CVE-2026-45940 - Vulnerability Details

- net: stmmac: fix oops when split header is enabled

Description

In the Linux kernel, the following vulnerability has been resolved:

net: stmmac: fix oops when split header is enabled

For GMAC4, when split header is enabled, in some rare cases, the
hardware does not fill buf2 of the first descriptor with payload.
Thus we cannot assume buf2 is always fully filled if it is not
the last descriptor. Otherwise, the length of buf2 of the second
descriptor will be calculated wrong and cause an oops:

Unable to handle kernel paging request at virtual address ffff00019246bfc0
...
x2 : 0000000000000040 x1 : ffff00019246bfc0 x0 : ffff00009246c000
Call trace:
dcache_inval_poc+0x28/0x58 (P)
dma_direct_sync_single_for_cpu+0x38/0x6c
__dma_sync_single_for_cpu+0x34/0x6c
stmmac_napi_poll_rx+0x8f0/0xb60
__napi_poll.constprop.0+0x30/0x144
net_rx_action+0x160/0x274
handle_softirqs+0x1b8/0x1fc
...

To fix this, the PL bit-field in RDES3 register is used for all
descriptors, whether it is the last descriptor or not.

Published: 2026-05-27

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A bug in the Linux kernel’s stmmac driver for the GMAC4 network interface causes a kernel crash when the split‑header feature is enabled. The hardware sometimes leaves the second buffer of the first receive descriptor uninitialized, yet the driver assumes it is fully populated. This incorrect assumption results in a wrong length calculation for the following descriptor, which ultimately triggers a kernel oops and leads to a panic. The crash demonstrates a memory‑corruption fault that can interrupt system operation.

Affected Systems

All Linux kernel installations that incorporate the GMAC4 stmmac driver and are built with the split‑header option enabled are affected. The precise kernel versions are not enumerated, so any build containing these components is potentially at risk.

Risk and Exploitability

Based on the description, the fault is triggered when the kernel processes incoming packets on the GMAC4 interface, implying that a malicious packet could be sent to that interface to exploit the flaw. The ongoing risk is considered low because the EPSS score is under 1% and the vulnerability is not listed in CISA’s KEV catalog. Nonetheless, the impact remains high: a single kernel crash can cause a full system reboot or loss of service, representing a denial of service attack surface for affected hosts.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`ec222003bd948de8f3ffbca522d328af1a8452ad`	affected	< b1f23df09e7dbf4c86b6908dff7efb8cb2b7d609
`ec222003bd948de8f3ffbca522d328af1a8452ad`	affected	< 36f81cb7d82e9614a7058da6abdf2e3a03993df1
`ec222003bd948de8f3ffbca522d328af1a8452ad`	affected	< babab1b42ed68877ef669a08384becf281ad2582

Linux

affected

Version	Status	Constraints
`5.4`	affected	—
`0`	unaffected	< 5.4
`6.18.14`	unaffected	≤ 6.18.*
`6.19.4`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[ec222003bd948de8f3ffbca522d328af1a8452ad,b1f23df09e7dbf4c86b6908dff7efb8cb2b7d609)`	affected	code_commit	—
`[ec222003bd948de8f3ffbca522d328af1a8452ad,36f81cb7d82e9614a7058da6abdf2e3a03993df1)`	affected	code_commit	—
`[ec222003bd948de8f3ffbca522d328af1a8452ad,babab1b42ed68877ef669a08384becf281ad2582)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.4`	affected	generic	—
`[0,5.4)`	unaffected	generic	—
`[6.18.14,6.19.0)`	unaffected	semver	—
`[6.19.4,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Linux kernel release that contains the stmmac driver fix.
If a kernel update cannot be applied immediately, disable the split‑header option in the GMAC4 driver configuration to avoid the erroneous code path.
Limit or filter traffic to the GMAC4 interface by applying firewall rules or isolating the interface so that untrusted packets cannot reach the vulnerable driver.

Generated by OpenCVE AI on May 28, 2026 at 17:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00198.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/36f81cb7d82e9614a7058da6abdf2e3a03993df1
https://git.kernel.org/stable/c/b1f23df09e7dbf4c86b6908dff7efb8cb2b7d609
https://git.kernel.org/stable/c/babab1b42ed68877ef669a08384becf281ad2582
https://lore.kernel.org/linux-cve-announce/2026052729-CVE-2026-45940-4159@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-45940
https://www.cve.org/CVERecord?id=CVE-2026-45940

History

Thu, 28 May 2026 15:15:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-120 CWE-476 CWE-788

Thu, 28 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-805
References		https://lore.kernel.org/linux-cve-announce/2026052729-CVE-2026-45940-4159@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-45940 https://www.cve.org/CVERecord?id=CVE-2026-45940

Wed, 27 May 2026 19:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-120 CWE-476 CWE-788

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix oops when split header is enabled For GMAC4, when split header is enabled, in some rare cases, the hardware does not fill buf2 of the first descriptor with payload. Thus we cannot assume buf2 is always fully filled if it is not the last descriptor. Otherwise, the length of buf2 of the second descriptor will be calculated wrong and cause an oops: Unable to handle kernel paging request at virtual address ffff00019246bfc0 ... x2 : 0000000000000040 x1 : ffff00019246bfc0 x0 : ffff00009246c000 Call trace: dcache_inval_poc+0x28/0x58 (P) dma_direct_sync_single_for_cpu+0x38/0x6c __dma_sync_single_for_cpu+0x34/0x6c stmmac_napi_poll_rx+0x8f0/0xb60 __napi_poll.constprop.0+0x30/0x144 net_rx_action+0x160/0x274 handle_softirqs+0x1b8/0x1fc ... To fix this, the PL bit-field in RDES3 register is used for all descriptors, whether it is the last descriptor or not.
Title		net: stmmac: fix oops when split header is enabled
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/36f81cb7d82e9614a7058da6abdf2e3a03993df1 https://git.kernel.org/stable/c/b1f23df09e7dbf4c86b6908dff7efb8cb2b7d609 https://git.kernel.org/stable/c/babab1b42ed68877ef669a08384becf281ad2582

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-27T12:17:56.350Z

Updated: 2026-05-27T12:17:56.350Z

Reserved: 2026-05-13T15:03:33.087Z

Link: CVE-2026-45940

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:10.193

Modified: 2026-06-17T10:52:45.860

Link: CVE-2026-45940

Redhat

Severity :

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45940 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T17:15:21Z

Weaknesses

CWE-805
Buffer Access with Incorrect Length Value

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object