status lengths. This matches netdev_sent_queue(), which debits skb->len, and naturally survives across polls because no partial packet contributes to the accumulator.
Title		net: xilinx: axienet: Fix BQL accounting for multi-BD TX packets
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/2a0323a913109b52bfc9f5ea7b92a1b249e07d3e https://git.kernel.org/stable/c/3c3a6b9020c01fde7b22e8550105de0b59904f61 https://git.kernel.org/stable/c/d1978d03e86785872871bff9c2623174b10740de

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-01T14:15:31.256Z

Updated: 2026-05-01T14:15:31.256Z

Reserved: 2026-05-01T14:12:55.977Z

Link: CVE-2026-43031

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-01T15:16:47.680

Modified: 2026-05-01T15:24:14.893

Link: CVE-2026-43031

Redhat

Severity :

Publid Date: 2026-05-01T00:00:00Z

Links: CVE-2026-43031 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-02T07:15:16Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object