HOMEVULNERABILITIESCVE-2026-46110
HIGH

CVE-2026-46110

Published: May 28, 2026· Updated: May 30, 2026

7.5
CVSS v3.1
EPSS:0.02%probability of exploitation in 30 daysPercentile:5.2th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

net: stmmac: Prevent NULL deref when RX memory exhausted

The CPU receives frames from the MAC through conventional DMA: the CPU

allocates buffers for the MAC, then the MAC fills them and returns

ownership to the CPU. For each hardware RX queue, the CPU and MAC

coordinate through a shared ring array of DMA descriptors: one

descriptor per DMA buffer. Each descriptor includes the buffer's

physical address and a status flag ("OWN") indicating which side owns

the buffer: OWN=0 for CPU, OWN=1 for MAC. The CPU is only allowed to set

the flag and the MAC is only allowed to clear it, and both must move

through the ring in sequence: thus the ring is used for both

"submissions" and "completions."

In the stmmac driver, stmmac_rx() bookmarks its position in the ring

with the `cur_rx` index. The main receive loop in that function checks

for rx_descs[cur_rx].own=0, gives the corresponding buffer to the

network stack (NULLing the pointer), and increments `cur_rx` modulo the

ring size. After the loop exits, stmmac_rx_refill(), which bookmarks its

position with `dirty_rx`, allocates fresh buffers and rearms the

descriptors (setting OWN=1). If it fails any allocation, it simply stops

early (leaving OWN=0) and will retry where it left off when next called.

This means descriptors have a three-stage lifecycle (terms my own):

- `empty` (OWN=1, buffer valid)

- `full` (OWN=0, buffer valid and populated)

- `dirty` (OWN=0, buffer NULL)

But because stmmac_rx() only checks OWN, it confuses `full`/`dirty`. In

the past (see 'Fixes:'), there was a bug where the loop could cycle

`cur_rx` all the way back to the first descriptor it dirtied, resulting

in a NULL dereference when mistaken for `full`. The aforementioned

commit resolved that *specific* failure by capping the loop's iteration

limit at `dma_rx_size - 1`, but this is only a partial fix: if the

previous stmmac_rx_refill() didn't complete, then there are leftover

`dirty` descriptors that the loop might encounter without needing to

cycle fully around. The current code therefore panics (see 'Closes:')

when stmmac_rx_refill() is memory-starved long enough for `cur_rx` to

catch up to `dirty_rx`.

Fix this by explicitly checking, before advancing `cur_rx`, if the next

entry is dirty; exit the loop if so. This prevents processing of the

final, used descriptor until stmmac_rx_refill() succeeds, but

fully prevents the `cur_rx == dirty_rx` ambiguity as the previous bugfix

intended: so remove the clamp as well. Since stmmac_rx_zc() is a

copy-paste-and-tweak of stmmac_rx() and the code structure is identical,

any fix to stmmac_rx() will also need a corresponding fix for

stmmac_rx_zc(). Therefore, apply the same check there.

In stmmac_rx() (not stmmac_rx_zc()), a related bug remains: after the

MAC sets OWN=0 on the final descriptor, it will be unable to send any

further DMA-complete IRQs until it's given more `empty` descriptors.

Currently, the driver simply *hopes* that the next stmmac_rx_refill()

succeeds, risking an indefinite stall of the receive process if not. But

this is not a regression, so it can be addressed in a future change.

NVD Source

Technical Analysis

CVE-2026-46110 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.

The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.

A successful exploit results in availability disruption (denial of service), with a CVSS base score of 7.5.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorNetwork
Attack ComplexityLow
Privileges Req.None
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityNone
IntegrityNone
AvailabilityHigh
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

All References (5)

Quick Facts

CVE IDCVE-2026-46110
CVSS Score7.5 / 10
SeverityHIGH
CISA KEVNo
EPSS (30d)0.02%
PublishedMay 28, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-46110 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.