{ "threat_severity" : "Moderate", "public_date" : "2026-04-03T00:00:00Z", "bugzilla" : { "description" : "kernel: net: macb: fix use-after-free access to PTP clock", "id" : "2454865", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2454865" }, "cwe" : "CWE-825", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet: macb: fix use-after-free access to PTP clock\nPTP clock is registered on every opening of the interface and destroyed on\nevery closing. However it may be accessed via get_ts_info ethtool call\nwhich is possible while the interface is just present in the kernel.\nBUG: KASAN: use-after-free in ptp_clock_index+0x47/0x50 drivers/ptp/ptp_clock.c:426\nRead of size 4 at addr ffff8880194345cc by task syz.0.6/948\nCPU: 1 PID: 948 Comm: syz.0.6 Not tainted 6.1.164+ #109\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014\nCall Trace:\n\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0x8d/0xba lib/dump_stack.c:106\nprint_address_description mm/kasan/report.c:316 [inline]\nprint_report+0x17f/0x496 mm/kasan/report.c:420\nkasan_report+0xd9/0x180 mm/kasan/report.c:524\nptp_clock_index+0x47/0x50 drivers/ptp/ptp_clock.c:426\ngem_get_ts_info+0x138/0x1e0 drivers/net/ethernet/cadence/macb_main.c:3349\nmacb_get_ts_info+0x68/0xb0 drivers/net/ethernet/cadence/macb_main.c:3371\n__ethtool_get_ts_info+0x17c/0x260 net/ethtool/common.c:558\nethtool_get_ts_info net/ethtool/ioctl.c:2367 [inline]\n__dev_ethtool net/ethtool/ioctl.c:3017 [inline]\ndev_ethtool+0x2b05/0x6290 net/ethtool/ioctl.c:3095\ndev_ioctl+0x637/0x1070 net/core/dev_ioctl.c:510\nsock_do_ioctl+0x20d/0x2c0 net/socket.c:1215\nsock_ioctl+0x577/0x6d0 net/socket.c:1320\nvfs_ioctl fs/ioctl.c:51 [inline]\n__do_sys_ioctl fs/ioctl.c:870 [inline]\n__se_sys_ioctl fs/ioctl.c:856 [inline]\n__x64_sys_ioctl+0x18c/0x210 fs/ioctl.c:856\ndo_syscall_x64 arch/x86/entry/common.c:46 [inline]\ndo_syscall_64+0x35/0x80 arch/x86/entry/common.c:76\nentry_SYSCALL_64_after_hwframe+0x6e/0xd8\n\nAllocated by task 457:\nkmalloc include/linux/slab.h:563 [inline]\nkzalloc include/linux/slab.h:699 [inline]\nptp_clock_register+0x144/0x10e0 drivers/ptp/ptp_clock.c:235\ngem_ptp_init+0x46f/0x930 drivers/net/ethernet/cadence/macb_ptp.c:375\nmacb_open+0x901/0xd10 drivers/net/ethernet/cadence/macb_main.c:2920\n__dev_open+0x2ce/0x500 net/core/dev.c:1501\n__dev_change_flags+0x56a/0x740 net/core/dev.c:8651\ndev_change_flags+0x92/0x170 net/core/dev.c:8722\ndo_setlink+0xaf8/0x3a80 net/core/rtnetlink.c:2833\n__rtnl_newlink+0xbf4/0x1940 net/core/rtnetlink.c:3608\nrtnl_newlink+0x63/0xa0 net/core/rtnetlink.c:3655\nrtnetlink_rcv_msg+0x3c6/0xed0 net/core/rtnetlink.c:6150\nnetlink_rcv_skb+0x15d/0x430 net/netlink/af_netlink.c:2511\nnetlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]\nnetlink_unicast+0x6d7/0xa30 net/netlink/af_netlink.c:1344\nnetlink_sendmsg+0x97e/0xeb0 net/netlink/af_netlink.c:1872\nsock_sendmsg_nosec net/socket.c:718 [inline]\n__sock_sendmsg+0x14b/0x180 net/socket.c:730\n__sys_sendto+0x320/0x3b0 net/socket.c:2152\n__do_sys_sendto net/socket.c:2164 [inline]\n__se_sys_sendto net/socket.c:2160 [inline]\n__x64_sys_sendto+0xdc/0x1b0 net/socket.c:2160\ndo_syscall_x64 arch/x86/entry/common.c:46 [inline]\ndo_syscall_64+0x35/0x80 arch/x86/entry/common.c:76\nentry_SYSCALL_64_after_hwframe+0x6e/0xd8\nFreed by task 938:\nkasan_slab_free include/linux/kasan.h:177 [inline]\nslab_free_hook mm/slub.c:1729 [inline]\nslab_free_freelist_hook mm/slub.c:1755 [inline]\nslab_free mm/slub.c:3687 [inline]\n__kmem_cache_free+0xbc/0x320 mm/slub.c:3700\ndevice_release+0xa0/0x240 drivers/base/core.c:2507\nkobject_cleanup lib/kobject.c:681 [inline]\nkobject_release lib/kobject.c:712 [inline]\nkref_put include/linux/kref.h:65 [inline]\nkobject_put+0x1cd/0x350 lib/kobject.c:729\nput_device+0x1b/0x30 drivers/base/core.c:3805\nptp_clock_unregister+0x171/0x270 drivers/ptp/ptp_clock.c:391\ngem_ptp_remove+0x4e/0x1f0 drivers/net/ethernet/cadence/macb_ptp.c:404\nmacb_close+0x1c8/0x270 drivers/net/ethernet/cadence/macb_main.c:2966\n__dev_close_many+0x1b9/0x310 net/core/dev.c:1585\n__dev_close net/core/dev.c:1597 [inline]\n__dev_change_flags+0x2bb/0x740 net/core/dev.c:8649\ndev_change_fl\n---truncated---", "A flaw was found in the Linux kernel's Media Access Controller (MACB) Ethernet driver and Precision Time Protocol (PTP) clock subsystem. A local attacker could exploit a use-after-free vulnerability by accessing the PTP clock via the `get_ts_info` ethtool call after the PTP clock has been deallocated. This could lead to a system crash, resulting in a denial of service." ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31396\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31396\nhttps://lore.kernel.org/linux-cve-announce/2026040326-CVE-2026-31396-0dad@gregkh/T" ], "name" : "CVE-2026-31396", "csaw" : false }