HOMEVULNERABILITIESCVE-2026-46031
HIGH

CVE-2026-46031

Published: May 27, 2026· Updated: Jun 1, 2026

7.5
CVSS v3.1
EPSS:0.02%probability of exploitation in 30 daysPercentile:5.2th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

net: ks8851: Reinstate disabling of BHs around IRQ handler

If the driver executes ks8851_irq() AND a TX packet has been sent, then

the driver enables TX queue via netif_wake_queue() which schedules TX

softirq to queue packets for this device.

If CONFIG_PREEMPT_RT=y is set AND a packet has also been received by

the MAC, then ks8851_rx_pkts() calls netdev_alloc_skb_ip_align() to

allocate SKBs for the received packets. If netdev_alloc_skb_ip_align()

is called with BH enabled, then local_bh_enable() at the end of

netdev_alloc_skb_ip_align() will trigger the pending softirq processing,

which may ultimately call the .xmit callback ks8851_start_xmit_par().

The ks8851_start_xmit_par() will try to lock struct ks8851_net_par

.lock spinlock, which is already locked by ks8851_irq() from which

ks8851_start_xmit_par() was called. This leads to a deadlock, which

is reported by the kernel, including a trace listed below.

If CONFIG_PREEMPT_RT is not set, then since commit 0913ec336a6c0

("net: ks8851: Fix deadlock with the SPI chip variant") the deadlock

can also be triggered without received packet in the RX FIFO. The

pending softirqs will be processed on return from

spin_unlock_bh(&ks->statelock) in ks8851_irq(), which triggers the

deadlock as well.

Fix the problem by disabling BH around critical sections, including the

IRQ handler, thus preventing the net_tx_action() softirq from triggering

during these critical sections. The net_tx_action() softirq is triggered

once BH are re-enabled and at the end of the IRQ handler, once all the

other IRQ handler actions have been completed.

__schedule from schedule_rtlock+0x1c/0x34

schedule_rtlock from rtlock_slowlock_locked+0x548/0x904

rtlock_slowlock_locked from rt_spin_lock+0x60/0x9c

rt_spin_lock from ks8851_start_xmit_par+0x74/0x1a8

ks8851_start_xmit_par from netdev_start_xmit+0x20/0x44

netdev_start_xmit from dev_hard_start_xmit+0xd0/0x188

dev_hard_start_xmit from sch_direct_xmit+0xb8/0x25c

sch_direct_xmit from __qdisc_run+0x1f8/0x4ec

__qdisc_run from qdisc_run+0x1c/0x28

qdisc_run from net_tx_action+0x1f0/0x268

net_tx_action from handle_softirqs+0x1a4/0x270

handle_softirqs from __local_bh_enable_ip+0xcc/0xe0

__local_bh_enable_ip from __alloc_skb+0xd8/0x128

__alloc_skb from __netdev_alloc_skb+0x3c/0x19c

__netdev_alloc_skb from ks8851_irq+0x388/0x4d4

ks8851_irq from irq_thread_fn+0x24/0x64

irq_thread_fn from irq_thread+0x178/0x28c

irq_thread from kthread+0x12c/0x138

kthread from ret_from_fork+0x14/0x28

NVD Source

Technical Analysis

CVE-2026-46031 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.

The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.

A successful exploit results in availability disruption (denial of service), with a CVSS base score of 7.5.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorNetwork
Attack ComplexityLow
Privileges Req.None
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityNone
IntegrityNone
AvailabilityHigh
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (6)

Quick Facts

CVE IDCVE-2026-46031
CVSS Score7.5 / 10
SeverityHIGH
CISA KEVNo
EPSS (30d)0.02%
PublishedMay 27, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-46031 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.