CVE-2026-31501CRITICAL 9.8EPSS p29.6%

CVE-2026-31501CVE-2026-31501

Description

In the Linux kernel, the following vulnerability has been resolved: net: ti: icssg-prueth: fix use-after-free of CPPI descriptor in RX path cppi5_hdesc_get_psdata() returns a pointer into the CPPI descriptor. In both emac_rx_packet() and emac_rx_packet_zc(), the descriptor is freed via k3_cppi_desc_pool_free() before the psdata pointer is used by emac_rx_timestamp(), which dereferences psdata[0] and psdata[1]. This constitutes a use-after-free on every received packet that goes through the timestamp path. Defer the descriptor free until after all accesses through the psdata pointer are complete. For emac_rx_packet(), move the free into the requeue label so both early-exit and success paths free the descriptor after all accesses are done. For emac_rx_packet_zc(), move the free to the end of the loop body after emac_dispatch_skb_zc() (which calls emac_rx_timestamp()) has returned.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS0.38% probability of exploitation · percentile 29.6% · 2026-06-18T12:00:27Z
Published2026-04-22
Last modified2026-04-28

Underlying weaknesses· 1

CWE-416

References

  1. https://git.kernel.org/stable/c/d5827316debcb677679bb014885d7be92c410e11
  2. https://git.kernel.org/stable/c/eb8c426c9803beb171f89d15fea17505eb517714

1

TypeTargetConfidenceTier
WeaknessUse After Freecwe-4160%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-43039
CVE
CVE-2026-46301
CVE
CVE-2026-43074
CVE
CVE-2026-46326
CVE
CVE-2026-31631
CVE
CVE-2026-46009
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.