CVE-2026-31501 Overview
CVE-2026-31501 is a use-after-free vulnerability [CWE-416] in the Linux kernel's Texas Instruments ICSSG-PRUETH Ethernet driver. The flaw resides in the receive (RX) path of the net/ti/icssg-prueth driver, where the Communications Port Programming Interface 5 (CPPI5) descriptor is freed before the protocol-specific data (psdata) pointer derived from it is dereferenced during packet timestamping. Every received packet routed through the timestamp path triggers the unsafe access. The vulnerability affects Linux kernel version 6.15 and 7.0 release candidates rc1 through rc7.
Critical Impact
A network-adjacent attacker can trigger memory corruption on every received packet processed through the timestamp path, potentially leading to kernel memory disclosure, denial of service, or arbitrary code execution in kernel context.
Affected Products
- Linux Kernel 6.15
- Linux Kernel 7.0-rc1 through 7.0-rc7
- Systems using the Texas Instruments icssg-prueth Ethernet driver (PRU-ICSSG)
Discovery Timeline
- 2026-04-22 - CVE-2026-31501 published to the National Vulnerability Database (NVD)
- 2026-04-28 - Last updated in NVD database
Technical Details for CVE-2026-31501
Vulnerability Analysis
The vulnerability exists in the ICSSG-PRUETH driver, which supports Ethernet via the Programmable Real-Time Unit and Industrial Communication Subsystem Gigabit (PRU-ICSSG) on Texas Instruments SoCs. The cppi5_hdesc_get_psdata() function returns a pointer that references memory inside a CPPI descriptor. In both emac_rx_packet() and emac_rx_packet_zc(), the driver releases that descriptor by calling k3_cppi_desc_pool_free() before the psdata pointer is consumed by emac_rx_timestamp().
The timestamp function then dereferences psdata[0] and psdata[1] against freed memory. This produces a use-after-free condition on every received packet that traverses the hardware timestamp path. Depending on allocator state and concurrent memory reuse, the read may return stale data, attacker-influenced data from a reallocated buffer, or trigger a kernel oops.
Root Cause
The root cause is incorrect object lifetime management. The driver frees the backing CPPI descriptor while a pointer derived from that descriptor remains in active use. Memory ordering between descriptor pool release and timestamp processing was not enforced, leaving a window where freed memory is dereferenced.
Attack Vector
The attack vector is network-based and triggered by inbound traffic on an affected interface. An attacker on an adjacent network segment can send crafted Ethernet frames that the driver processes through the timestamping path. Because the bug fires on each received packet routed through emac_rx_timestamp(), exploitation does not require authentication or user interaction. Successful kernel memory corruption could lead to privilege escalation or full system compromise on devices using PRU-ICSSG networking, which is common in industrial and embedded Linux deployments.
No public proof-of-concept exploit is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2026-31501
Indicators of Compromise
- Kernel oops or panic messages referencing emac_rx_timestamp, emac_rx_packet, or emac_rx_packet_zc in dmesg or /var/log/kern.log
- KASAN (Kernel Address Sanitizer) reports flagging use-after-free in the icssg-prueth module
- Unexpected reboots or network interface resets on PRU-ICSSG-equipped hardware under sustained RX traffic with PTP/timestamping enabled
Detection Strategies
- Inventory running kernel versions using uname -r and identify hosts running Linux 6.15 or 7.0 release candidates
- Verify whether the icssg_prueth module is loaded via lsmod | grep icssg on Texas Instruments AM6x and similar SoCs
- Enable KASAN on test builds to catch use-after-free dereferences in the RX path during integration testing
Monitoring Recommendations
- Forward kernel logs to a centralized logging or SIEM platform and alert on driver-specific crash signatures
- Monitor interface error counters and link flaps on PRU-ICSSG ports, which may indicate triggered crashes
- Track package versions across Linux fleets to confirm patched kernels are deployed on affected hardware
How to Mitigate CVE-2026-31501
Immediate Actions Required
- Identify all systems running Linux kernel 6.15 or 7.0-rc1 through 7.0-rc7 with the icssg-prueth driver loaded
- Apply the upstream fixes from commits d5827316debc and eb8c426c9803, or upgrade to a stable kernel release containing these patches
- Restrict physical and network access to industrial Ethernet ports served by PRU-ICSSG until patches are deployed
Patch Information
The fix defers the descriptor free until after all accesses through the psdata pointer are complete. In emac_rx_packet(), the free is moved into the requeue label so that both early-exit and success paths release the descriptor only after dereferences finish. In emac_rx_packet_zc(), the free is moved to the end of the loop body, after emac_dispatch_skb_zc() returns from invoking emac_rx_timestamp(). The patches are available at the Kernel Git Commit d5827316debc and Kernel Git Commit eb8c426c9803.
Workarounds
- Disable hardware timestamping on affected interfaces using hwstamp_ctl -i <iface> -r 0 -t 0 to avoid the vulnerable code path
- Unload the icssg_prueth module on systems that do not require PRU-ICSSG networking with modprobe -r icssg_prueth
- Apply network segmentation to limit untrusted traffic from reaching affected PRU-ICSSG interfaces
# Verify kernel version and module status
uname -r
lsmod | grep icssg_prueth
# Disable hardware timestamping as a temporary workaround
sudo hwstamp_ctl -i eth0 -r 0 -t 0
# After applying the patched kernel, reboot and confirm
sudo reboot
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
