PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46110 Linux CVE debrief

A NULL pointer dereference vulnerability exists in the Linux kernel's stmmac network driver when receive buffer memory is exhausted. The driver's receive loop can confuse 'dirty' descriptors (buffer NULL, OWN=0) with 'full' descriptors (buffer valid, OWN=0), leading to a NULL dereference when processing a descriptor whose buffer was already consumed. This occurs when stmmac_rx_refill() fails to allocate new buffers due to memory pressure, leaving descriptors in the 'dirty' state that the receive loop later encounters. The vulnerability affects both stmmac_rx() and stmmac_rx_zc() code paths due to their shared structure. A previous partial fix limited loop iterations but did not address the case where cur_rx catches up to dirty_rx without cycling the full ring. The complete fix adds explicit dirty descriptor checks before advancing cur_rx and removes the iteration clamp.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-30
Advisory published: 2026-05-28
Advisory updated: 2026-05-30

Who should care

Organizations running Linux systems with stmmac-based Ethernet controllers should care, particularly those with embedded or resource-constrained deployments where memory pressure and RX buffer exhaustion are more likely. Cloud providers and data center operators using affected hardware should prioritize kernel updates to prevent network stack crashes under load.

Technical summary

The stmmac Ethernet driver uses a ring of DMA descriptors for RX buffer management, with CPU and MAC coordinating through an OWN bit. The receive loop (stmmac_rx()) and its zero-copy variant (stmmac_rx_zc()) track positions via cur_rx (consumption) and dirty_rx (refill). When memory exhaustion prevents stmmac_rx_refill() from allocating new buffers, descriptors remain in a 'dirty' state (OWN=0, buffer NULL). The receive loop only checks OWN=0 to identify ready buffers, conflating 'full' descriptors (valid buffer) with 'dirty' descriptors (NULL buffer). When cur_rx catches up to dirty_rx, the loop dereferences a NULL buffer pointer, causing a kernel panic. The fix adds explicit dirty descriptor detection before cur_rx advancement and removes the previous iteration limit workaround.
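
A simplified user-space model of the dirty/full confusion described above, added here as an illustration; it is not the stmmac driver's code or the upstream patch. The struct and function names (rx_desc, rx_ring, rx_refill, rx_poll, run_scenario), the four-entry ring and the null_derefs counter are assumptions of the model.

```c
#include <stdbool.h>
#include <stdio.h>
#define RING_SIZE 4

/* Simplified model of an RX ring; not the stmmac driver's real structures. */
struct rx_desc { bool own; void *buf; };   /* own=true: MAC owns it (empty) */
struct rx_ring { struct rx_desc d[RING_SIZE]; unsigned cur_rx, dirty_rx; };
static char pkt[RING_SIZE];                /* constructed stand-in buffers */

/* Refill consumed entries; alloc_ok=false models allocation failure. */
static void rx_refill(struct rx_ring *r, bool alloc_ok) {
    while (alloc_ok && r->d[r->dirty_rx].buf == NULL) {
        r->d[r->dirty_rx].buf = &pkt[r->dirty_rx];
        r->d[r->dirty_rx].own = true;              /* dirty -> empty */
        r->dirty_rx = (r->dirty_rx + 1) % RING_SIZE;
    }
}

/* RX loop; returns how many NULL buffers it would have dereferenced.
 * check_dirty=false: only OWN is tested, so dirty looks like full.
 * check_dirty=true: OWN=0 with no buffer is treated as dirty and stops. */
static int rx_poll(struct rx_ring *r, int budget, bool check_dirty) {
    int null_derefs = 0;
    while (budget-- > 0) {
        struct rx_desc *p = &r->d[r->cur_rx];
        if (p->own) break;                         /* empty: nothing received */
        if (p->buf == NULL) {                      /* dirty, not full */
            if (check_dirty) break;
            null_derefs++;                         /* a real driver would oops */
        }
        p->buf = NULL;                             /* buffer passed up the stack */
        r->cur_rx = (r->cur_rx + 1) % RING_SIZE;
    }
    return null_derefs;
}

/* Ring starts full; two frames are consumed, refill fails, RX polls again. */
static int run_scenario(bool check_dirty) {
    struct rx_ring r = {0};
    for (unsigned i = 0; i < RING_SIZE; i++)
        r.d[i] = (struct rx_desc){ .own = false, .buf = &pkt[i] };
    rx_poll(&r, 2, check_dirty);       /* entries 0 and 1 become dirty */
    rx_refill(&r, false);              /* memory pressure: nothing refilled */
    return rx_poll(&r, RING_SIZE, check_dirty);
}

int main(void) {
    printf("OWN only: %d  dirty check: %d\n", run_scenario(false), run_scenario(true));
    return 0;
}
```

In the second poll cur_rx reaches dirty_rx after only two iterations, which is why a clamp on loop iterations alone does not stop the OWN-only loop.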

Defensive priority

high

Recommended defensive actions

  • Apply kernel updates containing the stmmac driver fix for CVE-2026-46110
  • Monitor systems using stmmac-based Ethernet controllers for kernel NULL pointer dereference panics
  • Review kernel logs for memory exhaustion conditions preceding network driver failures
  • Prioritize patching on systems with constrained memory or high network load where RX buffer exhaustion is more likely
  • Consider enabling kernel crash dumps to capture diagnostic information if a NULL dereference occurs before patching

Evidence notes

The vulnerability description is sourced from the official CVE record and NVD entry. Kernel commit references confirm the fix implementation across stable branches. The description details the three-stage descriptor lifecycle (empty/full/dirty) and the specific failure mode when stmmac_rx_refill() fails under memory pressure.
