Description
In the Linux kernel, the following vulnerability has been resolved:

net: stmmac: fix oops when split header is enabled

For GMAC4, when split header is enabled, in some rare cases, the
hardware does not fill buf2 of the first descriptor with payload.
Thus we cannot assume buf2 is always fully filled if it is not
the last descriptor. Otherwise, the length of buf2 of the second
descriptor will be calculated wrong and cause an oops:

Unable to handle kernel paging request at virtual address ffff00019246bfc0
...
x2 : 0000000000000040 x1 : ffff00019246bfc0 x0 : ffff00009246c000
Call trace:
dcache_inval_poc+0x28/0x58 (P)
dma_direct_sync_single_for_cpu+0x38/0x6c
__dma_sync_single_for_cpu+0x34/0x6c
stmmac_napi_poll_rx+0x8f0/0xb60
__napi_poll.constprop.0+0x30/0x144
net_rx_action+0x160/0x274
handle_softirqs+0x1b8/0x1fc
...

To fix this, the PL bit-field in RDES3 register is used for all
descriptors, whether it is the last descriptor or not.
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Linux kernel's stmmac driver for GMAC4 surfaces when the split-header feature is enabled. In rare cases the hardware does not fill the second buffer (buf2) of the first descriptor with payload, yet the driver assumes that buffer is fully filled whenever the descriptor is not the last one. This incorrect assumption leads to a miscalculated buf2 length for the second descriptor and ultimately triggers a kernel oops, which appears in the trace as a paging-request fault. The vulnerability therefore manifests as a memory-corruption-induced crash that can disrupt kernel operation.
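The length accounting described above, as an added user-space C model (not the driver's code and not the upstream patch). `struct rx_desc`, `DMA_BUF_SZ`, the function names and the sample frame are constructed for illustration, and the model assumes PL reports the frame bytes written up to and including each descriptor.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define DMA_BUF_SZ 1536u /* assumed RX buffer size for this model */

/* Constructed model of an RX descriptor, not the driver's struct dma_desc. */
struct rx_desc {
    uint32_t pl;   /* RDES3 PL: frame bytes written so far (assumption) */
    bool last;     /* last-descriptor flag */
};

typedef uint32_t (*buf2_fn)(const struct rx_desc *, uint32_t);

/* Before the fix: buf2 of a non-last descriptor is assumed to be full. */
static uint32_t buf2_len_old(const struct rx_desc *d, uint32_t len)
{
    if (!d->last)
        return DMA_BUF_SZ;
    return d->pl - len; /* wraps when len was over-counted earlier */
}

/* After the fix: PL is used for every descriptor, last or not. */
static uint32_t buf2_len_new(const struct rx_desc *d, uint32_t len)
{
    return d->pl - len;
}

/* Walk one frame; return the buf2 length computed for its final descriptor. */
static uint32_t final_buf2_len(const struct rx_desc *ring, int n,
                               uint32_t hlen, buf2_fn fn)
{
    uint32_t len = hlen, b2 = 0; /* buf1 of descriptor 0 holds the header */
    for (int i = 0; i < n; i++) {
        b2 = fn(&ring[i], len);
        len += b2;
    }
    return b2;
}

/* Constructed frame: 64-byte header, buf2 of descriptor 0 left empty. */
static const struct rx_desc rare[] = { { 64, false }, { 1536, true } };

int main(void)
{
    printf("old: 0x%x\n", (unsigned)final_buf2_len(rare, 2, 64, buf2_len_old));
    printf("new: %u\n", (unsigned)final_buf2_len(rare, 2, 64, buf2_len_new));
    return 0;
}
```

In the oops quoted in the description, x1 minus x0 is 0xffffffc0, the same kind of value a small negative length produces when held in 32 bits.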

Affected Systems

All installations of the Linux kernel that include the GMAC4 stmmac driver and are configured to use split headers are susceptible. No specific kernel versions are cited, so any build with these components and the split‑header option enabled should be treated as at risk.

Risk and Exploitability

Based on the description, it is inferred that the vulnerability can be triggered by packets sent to the GMAC4 network interface, implying that the attack vector is local to that interface or could be remote if the interface is exposed. This inference derives from the hardware behavior described in the fix, indicating that incorrectly filled descriptor buffers lead to a kernel oops when processing incoming traffic. The impact remains high because the kernel crash constitutes a denial of service. No public exploit has been documented, and the EPSS score is unavailable, so the likelihood of exploitation is low. The vulnerability is not listed in the CISA KEV catalog, underscoring that it is not yet a known exploited vulnerability.

Generated by OpenCVE AI on May 27, 2026 at 18:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel release that contains the stmmac driver fix.
  • If a kernel update cannot be applied immediately, disable the split‑header option in the GMAC4 driver configuration to avoid the erroneous code path.
  • Limit or filter traffic to the GMAC4 interface by applying firewall rules or isolating the interface so that untrusted packets cannot reach the vulnerable driver.

Generated by OpenCVE AI on May 27, 2026 at 18:59 UTC.

Advisories

No advisories yet.

History

Wed, 27 May 2026 19:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-120, CWE-476, CWE-788

Wed, 27 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix oops when split header is enabled For GMAC4, when split header is enabled, in some rare cases, the hardware does not fill buf2 of the first descriptor with payload. Thus we cannot assume buf2 is always fully filled if it is not the last descriptor. Otherwise, the length of buf2 of the second descriptor will be calculated wrong and cause an oops: Unable to handle kernel paging request at virtual address ffff00019246bfc0 ... x2 : 0000000000000040 x1 : ffff00019246bfc0 x0 : ffff00009246c000 Call trace: dcache_inval_poc+0x28/0x58 (P) dma_direct_sync_single_for_cpu+0x38/0x6c __dma_sync_single_for_cpu+0x34/0x6c stmmac_napi_poll_rx+0x8f0/0xb60 __napi_poll.constprop.0+0x30/0x144 net_rx_action+0x160/0x274 handle_softirqs+0x1b8/0x1fc ... To fix this, the PL bit-field in RDES3 register is used for all descriptors, whether it is the last descriptor or not.
Title | | net: stmmac: fix oops when split header is enabled
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:17:56.350Z

Reserved: 2026-05-13T15:03:33.087Z

Link: CVE-2026-45940

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-27T14:17:10.193

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-45940

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T19:00:16Z
