CVE-2026-31505 Overview
A critical out-of-bounds write vulnerability has been discovered in the Linux kernel's Intel Adaptive Virtual Function (iavf) driver. The vulnerability exists in the iavf_get_ethtool_stats() function, where inconsistent usage of queue count variables between different functions leads to memory corruption when ethtool operations are performed concurrently.
The iavf driver incorrectly uses real_num_tx_queues for ETH_SS_STATS; because this value can change at runtime, the driver should use num_tx_queues instead. The race arises because iavf_get_ethtool_stats() uses num_active_queues while iavf_get_sset_count() and iavf_get_stat_strings() use real_num_tx_queues, so out-of-bounds writes are triggered when ethtool -L and ethtool -S commands are executed simultaneously.
Critical Impact
This vulnerability allows kernel memory corruption through out-of-bounds writes, potentially leading to privilege escalation or denial of service on systems using Intel Adaptive Virtual Function network drivers.
Affected Products
- Linux kernel with iavf (Intel Adaptive Virtual Function) driver
- Systems using Intel Ethernet Controller X710/XXV710/XL710 family with virtual functions
- Virtual machines utilizing Intel SR-IOV virtual function drivers
Discovery Timeline
- 2026-04-22 - CVE-2026-31505 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-31505
Vulnerability Analysis
This vulnerability is an out-of-bounds write flaw caused by a race condition in the iavf network driver. The root of the problem lies in the inconsistent use of queue count variables across multiple ethtool-related functions. When a user changes network interface channels using ethtool -L while simultaneously querying statistics with ethtool -S, a timing window exists where the buffer allocation size does not match the number of queues being accessed.
The issue manifests in a multi-threaded scenario involving three execution paths:
- Thread 1 executing ethtool -L calls iavf_set_channels() which allocates queues and sets num_active_queues to the new value
- Thread 2 handles the work queue and calls iavf_finish_config() to update real_num_tx_queues
- Thread 3 executing ethtool -S allocates a buffer based on real_num_tx_queues (old value) but iterates using num_active_queues (new value)
If Thread 3 is scheduled between Thread 1's queue allocation and Thread 2's configuration update, the driver allocates a buffer for 1 queue but attempts to write statistics for 8 queues, resulting in a vmalloc out-of-bounds write.
Root Cause
The root cause is the use of mutable runtime variables (real_num_tx_queues and num_active_queues) that can change asynchronously between the buffer size calculation and the actual data writes. The iavf_get_sset_count() function uses real_num_tx_queues to determine buffer size, while iavf_get_ethtool_stats() uses num_active_queues to iterate and write statistics. When channel reconfiguration is in progress, these values can differ, causing the write operation to exceed the allocated buffer boundaries.
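The sizing mismatch can be replayed deterministically in user space. The following is an added example, not code from the iavf driver: the struct and function names are hypothetical, the value 16 for num_tx_queues and the two-counters-per-queue layout are constructed, and zero-filling of inactive queues in the fixed variant is an assumption.

```c
/* User-space model of the sizing mismatch; NOT the iavf driver source.
 * Field names follow the advisory; struct/function names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#define STATS_PER_QUEUE 2u /* assumed: two counters per queue */

struct model_adapter {
    unsigned num_tx_queues;      /* fixed when the netdev is allocated */
    unsigned real_num_tx_queues; /* updated later by the config worker */
    unsigned num_active_queues;  /* updated at once by set_channels */
};

/* Writes stats for `walk` queues into `slots` u64 cells. Writes are bounds
 * checked so the model never corrupts memory; returns cells that did not fit. */
static size_t fill_stats(const struct model_adapter *a, uint64_t *buf,
                         size_t slots, unsigned walk)
{
    size_t pos = 0, out_of_bounds = 0;
    for (unsigned q = 0; q < walk; q++)
        for (unsigned s = 0; s < STATS_PER_QUEUE; s++, pos++) {
            if (pos >= slots) { out_of_bounds++; continue; }
            /* assumption: queues that are not active report zero */
            buf[pos] = q < a->num_active_queues ? 1000u * (q + 1) + s : 0;
        }
    return out_of_bounds;
}

/* Replays the window: set_channels has run (active = 8), the config worker
 * has not (real = 1). fixed != 0 sizes and walks by num_tx_queues instead. */
static size_t replay_race_window(int fixed)
{
    struct model_adapter a = { .num_tx_queues = 16, /* constructed value */
                               .real_num_tx_queues = 1, .num_active_queues = 8 };
    unsigned sized_by = fixed ? a.num_tx_queues : a.real_num_tx_queues;
    unsigned walk_by  = fixed ? a.num_tx_queues : a.num_active_queues;
    size_t slots = (size_t)sized_by * STATS_PER_QUEUE;
    uint64_t *buf = calloc(slots, sizeof(*buf));
    if (!buf) return (size_t)-1;
    size_t oob = fill_stats(&a, buf, slots, walk_by);
    free(buf);
    return oob;
}

int main(void)
{
    printf("mismatched: %zu, fixed: %zu cells out of bounds\n",
           replay_race_window(0), replay_race_window(1));
    return 0;
}
```

With the mismatched counters, 14 of the 16 eight-byte cells fall outside the buffer sized for one queue; sizing and walking by num_tx_queues leaves none outside.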
Attack Vector
The vulnerability can be triggered by any local user with permissions to run ethtool commands on the affected network interface. An attacker could exploit this by:
- Initiating a channel count change on the iavf interface using ethtool -L
- Simultaneously requesting statistics using ethtool -S
- Timing the operations to hit the race window where buffer allocation and data writes use inconsistent queue counts
The KASAN (Kernel Address Sanitizer) output confirms the out-of-bounds write occurs in iavf_add_one_ethtool_stat() at offset 0x80 within a 1-page vmalloc region, indicating an 8-byte write past the allocated buffer boundary.
Detection Methods for CVE-2026-31505
Indicators of Compromise
- Kernel panic or system crashes during ethtool operations on iavf interfaces
- KASAN reports showing vmalloc-out-of-bounds errors in iavf_add_one_ethtool_stat or iavf_get_ethtool_stats functions
- Unexplained memory corruption when using Intel SR-IOV virtual functions
- System log entries containing call traces referencing iavf_get_ethtool_stats with memory access violations
Detection Strategies
- Enable KASAN (Kernel Address Sanitizer) in development or testing environments to detect out-of-bounds memory accesses
- Monitor kernel logs (dmesg) for any iavf driver-related crashes or memory errors
- Implement system monitoring to detect unusual patterns of ethtool commands executed in rapid succession
- Use kernel tracing tools like ftrace or perf to monitor iavf driver function calls during channel reconfiguration
Monitoring Recommendations
- Configure syslog alerting for kernel oops or panic events related to network driver operations
- Monitor for concurrent execution of ethtool -L and ethtool -S commands on the same interface
- Deploy SentinelOne Singularity platform to detect kernel-level anomalies and potential exploitation attempts
- Review audit logs for privilege escalation attempts following network driver errors
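A minimal log check for the KASAN indicator listed above, as an added example that is not part of the original advisory or of any vendor tooling. The sample log lines are constructed (offsets, addresses and PIDs are placeholders, and other_fn, other_caller and helper_fn are hypothetical names); the function names and the `window` parameter are assumptions of this sketch.

```c
/* Added example: scans kernel log lines for KASAN vmalloc-out-of-bounds
 * reports that name the iavf ethtool statistics functions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static const char *const IAVF_SYMS[] = {
    "iavf_add_one_ethtool_stat", "iavf_get_ethtool_stats",
};

static int names_iavf_stats(const char *line)
{
    for (size_t i = 0; i < sizeof(IAVF_SYMS) / sizeof(IAVF_SYMS[0]); i++)
        if (strstr(line, IAVF_SYMS[i])) return 1;
    return 0;
}

/* Counts reports whose header, or one of the next `window` lines before the
 * following KASAN report starts, names one of the symbols above. */
static int count_iavf_kasan_reports(const char *const *lines, size_t n,
                                    size_t window)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (!strstr(lines[i], "BUG: KASAN: vmalloc-out-of-bounds")) continue;
        for (size_t j = i; j < n && j - i <= window; j++) {
            if (j > i && strstr(lines[j], "BUG: KASAN:")) break;
            if (names_iavf_stats(lines[j])) { hits++; break; }
        }
    }
    return hits;
}

/* Constructed sample; offsets, addresses and PIDs are placeholders. The
 * last report names an iavf symbol only in its trace, not in its header. */
static const char *const SAMPLE_LOG[] = {
    "BUG: KASAN: vmalloc-out-of-bounds in iavf_add_one_ethtool_stat+0x0/0x0 [iavf]",
    "Write of size 8 at addr ADDR by task ethtool/PID",
    "BUG: KASAN: vmalloc-out-of-bounds in other_fn+0x0/0x0",
    " other_caller+0x0/0x0",
    "BUG: KASAN: vmalloc-out-of-bounds in helper_fn+0x0/0x0",
    " iavf_get_ethtool_stats+0x0/0x0 [iavf]",
};
#define SAMPLE_LEN (sizeof(SAMPLE_LOG) / sizeof(SAMPLE_LOG[0]))

int main(void)
{
    printf("%d iavf-related KASAN reports\n", count_iavf_kasan_reports(SAMPLE_LOG, SAMPLE_LEN, 8));
    return 0;
}
```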
How to Mitigate CVE-2026-31505
Immediate Actions Required
- Update the Linux kernel to a patched version that includes the fix for this vulnerability
- Avoid running concurrent ethtool channel and statistics commands on iavf interfaces until patched
- Review systems using Intel SR-IOV virtual functions and prioritize patching for production environments
- Enable KASAN in testing environments to identify any exploitation attempts before production deployment
Patch Information
The Linux kernel maintainers have released patches to address this vulnerability. The fix involves using the immutable num_tx_queues variable in all ethtool-related functions instead of the runtime-mutable real_num_tx_queues and num_active_queues variables.
The following kernel commits contain the fix:
- Kernel Git Commit 1f931dee5b72
- Kernel Git Commit bb85741d2dc2
- Kernel Git Commit fdf902bf86a8
- Kernel Git Commit fecacfc95f19
Workarounds
- Implement access controls to restrict ethtool command execution to trusted administrators only
- Serialize ethtool operations on iavf interfaces using system-level locking mechanisms
- Consider temporarily disabling channel reconfiguration capabilities on production systems until patching is complete
- Use alternative network drivers or physical functions instead of virtual functions where possible
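```bash
# Restrict the ethtool binary to its owner (root) only
chmod 700 /usr/sbin/ethtool
# Log every execution of ethtool under the audit key ethtool_exec,
# so that overlapping -L and -S runs can be correlated afterwards
auditctl -w /usr/sbin/ethtool -p x -k ethtool_exec
```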
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


