PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-31396 Linux CVE debrief

CVE-2026-31396 is a Linux kernel use-after-free in the macb network driver’s PTP clock handling. The issue matters because the PTP clock is created and destroyed with interface open/close activity, but it can still be accessed from the get_ts_info ethtool path while the device remains present in the kernel. The supplied kernel report shows KASAN detecting a use-after-free in ptp_clock_index() reached through gem_get_ts_info() and macb_get_ts_info(). NVD rates the issue HIGH with CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, and its affected-version metadata spans multiple Linux kernel release ranges. Kernel stable patch references are listed in the record, indicating a fix was published across supported branches.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-03
Original CVE updated: 2026-05-20
Advisory published: 2026-04-03
Advisory updated: 2026-05-20

Who should care

Linux kernel maintainers, distribution security teams, embedded/device vendors shipping macb-capable kernels, and operators who rely on Linux systems that include the affected macb Ethernet driver. Systems where local users can invoke ethtool operations or otherwise interact with the interface-management path should prioritize review.

Technical summary

The vulnerability is a use-after-free (CWE-416) in the macb driver's PTP clock lifecycle. According to the provided report, gem_ptp_init() registers a PTP clock during interface open, and gem_ptp_remove() unregisters it on close, but get_ts_info ethtool access can still query the clock through ptp_clock_index() after the underlying object has been freed. The crash trace shows the read occurring in ptp_clock_index(), called from gem_get_ts_info() and macb_get_ts_info(). NVD lists affected Linux kernel ranges from 4.11 through versions fixed in stable releases across 5.10, 5.15, 6.1, 6.6, 6.12, 6.18, 6.19, and 7.0-rc builds.
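The lifecycle described above, reduced to a small C model added here for illustration (this is not the macb driver's code and not the upstream fix): a clock object is allocated on open and freed on close, while a separate ethtool-style query path can still run afterwards. The struct and function names are hypothetical stand-ins; the hardened close clears the pointer and the query path checks it before dereferencing, which is the defect class the page describes.

```c
#include <stdlib.h>
#include <stddef.h>

/* Hypothetical stand-in for a registered PTP clock: only the index that a
 * ptp_clock_index()-style accessor would return. Constructed for this example. */
struct ptp_clock_model { int index; };

/* Hypothetical stand-in for the driver's private data that owns the clock. */
struct macb_dev_model {
    struct ptp_clock_model *ptp_clock;  /* NULL whenever no clock is registered */
    int next_index;                     /* index handed to the next registration */
};

static struct ptp_clock_model *ptp_clock_register_model(int index)
{
    struct ptp_clock_model *c = malloc(sizeof(*c));
    if (c)
        c->index = index;
    return c;
}

/* Interface open: register the clock (the role gem_ptp_init() plays on the page). */
int model_open(struct macb_dev_model *bp)
{
    bp->ptp_clock = ptp_clock_register_model(bp->next_index++);
    return bp->ptp_clock ? 0 : -1;
}

/* Interface close: unregister and free (the role gem_ptp_remove() plays).
 * The defect class on the page is leaving bp->ptp_clock pointing at freed
 * memory here; the hardened form clears it so nothing dangling survives. */
void model_close(struct macb_dev_model *bp)
{
    free(bp->ptp_clock);
    bp->ptp_clock = NULL;  /* hardened: no dangling pointer after close */
}

/* ethtool get_ts_info path: reachable while the device exists, open or not.
 * Returns the clock index, or -1 when no clock is currently registered. */
int model_get_ts_info_phc_index(const struct macb_dev_model *bp)
{
    if (!bp->ptp_clock)  /* hardened: check before dereferencing */
        return -1;
    return bp->ptp_clock->index;
}
```

Without the two hardened lines, the query after close reads freed memory, which is exactly what KASAN flags in the report quoted on this page.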

Defensive priority

High. This is a kernel memory-safety flaw with potential confidentiality, integrity, and availability impact, but it is locally reachable and depends on the affected driver path. Patch and validate affected kernels promptly, especially on systems that expose macb hardware or kernels built with that driver enabled.

Recommended defensive actions

  • Upgrade to a Linux kernel release that includes the macb PTP clock use-after-free fix for your branch.
  • If you maintain downstream or stable kernels, confirm the corresponding patch has been backported to every supported branch you ship.
  • Inventory systems that include the macb Ethernet driver and prioritize patching those that expose ethtool access to untrusted local users.
  • Review kernel changelogs or vendor advisories for the listed stable patch references before rolling updates into production.
  • After updating, confirm the fixed kernel version is in use across all relevant hosts and containers/VM images.

Evidence notes

The CVE description explicitly reports a KASAN-detected use-after-free in ptp_clock_index() at drivers/ptp/ptp_clock.c:426, reached via gem_get_ts_info() and macb_get_ts_info(). The NVD record marks the issue analyzed, classifies it as CWE-416, rates it CVSS 7.8 HIGH, and lists affected Linux kernel version ranges plus multiple stable patch references. Timing context: the CVE was published on 2026-04-03 and last modified on 2026-05-20.

Official resources

Publicly disclosed on 2026-04-03 and updated by NVD on 2026-05-20. The record shows the issue as analyzed and links multiple kernel stable patch references for remediation across supported branches.