PatchSiren cyber security CVE debrief
CVE-2026-31649 Linux CVE debrief
The Linux kernel was vulnerable to an integer underflow issue in the stmmac network driver. The vulnerability occurred in the jumbo_frm() implementation, which unconditionally computed a length value that could wrap around as an unsigned integer when a packet had a small linear portion but a large total length due to page fragments. This led to a potential kernel memory disclosure and memory corruption from hardware on IOMMU-less SoCs. The issue has been resolved by introducing a buf_len local variable clamped to min(nopaged_len, bmax).
- Vendor
- Linux
- Product
- Unknown
- CVSS
- CRITICAL 9.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-04-24
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-04-24
- Advisory updated
- 2026-07-14
Who should care
Users of Linux kernel versions from 3.2.1 to 5.10.253, 5.11 to 5.15.203, 5.16 to 6.1.169, 6.2 to 6.6.135, 6.7 to 6.12.82, 6.13 to 6.18.23, 6.19 to 6.19.13, and 7.0 rc1 to rc7 should apply patches or mitigations.
Technical summary
The jumbo_frm() chain-mode implementation in the stmmac network driver unconditionally computed len = nopaged_len - bmax, where nopaged_len = skb_headlen(skb) and bmax is BUF_SIZE_8KiB or BUF_SIZE_2KiB. However, the caller stmmac_xmit() decides to invoke jumbo_frm() based on skb->len. When a packet has a small linear portion (nopaged_len <= bmax) but a large total length due to page fragments (skb->len > bmax), the subtraction wraps as an unsigned integer, producing a huge len value. This causes the while (len != 0) loop to execute hundreds of thousands of iterations, passing skb->data + bmax * i pointers far beyond the skb buffer to dma_map_single(). On IOMMU-less SoCs, this maps arbitrary kernel memory to the DMA engine, constituting a kernel memory disclosure and potential memory corruption from hardware.
Defensive priority
High
Recommended defensive actions
- Apply patches from Linux kernel stable branches
- Inventory and update affected Linux kernel versions
- Monitor for unusual DMA activity
- Implement compensating controls for IOMMU-less SoCs
- Exception tracking for potential memory corruption
Evidence notes
The CVE record was published on 2026-04-24T15:16:44.330Z and last modified on 2026-07-14T13:18:46.557Z. Multiple patches are available from the Linux kernel stable branches. Linux kernel versions from 3.2.1 to 5.10.253, 5.11 to 5.15.203, 5.16 to 6.1.169, 6.2 to 6.6.135, 6.7 to 6.12.82, 6.13 to 6.18.23, 6.19 to 6.19.13, and 7.0 rc1 to rc7 are potentially affected. Users should verify specific version exposure and apply patches or mitigations accordingly. Evidence is limited to public CVE and NVD details.
Official resources
-
CVE-2026-31649 CVE record
CVE.org
-
CVE-2026-31649 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
-
Mitigation or vendor reference
416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-24T15:16:44.330Z and has not been modified since then.