CVE-2026-31396 Overview
A use-after-free vulnerability has been discovered in the Linux kernel's macb network driver, specifically affecting the Precision Time Protocol (PTP) clock functionality. The vulnerability exists because the PTP clock is registered on every opening of the network interface and destroyed on every closing, but it can still be accessed via the get_ts_info ethtool call while the interface is present in the kernel. This creates a dangerous race condition where freed memory can be accessed, potentially leading to system instability or exploitation.
Critical Impact
This use-after-free vulnerability in the Linux kernel's macb driver allows access to freed PTP clock memory through ethtool calls, potentially enabling local privilege escalation or denial of service on systems using Cadence/Macb Ethernet controllers.
Affected Products
- Linux kernel with Cadence macb Ethernet driver enabled
- Systems utilizing Cadence GEM (Gigabit Ethernet MAC) controllers
- Embedded systems with PTP clock support on macb network interfaces
Discovery Timeline
- 2026-04-03 - CVE-2026-31396 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-31396
Vulnerability Analysis
The vulnerability resides in the macb_main.c driver within the Linux kernel's networking subsystem. When a network interface using the macb driver is opened, the macb_open() function calls gem_ptp_init() which registers a PTP clock through ptp_clock_register(). Conversely, when the interface is closed via macb_close(), the gem_ptp_remove() function unregisters and frees the PTP clock structure.
The critical issue arises because the ethtool interface allows querying timestamp information via ETHTOOL_GET_TS_INFO even when the network interface is down. The gem_get_ts_info() and macb_get_ts_info() functions attempt to access the PTP clock structure to retrieve its index via ptp_clock_index(), but if the interface has been closed, this structure has already been freed, resulting in a use-after-free condition.
KASAN (Kernel Address Sanitizer) detected this vulnerability when a read of 4 bytes occurred at an already-freed memory address during the ptp_clock_index() call. The KASAN report shows the memory was allocated during macb_open() via gem_ptp_init() -> ptp_clock_register() -> kzalloc() and subsequently freed during macb_close() via gem_ptp_remove() -> ptp_clock_unregister().
Root Cause
The root cause is improper lifecycle management of the PTP clock resource in relation to the interface state. The driver fails to properly synchronize access to the PTP clock structure between the interface open/close operations and the ethtool query path. There is no mechanism to prevent ethtool from accessing the PTP clock after it has been destroyed, nor is there a reference counting scheme to keep the clock alive while queries are pending.
The problematic code path involves:
- __ethtool_get_ts_info() calling macb_get_ts_info()
- macb_get_ts_info() calling gem_get_ts_info()
- gem_get_ts_info() accessing the PTP clock pointer without validation
- ptp_clock_index() dereferencing the freed structure
Attack Vector
Exploitation requires local access to the system with sufficient privileges to execute ethtool commands or make ioctl() calls on network sockets. An attacker could exploit this vulnerability through the following sequence:
- Ensure a macb network interface with PTP support is present
- Open the interface to trigger PTP clock registration
- Close the interface to trigger PTP clock destruction
- Immediately query timestamp information via ethtool while the freed memory is still accessible
- The use-after-free access could potentially be leveraged to leak kernel memory contents or achieve code execution if the freed memory region is reclaimed with attacker-controlled data
The attack can be triggered via the dev_ioctl() -> sock_ioctl() -> dev_ethtool() syscall path, making it accessible from unprivileged user processes with appropriate network interface permissions.
Detection Methods for CVE-2026-31396
Indicators of Compromise
- KASAN reports showing "use-after-free" in ptp_clock_index() function
- Kernel oops or panic messages originating from drivers/ptp/ptp_clock.c:426 or drivers/net/ethernet/cadence/macb_main.c
- Unexpected system crashes during network interface operations
- Suspicious ethtool timestamp queries on closed network interfaces
Detection Strategies
- Enable KASAN (Kernel Address Sanitizer) in kernel builds to detect memory corruption issues at runtime
- Monitor kernel logs (dmesg) for "use-after-free" errors related to PTP or macb driver components
- Implement audit rules to log ethtool operations on systems with Cadence Ethernet controllers
- Deploy runtime kernel integrity monitoring solutions capable of detecting memory corruption
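The log check described above, as an added example (not code from this advisory or from the kernel project): it splits kernel log lines into KASAN use-after-free reports and keeps those where ptp_clock_index() faulted beneath the macb get_ts_info functions named on this page. The sample log is constructed, and the names `parse_reports` and `triage` are this example's own.

```python
import re

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg timestamp prefix
HEADER = re.compile(r"BUG: KASAN: ([\w-]*use-after-free) in (\w+)")
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr")
FRAME = re.compile(r"^\s*\??\s*(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")
# Function names the advisory lists on the ethtool query path and the close path.
QUERY_PATH = {"gem_get_ts_info", "macb_get_ts_info", "__ethtool_get_ts_info"}
CLOSE_PATH = {"gem_ptp_remove", "macb_close"}

def parse_reports(lines):
    """Split kernel log lines into KASAN use-after-free reports."""
    reports, cur = [], None
    for raw in lines:
        line = TS.sub("", raw.rstrip("\n"))
        if m := HEADER.search(line):
            cur = {"kind": m[1], "func": m[2], "access": None, "frames": set()}
            reports.append(cur)
        elif cur is None:
            continue
        elif line.startswith("====="):
            cur = None  # closing delimiter ends the current report
        elif (m := ACCESS.search(line)) and cur["access"] is None:
            cur["access"] = (m[1], int(m[2]))
        elif m := FRAME.match(line):
            cur["frames"].add(m[1])
    return reports

def triage(lines):
    """Reports where ptp_clock_index() faulted under the macb get_ts_info path."""
    return [{"kind": r["kind"], "access": r["access"],
             "freed_on_close": bool(r["frames"] & CLOSE_PATH)}
            for r in parse_reports(lines)
            if r["func"] == "ptp_clock_index" and r["frames"] & QUERY_PATH]

# Constructed sample log (addresses, offsets, task names and times are made up).
SAMPLE = """\
[  101.100000] ==================================================================
[  101.100001] BUG: KASAN: slab-use-after-free in ptp_clock_index+0x47/0x50
[  101.100002] Read of size 4 at addr ffff888000000000 by task ethtool/1234
[  101.100003]  ptp_clock_index+0x47/0x50
[  101.100004]  gem_get_ts_info+0x138/0x1e0
[  101.100005]  macb_get_ts_info+0x68/0xb0
[  101.100006] Freed by task 1200:
[  101.100007]  gem_ptp_remove+0x30/0x70
[  101.100008]  macb_close+0x120/0x200
[  101.100009] ==================================================================
[  202.200000] BUG: KASAN: slab-use-after-free in other_driver_fn+0x10/0x20
""".splitlines()
```

`triage()` accepts any iterable of log lines, such as captured `dmesg` output or a file gathered by centralized logging, and returns one entry per matching report.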
Monitoring Recommendations
- Configure centralized logging for kernel messages from systems running affected kernel versions
- Monitor for patterns of rapid interface up/down cycles followed by ethtool queries
- Implement alerting on kernel crashes or KASAN warnings on systems with macb driver loaded
- Audit systems for the presence of CONFIG_MACB and CONFIG_PTP_1588_CLOCK kernel options
How to Mitigate CVE-2026-31396
Immediate Actions Required
- Update the Linux kernel to a patched version containing the use-after-free fix
- If immediate patching is not possible, consider disabling PTP support for macb interfaces
- Restrict unprivileged user access to ethtool commands and network interface management
- Monitor affected systems for signs of exploitation attempts
Patch Information
The vulnerability has been addressed through commits to the stable Linux kernel branches. The fix ensures proper synchronization between interface state management and ethtool queries, preventing access to the PTP clock structure after it has been freed.
Patches are available from the following kernel git commits:
- Kernel Git Commit 0bb848d8
- Kernel Git Commit 1f471406
- Kernel Git Commit 341d0108
- Kernel Git Commit 5653af41
- Kernel Git Commit 8da13e6d
- Kernel Git Commit eb652535
Workarounds
- Disable the macb PTP functionality by recompiling the kernel without CONFIG_PTP_1588_CLOCK_MACB if PTP is not required
- Use kernel module parameters or udev rules to prevent loading the macb driver on systems where it is not needed
- Implement network namespace isolation to limit access to vulnerable interfaces
- Apply access control policies to restrict which users can execute ethtool commands
```bash
# Check if macb driver is loaded
lsmod | grep macb

# Check kernel configuration for PTP support
zcat /proc/config.gz | grep -E "CONFIG_MACB|CONFIG_PTP"

# Restrict ethtool access (example using capabilities)
setcap -r /usr/sbin/ethtool
```


