CVE-2026-45940 Linux CVE debrief

Who should care

Linux system administrators running kernels with stmmac driver on GMAC4 hardware; embedded systems developers using Synopsys DesignWare Ethernet MAC; security teams monitoring for kernel stability issues in network stack

Technical summary

The stmmac (Synopsys DesignWare Ethernet MAC) driver in the Linux kernel contains a vulnerability when operating with split header enabled on GMAC4 hardware. The driver incorrectly calculates buffer lengths by assuming buf2 of non-last descriptors is always fully populated with payload data. In rare hardware conditions, this assumption fails, causing an incorrect length calculation for subsequent descriptors. This leads to an out-of-bounds memory access during the dma_direct_sync_single_for_cpu operation, manifesting as a kernel paging request fault. The vulnerability is addressed by consistently using the PL (Payload Length) field from the RDES3 register across all descriptors to obtain accurate buffer lengths.

Defensive priority

medium

Recommended defensive actions

• Apply kernel patches from stable branches when available for your distribution
• Monitor vendor security advisories for stmmac driver updates
• Consider disabling split header feature on GMAC4 hardware if patches cannot be immediately applied
• Review system logs for stmmac-related oops messages indicating potential exploitation attempts

Evidence notes

The vulnerability description and fix details are sourced from the official CVE record published 2026-05-27. The kernel commit references confirm the fix was applied to stable kernel branches. The call trace showing dcache_inval_poc and dma_direct_sync_single_for_cpu indicates the crash occurs during receive path DMA operations.

Official resources