HOMEVULNERABILITIESCVE-2026-31396
NONE

CVE-2026-31396

Published: April 3, 2026· Updated: Apr 7, 2026

EPSS:0.02%probability of exploitation in 30 daysPercentile:6.6th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

net: macb: fix use-after-free access to PTP clock

PTP clock is registered on every opening of the interface and destroyed on

every closing. However it may be accessed via get_ts_info ethtool call

which is possible while the interface is just present in the kernel.

BUG: KASAN: use-after-free in ptp_clock_index+0x47/0x50 drivers/ptp/ptp_clock.c:426

Read of size 4 at addr ffff8880194345cc by task syz.0.6/948

CPU: 1 PID: 948 Comm: syz.0.6 Not tainted 6.1.164+ #109

Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.1-0-g3208b098f51a-prebuilt.qemu.org 04/01/2014

Call Trace:

<TASK>

__dump_stack lib/dump_stack.c:88 [inline]

dump_stack_lvl+0x8d/0xba lib/dump_stack.c:106

print_address_description mm/kasan/report.c:316 [inline]

print_report+0x17f/0x496 mm/kasan/report.c:420

kasan_report+0xd9/0x180 mm/kasan/report.c:524

ptp_clock_index+0x47/0x50 drivers/ptp/ptp_clock.c:426

gem_get_ts_info+0x138/0x1e0 drivers/net/ethernet/cadence/macb_main.c:3349

macb_get_ts_info+0x68/0xb0 drivers/net/ethernet/cadence/macb_main.c:3371

__ethtool_get_ts_info+0x17c/0x260 net/ethtool/common.c:558

ethtool_get_ts_info net/ethtool/ioctl.c:2367 [inline]

__dev_ethtool net/ethtool/ioctl.c:3017 [inline]

dev_ethtool+0x2b05/0x6290 net/ethtool/ioctl.c:3095

dev_ioctl+0x637/0x1070 net/core/dev_ioctl.c:510

sock_do_ioctl+0x20d/0x2c0 net/socket.c:1215

sock_ioctl+0x577/0x6d0 net/socket.c:1320

vfs_ioctl fs/ioctl.c:51 [inline]

__do_sys_ioctl fs/ioctl.c:870 [inline]

__se_sys_ioctl fs/ioctl.c:856 [inline]

__x64_sys_ioctl+0x18c/0x210 fs/ioctl.c:856

do_syscall_x64 arch/x86/entry/common.c:46 [inline]

do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76

entry_SYSCALL_64_after_hwframe+0x6e/0xd8

</TASK>

Allocated by task 457:

kmalloc include/linux/slab.h:563 [inline]

kzalloc include/linux/slab.h:699 [inline]

ptp_clock_register+0x144/0x10e0 drivers/ptp/ptp_clock.c:235

gem_ptp_init+0x46f/0x930 drivers/net/ethernet/cadence/macb_ptp.c:375

macb_open+0x901/0xd10 drivers/net/ethernet/cadence/macb_main.c:2920

__dev_open+0x2ce/0x500 net/core/dev.c:1501

__dev_change_flags+0x56a/0x740 net/core/dev.c:8651

dev_change_flags+0x92/0x170 net/core/dev.c:8722

do_setlink+0xaf8/0x3a80 net/core/rtnetlink.c:2833

__rtnl_newlink+0xbf4/0x1940 net/core/rtnetlink.c:3608

rtnl_newlink+0x63/0xa0 net/core/rtnetlink.c:3655

rtnetlink_rcv_msg+0x3c6/0xed0 net/core/rtnetlink.c:6150

netlink_rcv_skb+0x15d/0x430 net/netlink/af_netlink.c:2511

netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]

netlink_unicast+0x6d7/0xa30 net/netlink/af_netlink.c:1344

netlink_sendmsg+0x97e/0xeb0 net/netlink/af_netlink.c:1872

sock_sendmsg_nosec net/socket.c:718 [inline]

__sock_sendmsg+0x14b/0x180 net/socket.c:730

__sys_sendto+0x320/0x3b0 net/socket.c:2152

__do_sys_sendto net/socket.c:2164 [inline]

__se_sys_sendto net/socket.c:2160 [inline]

__x64_sys_sendto+0xdc/0x1b0 net/socket.c:2160

do_syscall_x64 arch/x86/entry/common.c:46 [inline]

do_syscall_64+0x35/0x80 arch/x86/entry/common.c:76

entry_SYSCALL_64_after_hwframe+0x6e/0xd8

Freed by task 938:

kasan_slab_free include/linux/kasan.h:177 [inline]

slab_free_hook mm/slub.c:1729 [inline]

slab_free_freelist_hook mm/slub.c:1755 [inline]

slab_free mm/slub.c:3687 [inline]

__kmem_cache_free+0xbc/0x320 mm/slub.c:3700

device_release+0xa0/0x240 drivers/base/core.c:2507

kobject_cleanup lib/kobject.c:681 [inline]

kobject_release lib/kobject.c:712 [inline]

kref_put include/linux/kref.h:65 [inline]

kobject_put+0x1cd/0x350 lib/kobject.c:729

put_device+0x1b/0x30 drivers/base/core.c:3805

ptp_clock_unregister+0x171/0x270 drivers/ptp/ptp_clock.c:391

gem_ptp_remove+0x4e/0x1f0 drivers/net/ethernet/cadence/macb_ptp.c:404

macb_close+0x1c8/0x270 drivers/net/ethernet/cadence/macb_main.c:2966

__dev_close_many+0x1b9/0x310 net/core/dev.c:1585

__dev_close net/core/dev.c:1597 [inline]

__dev_change_flags+0x2bb/0x740 net/core/dev.c:8649

dev_change_fl

---truncated---

NVD Source

Technical Analysis

CVE-2026-31396 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (6)

Quick Facts

CVE IDCVE-2026-31396
SeverityNONE
CISA KEVNo
EPSS (30d)0.02%
PublishedApr 3, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-31396 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.