Description
In the Linux kernel, the following vulnerability has been resolved:

net: bcmgenet: fix off-by-one in bcmgenet_put_txcb

The write_ptr points to the next open tx_cb. We want to return the
tx_cb that gets rewinded, so we must rewind the pointer first then
return the tx_cb that it points to. That way the txcb can be correctly
cleaned up.
Published: 2026-06-24
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel bcmgenet networking driver contained an off‑by‑one error in its transmit control block handling. The write pointer referenced the next available control block, but the driver needed to rewind the pointer before returning the block that would be recycled. Because the pointer was rewound too late, the code returned an unintended control block and failed to clean up the original, which could corrupt kernel memory or lead to a kernel panic. This flaw represents an off‑by‑one pointer error (CWE‑680) that can be exploited through crafted network traffic to cause denial of service or, potentially, privilege escalation.

Affected Systems

The vulnerability affects all Linux kernels that include the bcmgenet module, which is used in many embedded and networking devices. The bug was addressed in the mainline kernel commit referenced in the advisory, but the specific version range is not listed in the data; therefore, any system running an unpatched kernel that compiles bcmgenet is at risk.

Risk and Exploitability

No CVSS or EPSS score was offered, and the vulnerability has not appeared in CISA’s KEV list. Because the defect involves kernel memory manipulation, the attack requires a vector that can drive tx_cb handling – usually by sending specially crafted frames over the bcmgenet interface. The likely attack surface therefore is network traffic directed at the device; an attacker with such access could trigger the off‑by‑one error and cause a crash or memory corruption. Although no public exploits exist, the severity warrants prompt remediation.

Generated by OpenCVE AI on June 24, 2026 at 20:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the fixed bcmgenet_put_txcb implementation.
  • Restrict or filter traffic on the bcmgenet interface to prevent malformed frames from reaching the driver, for example by configuring the device’s firewall or access control lists.
  • Monitor system logs for kernel panics or memory corruption associated with networking devices and apply further patches if needed.

Generated by OpenCVE AI on June 24, 2026 at 20:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122
CWE-680

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: bcmgenet: fix off-by-one in bcmgenet_put_txcb The write_ptr points to the next open tx_cb. We want to return the tx_cb that gets rewinded, so we must rewind the pointer first then return the tx_cb that it points to. That way the txcb can be correctly cleaned up.
Title net: bcmgenet: fix off-by-one in bcmgenet_put_txcb
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:30:27.655Z

Reserved: 2026-06-09T07:44:35.384Z

Link: CVE-2026-53088

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T21:00:11Z

Weaknesses
  • CWE-122

    Heap-based Buffer Overflow

  • CWE-680

    Integer Overflow to Buffer Overflow