CVE-2026-31505 Overview
CVE-2026-31505 is an out-of-bounds write vulnerability [CWE-787] in the Intel Adaptive Virtual Function (iavf) network driver in the Linux kernel. The flaw resides in iavf_get_ethtool_stats(), which uses inconsistent queue counters when reporting ethtool statistics. A race between concurrent ethtool -L (set channels) and ethtool -S (get statistics) operations can cause the function to write past the allocated buffer. KASAN reports confirm a vmalloc out-of-bounds write of 8 bytes, which can corrupt adjacent kernel memory. The issue affects Linux kernel versions from 5.17 through 7.0-rc7 prior to the corrective commits.
Critical Impact
A local user with permission to invoke ethtool against an iavf-managed interface can trigger kernel memory corruption, leading to denial of service or potential local privilege escalation.
Affected Products
- Linux kernel iavf driver (Intel Adaptive Virtual Function)
- Linux kernel 5.17 and later branches up to 7.0-rc7
- Distributions shipping unpatched stable kernels prior to the fix commits
Discovery Timeline
- 2026-04-22 - CVE-2026-31505 published to NVD
- 2026-04-28 - Last updated in NVD database
Technical Details for CVE-2026-31505
Vulnerability Analysis
The iavf driver maintains multiple counters describing transmit queue counts: num_tx_queues, real_num_tx_queues, and num_active_queues. The bug stems from inconsistent use of these counters across the ethtool statistics path. iavf_get_sset_count() and iavf_get_stat_strings() rely on real_num_tx_queues to compute the size of the statistics buffer, while iavf_get_ethtool_stats() iterates using num_active_queues.
When channel reconfiguration runs concurrently with statistics retrieval, num_active_queues can be updated before real_num_tx_queues. The buffer is then sized for the smaller count but written using the larger one. The KASAN trace shows the write occurring in iavf_add_one_ethtool_stat+0x200/0x270, reached via the ioctl path through sock_ioctl and __dev_ethtool.
Root Cause
The root cause is a synchronization gap between iavf_alloc_queues(), which updates num_active_queues immediately, and iavf_finish_config(), which updates real_num_tx_queues later in a deferred work item. Any ethtool statistics request scheduled in this window observes mismatched values. The upstream fix replaces real_num_tx_queues and num_active_queues with the immutable num_tx_queues across iavf_get_sset_count(), iavf_get_stat_strings(), and iavf_get_ethtool_stats().
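The mismatch described above, reduced to a userspace model (an added example, not the driver's code): the sizing path and the fill path read different counters, and the patched variant reads num_tx_queues in both. The struct, function names other than those quoted in comments, and the two-counters-per-queue layout are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#define STATS_PER_QUEUE 2u /* assumption: two u64 counters per queue */

/* Userspace model: counter names follow the advisory, the rest is hypothetical. */
struct adapter_model {
    unsigned num_tx_queues;      /* fixed when the netdev is allocated */
    unsigned real_num_tx_queues; /* updated late, by deferred finish_config */
    unsigned num_active_queues;  /* updated at once, by alloc_queues */
};

/* Sizing path (iavf_get_sset_count): u64 slots the caller allocates. */
static size_t sset_count(const struct adapter_model *a, int patched)
{
    unsigned q = patched ? a->num_tx_queues : a->real_num_tx_queues;
    return (size_t)q * STATS_PER_QUEUE;
}

/* Fill path (iavf_get_ethtool_stats): returns the slots it tries to write.
 * Writes are clamped to cap so the model itself never overflows. */
static size_t fill_stats(const struct adapter_model *a, int patched,
                         uint64_t *data, size_t cap)
{
    unsigned q = patched ? a->num_tx_queues : a->num_active_queues;
    size_t want = 0;
    for (unsigned i = 0; i < q; i++)
        for (unsigned s = 0; s < STATS_PER_QUEUE; s++, want++)
            if (want < cap)
                data[want] = 0; /* placeholder counter value */
    return want;
}

/* Stats request landing between alloc_queues and finish_config.
 * Returns the number of u64 slots past the buffer end (0 = safe). */
static size_t overrun_in_window(unsigned old_q, unsigned new_q,
                                unsigned max_q, int patched)
{
    struct adapter_model a = { max_q, old_q, new_q }; /* real_num still old_q */
    size_t cap = sset_count(&a, patched);
    uint64_t *buf = calloc(cap ? cap : 1, sizeof(*buf));
    if (!buf) return (size_t)-1;
    size_t want = fill_stats(&a, patched, buf, cap);
    free(buf);
    return want > cap ? want - cap : 0;
}

int main(void)
{
    printf("4->8 queues, slots past end: unpatched %zu, patched %zu\n",
           overrun_in_window(4, 8, 16, 0), overrun_in_window(4, 8, 16, 1));
    return 0;
}
```

Only a resize that grows the queue count overruns in this model; shrinking leaves the buffer larger than the fill loop needs.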
Attack Vector
Exploitation requires local access and the ability to invoke ethtool ioctls on an iavf-managed network interface. An attacker scripts concurrent ethtool -L <iface> combined N and ethtool -S <iface> calls to race the queue reconfiguration against statistics collection. Successful exploitation writes attacker-influenced 64-bit values beyond the allocated vmalloc region, corrupting adjacent kernel pages. The Linux kernel exposes ethtool operations to unprivileged users in some configurations via container or virtualization runtimes, broadening the local attack surface.
No public proof-of-concept exploit has been published, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2026-31505
Indicators of Compromise
- KASAN reports referencing iavf_add_one_ethtool_stat or iavf_get_ethtool_stats with vmalloc-out-of-bounds write classification
- Unexpected kernel oops, panic, or soft lockup messages immediately following ethtool -L or ethtool -S activity on iavf interfaces
- Repeated ethtool ioctl invocations from non-administrative user contexts in audit logs
Detection Strategies
- Enable KASAN on test or canary kernels to surface the out-of-bounds write during fuzzing or routine workload runs
- Monitor auditd for SYSCALL records invoking ioctl against iavf interfaces from unexpected UIDs or container workloads
- Correlate kernel ring buffer messages (dmesg) mentioning iavf with concurrent ethtool command execution captured via process telemetry
Monitoring Recommendations
- Alert on rapid, repeated channel reconfiguration (SIOCETHTOOL with ETHTOOL_SCHANNELS) on the same interface within short intervals
- Track kernel crash dumps and kdump artifacts referencing the iavf module for triage
- Inventory hosts running affected kernel versions with Intel adaptive virtual function NICs, including SR-IOV VFs in virtualized environments
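One way to implement the repeated-reconfiguration alert above, as an added example that is not part of the original advisory. It assumes a collector that already yields (timestamp, interface, ethtool command) records for SIOCETHTOOL calls; the record layout, sample events, and alert threshold are constructed for illustration, while the two command values are those of ETHTOOL_GSTATS and ETHTOOL_SCHANNELS in linux/ethtool.h.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define CMD_GSTATS    0x0000001dU /* ETHTOOL_GSTATS, linux/ethtool.h */
#define CMD_SCHANNELS 0x0000003dU /* ETHTOOL_SCHANNELS, linux/ethtool.h */
/* Hypothetical telemetry record: one SIOCETHTOOL call seen by a collector. */
struct ethtool_event {
    uint64_t ts_ms;     /* event time, milliseconds */
    const char *ifname; /* target interface */
    uint32_t cmd;       /* ethtool command word */
};

/* Constructed sample, sorted by time: eth0 resized once, eth1 repeatedly. */
static const struct ethtool_event SAMPLE[] = {
    {    0, "eth0", CMD_SCHANNELS }, {  100, "eth1", CMD_SCHANNELS },
    {  110, "eth1", CMD_GSTATS },    {  200, "eth1", CMD_SCHANNELS },
    {  210, "eth1", CMD_GSTATS },    {  300, "eth1", CMD_SCHANNELS },
    {  400, "eth1", CMD_SCHANNELS }, { 5000, "eth1", CMD_SCHANNELS },
};
static const size_t SAMPLE_N = sizeof(SAMPLE) / sizeof(SAMPLE[0]);

static int is_resize(const struct ethtool_event *e, const char *ifname)
{
    return e->cmd == CMD_SCHANNELS && strcmp(e->ifname, ifname) == 0;
}

/* Largest number of ETHTOOL_SCHANNELS calls on ifname inside any window_ms
 * span. Events must be sorted by ts_ms. Alert when this meets a threshold. */
static size_t max_schannels_burst(const struct ethtool_event *ev, size_t n,
                                  const char *ifname, uint64_t window_ms)
{
    size_t best = 0, in_win = 0, lo = 0;
    for (size_t hi = 0; hi < n; hi++) {
        if (!is_resize(&ev[hi], ifname)) continue;
        in_win++;
        while (ev[hi].ts_ms - ev[lo].ts_ms > window_ms) {
            if (is_resize(&ev[lo], ifname))
                in_win--;
            lo++;
        }
        if (in_win > best) best = in_win;
    }
    return best;
}

int main(void)
{
    /* exit status 1 signals an alert; the threshold of 3 is an assumption */
    return max_schannels_burst(SAMPLE, SAMPLE_N, "eth1", 1000) >= 3 ? 1 : 0;
}
```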
How to Mitigate CVE-2026-31505
Immediate Actions Required
- Apply the upstream stable kernel updates containing commits 1f931dee, bb85741d, fdf902bf, and fecacfc9 from the corresponding stable branches
- Restrict ethtool ioctl access to privileged administrators by enforcing capability boundaries on container and VM workloads
- Rebuild and redeploy custom kernels that include the iavf driver from affected ranges
Patch Information
The fix is distributed through four stable-tree commits referenced in the kernel.org advisories: Kernel Git Commit 1f931dee, Kernel Git Commit bb85741d, Kernel Git Commit fdf902bf, and Kernel Git Commit fecacfc9. The patches replace real_num_tx_queues and num_active_queues with the immutable num_tx_queues in the ethtool statistics path, eliminating the race window.
Workarounds
- Avoid concurrent invocation of ethtool -L and ethtool -S on the same iavf interface until patches are deployed
- Restrict the CAP_NET_ADMIN capability and access to ethtool ioctls to trusted administrators only
- Where feasible, unload the iavf module or switch to alternative network drivers on affected hosts pending patching
# Verify running kernel and iavf module version
uname -r
modinfo iavf | grep -E '^(version|filename):'
# Restrict ethtool to root via sudoers (example):
# remove any sudo rules that allow unprivileged ethtool execution,
# then validate the sudoers syntax
sudo visudo -c
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


