HIGH

CVE-2026-31494

Published: April 22, 2026 · Updated: Apr 28, 2026

CVSS v3.1: 7.8
EPSS: 0.03% probability of exploitation in 30 days (percentile: 9.5th)

Official Description

In the Linux kernel, the following vulnerability has been resolved:

net: macb: use the current queue number for stats

There's a potential mismatch between the memory reserved for statistics and the amount of memory written.

gem_get_sset_count() correctly computes the number of stats based on the active queues, whereas gem_get_ethtool_stats() indiscriminately copies data using the maximum number of queues, and in the case the number of active queues is less than MACB_MAX_QUEUES, this results in an OOB write as observed in the KASAN splat.

==================================================================
BUG: KASAN: vmalloc-out-of-bounds in gem_get_ethtool_stats+0x54/0x78 [macb]
Write of size 760 at addr ffff80008080b000 by task ethtool/1027

CPU: [...]
Tainted: [E]=UNSIGNED_MODULE
Hardware name: raspberrypi rpi/rpi, BIOS 2025.10 10/01/2025
Call trace:
 show_stack+0x20/0x38 (C)
 dump_stack_lvl+0x80/0xf8
 print_report+0x384/0x5e0
 kasan_report+0xa0/0xf0
 kasan_check_range+0xe8/0x190
 __asan_memcpy+0x54/0x98
 gem_get_ethtool_stats+0x54/0x78 [macb 926c13f3af83b0c6fe64badb21ec87d5e93fcf65]
 dev_ethtool+0x1220/0x38c0
 dev_ioctl+0x4ac/0xca8
 sock_do_ioctl+0x170/0x1d8
 sock_ioctl+0x484/0x5d8
 __arm64_sys_ioctl+0x12c/0x1b8
 invoke_syscall+0xd4/0x258
 el0_svc_common.constprop.0+0xb4/0x240
 do_el0_svc+0x48/0x68
 el0_svc+0x40/0xf8
 el0t_64_sync_handler+0xa0/0xe8
 el0t_64_sync+0x1b0/0x1b8

The buggy address belongs to a 1-page vmalloc region starting at 0xffff80008080b000 allocated at dev_ethtool+0x11f0/0x38c0
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff00000a333000 pfn:0xa333
flags: 0x7fffc000000000(node=0|zone=0|lastcpupid=0x1ffff)
raw: 007fffc000000000 0000000000000000 dead000000000122 0000000000000000
raw: ffff00000a333000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff80008080b080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff80008080b100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff80008080b180: 00 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                                  ^
 ffff80008080b200: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffff80008080b280: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================

Fix it by making sure the copied size only considers the active number of queues.

NVD Source
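
The size mismatch described above, as an added user-space model (not the kernel driver's code and not part of the NVD description). All names are hypothetical, and the counter counts 47 and 6 are assumptions chosen so that the maximum-queue copy equals the 760-byte write in the KASAN splat; the model clamps the copy so it never overflows itself and only reports the overshoot.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed model constants (not read from the driver source). */
#define MAX_QUEUES      8   /* stands in for MACB_MAX_QUEUES */
#define GLOBAL_STATS    47  /* device-wide counters, assumed */
#define PER_QUEUE_STATS 6   /* counters per queue, assumed */
#define FULL_STATS      (GLOBAL_STATS + PER_QUEUE_STATS * MAX_QUEUES)

struct model_dev {
    unsigned num_queues;         /* queues actually in use */
    uint64_t stats[FULL_STATS];  /* driver-side counter storage */
};

/* Models gem_get_sset_count(): entries sized by the active queues. */
static size_t sset_count(const struct model_dev *d) {
    return GLOBAL_STATS + (size_t)PER_QUEUE_STATS * d->num_queues;
}

/* Copy length before the fix: ignores the device, uses the maximum. */
static size_t copy_len_before(void) {
    return sizeof(uint64_t) * FULL_STATS;
}
/* Copy length after the fix: follows the active queue count. */
static size_t copy_len_after(const struct model_dev *d) {
    return sizeof(uint64_t) * sset_count(d);
}

/* Caller side: allocate by sset_count(), copy only what fits, and return
 * how many bytes an unclamped copy would have written past the buffer. */
static size_t oob_bytes(const struct model_dev *d, size_t copy_len) {
    size_t buf_len = sizeof(uint64_t) * sset_count(d);
    uint64_t *buf = calloc(1, buf_len);
    if (!buf)
        return (size_t)-1;
    size_t safe = copy_len < buf_len ? copy_len : buf_len;
    memcpy(buf, d->stats, safe);
    free(buf);
    return copy_len - safe;
}

int main(void) {
    for (unsigned q = 1; q <= MAX_QUEUES; q++) {
        struct model_dev d = { .num_queues = q };
        printf("queues=%u oob_before=%zu oob_after=%zu\n", q,
               oob_bytes(&d, copy_len_before()),
               oob_bytes(&d, copy_len_after(&d)));
    }
    return 0;
}
```

In this model the overshoot is zero only when every queue is active, which is why the mismatch goes unnoticed on hardware configured with MACB_MAX_QUEUES queues.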

Technical Analysis

CVE-2026-31494 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in a complete confidentiality breach (data exposure), full integrity compromise (data manipulation), and availability disruption (denial of service); the CVSS base score is 7.8.

CVSS v3.1 Vector Breakdown

Exploitability
  Attack Vector: Local
  Attack Complexity: Low
  Privileges Required: Low
  User Interaction: None
  Scope: Unchanged
Impact
  Confidentiality: High
  Integrity: High
  Availability: High
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Vendors & Products

Linux: 1 product
linux kernel
Source: NVD CPE · 3 total CPE entries

Exploit & PoC Resources

NO KNOWN EXPLOIT: No public exploit confirmed at this time
Always verify in a controlled environment before use.

Official Patches & Advisories

All References (8)

Quick Facts

CVE ID: CVE-2026-31494
CVSS Score: 7.8 / 10
Severity: HIGH
CISA KEV: No
EPSS (30d): 0.03%
Affected: 1 vendor
Published: Apr 22, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-31494 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.