{
  "public_date" : "2026-04-22T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: net: macb: use the current queue number for stats",
    "id" : "2460665",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2460665"
  },
  "cwe" : "CWE-787",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nnet: macb: use the current queue number for stats\nThere's a potential mismatch between the memory reserved for statistics\nand the amount of memory written.\ngem_get_sset_count() correctly computes the number of stats based on the\nactive queues, whereas gem_get_ethtool_stats() indiscriminately copies\ndata using the maximum number of queues, and in the case the number of\nactive queues is less than MACB_MAX_QUEUES, this results in an OOB write\nas observed in the KASAN splat.\n==================================================================\nBUG: KASAN: vmalloc-out-of-bounds in gem_get_ethtool_stats+0x54/0x78\n[macb]\nWrite of size 760 at addr ffff80008080b000 by task ethtool/1027\nCPU: [...]\nTainted: [E]=UNSIGNED_MODULE\nHardware name: raspberrypi rpi/rpi, BIOS 2025.10 10/01/2025\nCall trace:\nshow_stack+0x20/0x38 (C)\ndump_stack_lvl+0x80/0xf8\nprint_report+0x384/0x5e0\nkasan_report+0xa0/0xf0\nkasan_check_range+0xe8/0x190\n__asan_memcpy+0x54/0x98\ngem_get_ethtool_stats+0x54/0x78 [macb\n926c13f3af83b0c6fe64badb21ec87d5e93fcf65]\ndev_ethtool+0x1220/0x38c0\ndev_ioctl+0x4ac/0xca8\nsock_do_ioctl+0x170/0x1d8\nsock_ioctl+0x484/0x5d8\n__arm64_sys_ioctl+0x12c/0x1b8\ninvoke_syscall+0xd4/0x258\nel0_svc_common.constprop.0+0xb4/0x240\ndo_el0_svc+0x48/0x68\nel0_svc+0x40/0xf8\nel0t_64_sync_handler+0xa0/0xe8\nel0t_64_sync+0x1b0/0x1b8\nThe buggy address belongs to a 1-page vmalloc region starting at\n0xffff80008080b000 allocated at dev_ethtool+0x11f0/0x38c0\nThe buggy address belongs to the physical page:\npage: refcount:1 mapcount:0 mapping:0000000000000000\nindex:0xffff00000a333000 pfn:0xa333\nflags: 0x7fffc000000000(node=0|zone=0|lastcpupid=0x1ffff)\nraw: 007fffc000000000 0000000000000000 dead000000000122 0000000000000000\nraw: ffff00000a333000 0000000000000000 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\nMemory state around the buggy address:\nffff80008080b080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\nffff80008080b100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n>ffff80008080b180: 00 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n^\nffff80008080b200: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\nffff80008080b280: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n==================================================================\nFix it by making sure the copied size only considers the active number of\nqueues.", "A flaw was found in the Linux kernel's macb network driver. A local user can exploit this vulnerability due to an out-of-bounds write in the gem_get_ethtool_stats function. This occurs when the driver incorrectly copies data using the maximum number of queues instead of the active number, leading to memory corruption. This can result in a kernel crash, causing a Denial of Service (DoS) for the system." ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31494\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31494\nhttps://lore.kernel.org/linux-cve-announce/2026042202-CVE-2026-31494-647e@gregkh/T" ],
  "name" : "CVE-2026-31494",
  "csaw" : false
}