PatchSiren cyber security CVE debrief
CVE-2026-31395 Linux CVE debrief
CVE-2026-31395 is a Linux kernel vulnerability in the bnxt_en driver’s async event handling path. A firmware-supplied trace type is used as an array index without bounds checking, which can lead to out-of-bounds kernel memory access, corruption, or a crash. NVD rates the issue HIGH (7.1) and lists affected Linux kernel ranges including 6.13 through 6.18.20, 6.19 through 6.19.10, and early 7.0 release candidates.
- Vendor
- Linux
- Product
- Unknown
- CVSS
- HIGH 7.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-04-03
- Original CVE updated
- 2026-05-20
- Advisory published
- 2026-04-03
- Advisory updated
- 2026-05-20
Who should care
Linux kernel maintainers, distro/kernel package teams, and operators running systems that use the bnxt_en network driver should treat this as a patch-now issue.
Technical summary
The problem is in bnxt_async_event_process() while handling ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER. The handler uses a firmware-provided 16-bit 'type' field directly as an index into bp->bs_trace[] without validating that the value is in range. Because the field comes from DMA-mapped completion ring memory written by NIC firmware into host RAM, a malicious or compromised NIC can supply an out-of-range value and trigger an out-of-bounds access. The follow-on bnxt_bs_trace_check_wrap() path dereferences bs_trace->magic_byte and writes to bs_trace->last_offset and bs_trace->wrapped, which can produce kernel memory corruption or a crash. The fix adds a bounds check and defines BNXT_TRACE_MAX as DBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE + 1 so the driver only accepts currently defined trace types (0x0 through 0xc).
Defensive priority
High. Systems using bnxt_en should install the fixed kernel update promptly because the bug can lead to kernel memory corruption or denial of service.
Recommended defensive actions
- Apply the Linux kernel patches referenced by NVD and vendor/stable links.
- Upgrade to a kernel release newer than the vulnerable ranges listed by NVD (through 6.18.20, through 6.19.10, and early 7.0 release candidates).
- Confirm whether bnxt_en is in use on affected hosts and prioritize those systems first.
- If the driver is not required on a system, reduce exposure by not loading it.
- Monitor for kernel crashes or instability on hosts with affected NIC firmware and validate patched builds after deployment.
Evidence notes
This debrief is based on the CVE record and the NVD entry published 2026-04-03 and last modified 2026-05-20. NVD lists CVSS 3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H, CWE-125, and affected Linux kernel CPE ranges. The NVD record also includes three kernel.org patch references for the fix.
Official resources
-
CVE-2026-31395 CVE record
CVE.org
-
CVE-2026-31395 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
Publicly disclosed in the CVE record on 2026-04-03; NVD last modified the entry on 2026-05-20 after adding patch references.