Bug 2460697 (CVE-2026-31501) - CVE-2026-31501 kernel: net: ti: icssg-prueth: fix use-after-free of CPPI descriptor in RX path
Summary: CVE-2026-31501 kernel: net: ti: icssg-prueth: fix use-after-free of CPPI desc...
Keywords:
Status: NEW
Alias: CVE-2026-31501
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-04-22 15:06 UTC by OSIDB Bzimport
Modified: 2026-04-22 19:28 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-04-22 15:06:04 UTC 
In the Linux kernel, the following vulnerability has been resolved:

net: ti: icssg-prueth: fix use-after-free of CPPI descriptor in RX path

cppi5_hdesc_get_psdata() returns a pointer into the CPPI descriptor.
In both emac_rx_packet() and emac_rx_packet_zc(), the descriptor is
freed via k3_cppi_desc_pool_free() before the psdata pointer is used
by emac_rx_timestamp(), which dereferences psdata[0] and psdata[1].
This constitutes a use-after-free on every received packet that goes
through the timestamp path.

Defer the descriptor free until after all accesses through the psdata
pointer are complete. For emac_rx_packet(), move the free into the
requeue label so both early-exit and success paths free the descriptor
after all accesses are done. For emac_rx_packet_zc(), move the free to
the end of the loop body after emac_dispatch_skb_zc() (which calls
emac_rx_timestamp()) has returned.
Comment 1 Keith Grant 2026-04-22 19:26:14 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026042205-CVE-2026-31501-113b@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.