{ "threat_severity" : "Moderate", "public_date" : "2026-04-22T00:00:00Z", "bugzilla" : { "description" : "kernel: iavf: fix out-of-bounds writes in iavf_get_ethtool_stats()", "id" : "2460688", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2460688" }, "cvss3" : { "cvss3_base_score" : "6.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "status" : "draft" }, "cwe" : "CWE-805", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\niavf: fix out-of-bounds writes in iavf_get_ethtool_stats()\niavf incorrectly uses real_num_tx_queues for ETH_SS_STATS. Since the\nvalue could change in runtime, we should use num_tx_queues instead.\nMoreover iavf_get_ethtool_stats() uses num_active_queues while\niavf_get_sset_count() and iavf_get_stat_strings() use\nreal_num_tx_queues, which triggers out-of-bounds writes when we do\n\"ethtool -L\" and \"ethtool -S\" simultaneously [1].\nFor example when we change channels from 1 to 8, Thread 3 could be\nscheduled before Thread 2, and out-of-bounds writes could be triggered\nin Thread 3:\nThread 1 (ethtool -L) Thread 2 (work) Thread 3 (ethtool -S)\niavf_set_channels()\n...\niavf_alloc_queues()\n-> num_active_queues = 8\niavf_schedule_finish_config()\niavf_get_sset_count()\nreal_num_tx_queues: 1\n-> buffer for 1 queue\niavf_get_ethtool_stats()\nnum_active_queues: 8\n-> out-of-bounds!\niavf_finish_config()\n-> real_num_tx_queues = 8\nUse immutable num_tx_queues in all related functions to avoid the issue.\n[1]\nBUG: KASAN: vmalloc-out-of-bounds in iavf_add_one_ethtool_stat+0x200/0x270\nWrite of size 8 at addr ffffc900031c9080 by task ethtool/5800\nCPU: 1 UID: 0 PID: 5800 Comm: ethtool Not tainted 6.19.0-enjuk-08403-g8137e3db7f1c #241 PREEMPT(full)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\nCall Trace:\n\ndump_stack_lvl+0x6f/0xb0\nprint_report+0x170/0x4f3\nkasan_report+0xe1/0x180\niavf_add_one_ethtool_stat+0x200/0x270\niavf_get_ethtool_stats+0x14c/0x2e0\n__dev_ethtool+0x3d0c/0x5830\ndev_ethtool+0x12d/0x270\ndev_ioctl+0x53c/0xe30\nsock_do_ioctl+0x1a9/0x270\nsock_ioctl+0x3d4/0x5e0\n__x64_sys_ioctl+0x137/0x1c0\ndo_syscall_64+0xf3/0x690\nentry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f7da0e6e36d\n...\n\nThe buggy address belongs to a 1-page vmalloc region starting at 0xffffc900031c9000 allocated at __dev_ethtool+0x3cc9/0x5830\nThe buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000\nindex:0xffff88813a013de0 pfn:0x13a013\nflags: 0x200000000000000(node=0|zone=2)\nraw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000\nraw: ffff88813a013de0 0000000000000000 00000001ffffffff 0000000000000000\npage dumped because: kasan: bad access detected\nMemory state around the buggy address:\nffffc900031c8f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\nffffc900031c9000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n>ffffc900031c9080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n^\nffffc900031c9100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\nffffc900031c9180: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8", "A flaw was found in the Linux kernel's iavf driver. This vulnerability, an out-of-bounds write, occurs when a user simultaneously executes specific ethtool commands, specifically \"ethtool -L\" and \"ethtool -S\". This can lead to memory corruption, potentially causing a system crash and resulting in a Denial of Service (DoS)." ], "statement" : "Upstream aligns `num_tx_queues` across ethtool stats paths so channel reconfiguration cannot race undersized user buffers. Red Hat treats this as a local CAP_NET_ADMIN-class issue on Intel adaptive virtual function devices. Install updated kernels; optionally unload `iavf` where virtual NICs are not required.", "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-31505\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-31505\nhttps://lore.kernel.org/linux-cve-announce/2026042206-CVE-2026-31505-a1db@gregkh/T" ], "name" : "CVE-2026-31505", "mitigation" : { "value" : "To mitigate this issue, prevent the iavf module from being loaded. See https://access.redhat.com/solutions/41278 for instructions.", "lang" : "en:us" }, "csaw" : false }