Impact
A flaw in the Linux kernel bcmgenet driver causes dropped transmit frames to be omitted from the free buffer descriptor pool during queue reclamation, leaking descriptors and gradually exhausting available resources. This leads to a loss of network transmission capability and can ultimately interrupt host connectivity, representing a resource‑exhaustion denial‑of‑service vulnerability (CWE‑772).
Affected Systems
Linux kernel builds that include the bcmgenet driver and have not applied the commits referenced in the advisory are affected. This encompasses any kernel version where bcmgenet was compiled prior to the application of the fix, regardless of vendor or specific distribution.
Risk and Exploitability
The CVSS score is 7.5, indicating high severity, and the EPSS score is less than 1 %, suggesting a low likelihood of exploitation. The vulnerability is not present in CISA’s KEV catalog. Based on the description, the likely attack vector is local, requiring privileged access to interact with the network driver or to generate high traffic volumes to trigger the descriptor leak. No known exploits exist, but the potential for service disruption warrants immediate attention.
OpenCVE Enrichment