PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-31649 Linux CVE debrief

The Linux kernel was vulnerable to an integer underflow issue in the stmmac network driver. The vulnerability occurred in the jumbo_frm() implementation, which unconditionally computed a length value that could wrap around as an unsigned integer when a packet had a small linear portion but a large total length due to page fragments. This led to a potential kernel memory disclosure and memory corruption from hardware on IOMMU-less SoCs. The issue has been resolved by introducing a buf_len local variable clamped to min(nopaged_len, bmax).

Vendor
Linux
Product
Unknown
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-24
Original CVE updated
2026-07-14
Advisory published
2026-04-24
Advisory updated
2026-07-14

Who should care

Users of Linux kernel versions from 3.2.1 to 5.10.253, 5.11 to 5.15.203, 5.16 to 6.1.169, 6.2 to 6.6.135, 6.7 to 6.12.82, 6.13 to 6.18.23, 6.19 to 6.19.13, and 7.0 rc1 to rc7 should apply patches or mitigations.

Technical summary

The jumbo_frm() chain-mode implementation in the stmmac network driver unconditionally computed len = nopaged_len - bmax, where nopaged_len = skb_headlen(skb) and bmax is BUF_SIZE_8KiB or BUF_SIZE_2KiB. However, the caller stmmac_xmit() decides to invoke jumbo_frm() based on skb->len. When a packet has a small linear portion (nopaged_len <= bmax) but a large total length due to page fragments (skb->len > bmax), the subtraction wraps as an unsigned integer, producing a huge len value. This causes the while (len != 0) loop to execute hundreds of thousands of iterations, passing skb->data + bmax * i pointers far beyond the skb buffer to dma_map_single(). On IOMMU-less SoCs, this maps arbitrary kernel memory to the DMA engine, constituting a kernel memory disclosure and potential memory corruption from hardware.

Defensive priority

High

Recommended defensive actions

  • Apply patches from Linux kernel stable branches
  • Inventory and update affected Linux kernel versions
  • Monitor for unusual DMA activity
  • Implement compensating controls for IOMMU-less SoCs
  • Exception tracking for potential memory corruption

Evidence notes

The CVE record was published on 2026-04-24T15:16:44.330Z and last modified on 2026-07-14T13:18:46.557Z. Multiple patches are available from the Linux kernel stable branches. Linux kernel versions from 3.2.1 to 5.10.253, 5.11 to 5.15.203, 5.16 to 6.1.169, 6.2 to 6.6.135, 6.7 to 6.12.82, 6.13 to 6.18.23, 6.19 to 6.19.13, and 7.0 rc1 to rc7 are potentially affected. Users should verify specific version exposure and apply patches or mitigations accordingly. Evidence is limited to public CVE and NVD details.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-24T15:16:44.330Z and has not been modified since then.