CVE-2026-43371

/* * Conceptual PoC for CVE-2026-43371 * Simulates the logic error where tx_head and tx_tail are reset * without shuffling the ring, leading to a stuck queue. */ #include <stdio.h> #define TX_RING_SIZE 16 struct macb_queue { int tx_head; int tx_tail; int tx_buffer[TX_RING_SIZE]; // Simulating buffer descriptors }; void simulate_vulnerability(struct macb_queue *queue) { // Simulate state before suspend: head=10, tail=5 queue->tx_head = 10; queue->tx_tail = 5; printf("Before suspend: tx_head=%d, tx_tail=%d\n", queue->tx_head, queue->tx_tail); // System suspends... (Hardware resets pointer to base) // Resume: Vulnerable driver logic simply resets head/tail to 0 // without moving the pending packets to the front of the ring. queue->tx_head = 0; queue->tx_tail = 0; printf("After vulnerable resume: tx_head=%d, tx_tail=%d\n", queue->tx_head, queue->tx_tail); // The driver thinks the queue is empty (head == tail), // but the hardware might be stuck waiting for the descriptor at index 5. printf("Result: Driver assumes queue is empty, transmission stuck.\n"); } int main() { struct macb_queue q; simulate_vulnerability(&q); return 0; }

{"cve": {"id": "CVE-2026-43371", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-08T15:16:48.187", "lastModified": "2026-05-15T15:17:45.180", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: macb: Shuffle the tx ring before enabling tx\n\nQuanyang observed that when using an NFS rootfs on an AMD ZynqMp board,\nthe rootfs may take an extended time to recover after a suspend.\nUpon investigation, it was determined that the issue originates from a\nproblem in the macb driver.\n\nAccording to the Zynq UltraScale TRM [1], when transmit is disabled,\nthe transmit buffer queue pointer resets to point to the address\nspecified by the transmit buffer queue base address register.\n\nIn the current implementation, the code merely resets `queue->tx_head`\nand `queue->tx_tail` to '0'. This approach presents several issues:\n\n- Packets already queued in the tx ring are silently lost,\n leading to memory leaks since the associated skbs cannot be released.\n\n- Concurrent write access to `queue->tx_head` and `queue->tx_tail` may\n occur from `macb_tx_poll()` or `macb_start_xmit()` when these values\n are reset to '0'.\n\n- The transmission may become stuck on a packet that has already been sent\n out, with its 'TX_USED' bit set, but has not yet been processed. However,\n due to the manipulation of 'queue->tx_head' and 'queue->tx_tail',\n `macb_tx_poll()` incorrectly assumes there are no packets to handle\n because `queue->tx_head == queue->tx_tail`. This issue is only resolved\n when a new packet is placed at this position. This is the root cause of\n the prolonged recovery time observed for the NFS root filesystem.\n\nTo resolve this issue, shuffle the tx ring and tx skb array so that\nthe first unsent packet is positioned at the start of the tx ring.\nAdditionally, ensure that updates to `queue->tx_head` and\n`queue->tx_tail` are properly protected with the appropriate lock.\n\n[1] https://docs.amd.com/v/u/en-US/ug1085-zynq-ultrascale-trm"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-401"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.165", "versionEndExcluding": "6.1.167", "matchCriteriaId": "D54E2FD5-7EF9-426A-9AE1-8E8DA970BCC8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.128", "versionEndExcluding": "6.6.130", "matchCriteriaId": "2099D3D0-97C6-44C5-913D-E616B07A9237"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.75", "versionEndExcluding": "6.12.78", "matchCriteriaId": "DAB9F88E-FB55-4FDB-966E-E7FC262B2038"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18.16", "versionEndExcluding": "6.18.20", "matchCriteriaId": "234D2F07-A17A-49BE-8B89-9C6756315A38"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19.6", "versionEndExcluding": "6.19.9", "matchCriteriaId": "2CFC1CE8-19E1-4AFC-BF52-43BDD2561EE6"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0a47c3889fcd843c72aa57fa8c4d06f5801fced4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/403182e0771b250cfde0fe7e1081d095ceaf8230", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/58f5d34f88e8f00910b692537f7b2efdb8c3705d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/881a0263d502e1a93ebc13a78254e9ad19520232", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/88f974fe118cb4653f029929ecbca7cfe06132ae", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/c6783bfa31a59f34fe4feb1bdbf67791ef3fb0b7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}