CVE-2026-31501

/* * PoC Concept for CVE-2026-31501 * This demonstrates the vulnerable logic flow in the driver. */ #include <stdio.h> #include <stdlib.h> #include <string.h> // Mock structures for demonstration struct cppi_desc { int data[2]; }; struct cppi_desc* global_desc; void k3_cppi_desc_pool_free(struct cppi_desc *desc) { printf("[+] Descriptor freed. Memory returned to pool.\n"); free(desc); global_desc = NULL; } void* cppi5_hdesc_get_psdata(struct cppi_desc *desc) { return desc->data; } void emac_rx_timestamp(void *psdata) { // Vulnerability: Accessing freed memory int *data = (int *)psdata; printf("[!] Attempting to access timestamp data: %d, %d\n", data[0], data[1]); // In a real exploit, this could crash the kernel or leak data } void vulnerable_emac_rx_packet() { // 1. Allocate descriptor global_desc = (struct cppi_desc*)malloc(sizeof(struct cppi_desc)); global_desc->data[0] = 0xAAAA; global_desc->data[1] = 0xBBBB; // 2. Get pointer to data void *psdata = cppi5_hdesc_get_psdata(global_desc); // 3. FREE the descriptor (Vulnerable step) k3_cppi_desc_pool_free(global_desc); // 4. Use the pointer after free emac_rx_timestamp(psdata); } int main() { printf("Simulating CVE-2026-31501 Use-After-Free...\n"); vulnerable_emac_rx_packet(); return 0; }

{"cve": {"id": "CVE-2026-31501", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-22T14:16:48.597", "lastModified": "2026-04-28T13:50:58.170", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ti: icssg-prueth: fix use-after-free of CPPI descriptor in RX path\n\ncppi5_hdesc_get_psdata() returns a pointer into the CPPI descriptor.\nIn both emac_rx_packet() and emac_rx_packet_zc(), the descriptor is\nfreed via k3_cppi_desc_pool_free() before the psdata pointer is used\nby emac_rx_timestamp(), which dereferences psdata[0] and psdata[1].\nThis constitutes a use-after-free on every received packet that goes\nthrough the timestamp path.\n\nDefer the descriptor free until after all accesses through the psdata\npointer are complete. For emac_rx_packet(), move the free into the\nrequeue label so both early-exit and success paths free the descriptor\nafter all accesses are done. For emac_rx_packet_zc(), move the free to\nthe end of the loop body after emac_dispatch_skb_zc() (which calls\nemac_rx_timestamp()) has returned."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15.1", "versionEndExcluding": "6.19.11", "matchCriteriaId": "042B87CE-9A59-4732-B045-5A732EC6BE59"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.15:-:*:*:*:*:*:*", "matchCriteriaId": "A1ECC65A-EE37-4479-8E99-4BB68A22A31F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/d5827316debcb677679bb014885d7be92c410e11", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/eb8c426c9803beb171f89d15fea17505eb517714", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}