CVE-2026-31563 Overview
A race condition vulnerability exists in the Linux kernel's macb network driver related to improper handling of TX socket buffer (SKB) freeing operations. The vulnerability occurs when napi_consume_skb() is called in an IRQ-disabled context, which is not the intended usage of this function. This issue was introduced after commit 6bc8a5098bf4 ("net: macb: Fix tx_ptr_lock locking"), which changed TX SKB freeing to be performed with IRQs disabled.
Critical Impact
This vulnerability can cause kernel warnings and system instability on affected Linux systems using the macb network driver, potentially leading to denial of service conditions on embedded platforms like Xilinx ZynqMP.
Affected Products
- Linux Kernel version 6.17
- Linux Kernel versions 7.0-rc1 through 7.0-rc7
- Systems using the macb network driver (commonly found on ARM-based embedded platforms)
Discovery Timeline
- April 24, 2026 - CVE CVE-2026-31563 published to NVD
- April 27, 2026 - Last updated in NVD database
Technical Details for CVE-2026-31563
Vulnerability Analysis
The vulnerability is a race condition in the Linux kernel's macb (Cadence Ethernet MAC) network driver. The root of the issue lies in the interaction between interrupt handling, locking mechanisms, and SKB memory management.
After commit 6bc8a5098bf4 modified the TX path locking behavior, the macb_tx_poll() function began freeing TX SKBs while holding a spinlock with IRQs disabled. This created a problematic situation where napi_consume_skb() was being invoked in an inappropriate context.
When napi_consume_skb() attempts to defer SKB freeing by calling skb_attempt_defer_free(), it may try to enable bottom halves via local_bh_enable(). However, this operation is invalid when hardirqs are already disabled, triggering a kernel warning at kernel/softirq.c:430 in __local_bh_enable_ip().
The call trace shows the problematic execution path: macb_tx_poll → napi_consume_skb → skb_attempt_defer_free → local_bh_enable → __local_bh_enable_ip, where the final function detects the invalid IRQ state and emits a warning.
Root Cause
The root cause is an API misuse where napi_consume_skb() was called in an IRQ-disabled context after the TX path locking changes. The napi_consume_skb() function has internal logic that may call local_bh_enable(), which is explicitly not allowed when hardirqs are disabled. The fix replaces napi_consume_skb() with dev_consume_skb_any(), which is designed to handle SKB freeing regardless of the current IRQ context.
Attack Vector
This vulnerability is triggered locally through normal network operations on systems using the macb network driver. While classified as a network attack vector due to the networking subsystem involvement, exploitation primarily requires the ability to generate network traffic that exercises the TX path of the affected driver.
An attacker with network access to an affected system could potentially:
- Send traffic patterns that maximize TX buffer consumption
- Trigger the race condition repeatedly to cause system instability
- Exploit the resulting kernel warnings to cause denial of service through log flooding or watchdog timeouts
The vulnerability primarily affects embedded systems using Cadence/Synopsys GEM Ethernet controllers, commonly found on platforms like Xilinx ZynqMP, Microchip SAMA5, and similar ARM-based SoCs.
Detection Methods for CVE-2026-31563
Indicators of Compromise
- Kernel warning messages containing __local_bh_enable_ip+0x174/0x188 in system logs
- Call traces showing macb_tx_poll → napi_consume_skb → skb_attempt_defer_free → local_bh_enable
- System log entries indicating softirq/hardirq state violations with the message WARNING: kernel/softirq.c:430
Detection Strategies
- Monitor kernel logs (dmesg, /var/log/kern.log) for warnings related to __local_bh_enable_ip and the macb driver
- Implement alerting for unexpected kernel call traces involving the network subsystem and IRQ handling
- Deploy kernel tracing tools to monitor for improper IRQ state transitions in the macb TX path
Monitoring Recommendations
- Configure log aggregation to capture and alert on kernel warnings from affected systems
- Use performance monitoring to detect unusual network driver behavior or increased system instability
- Monitor for elevated kernel warning rates that may indicate exploitation attempts
How to Mitigate CVE-2026-31563
Immediate Actions Required
- Apply the kernel patches from the stable kernel branches immediately on affected systems
- Prioritize patching for systems using the macb network driver, particularly ARM-based embedded platforms
- Consider temporarily reducing network load on critical affected systems until patches can be applied
Patch Information
The Linux kernel maintainers have released patches that replace napi_consume_skb() with dev_consume_skb_any() for freeing TX SKBs in the macb driver. This ensures proper SKB handling regardless of the IRQ context.
Multiple patch commits are available for different stable kernel branches:
- Kernel Git Commit 647b8a2
- Kernel Git Commit 78c8b09
- Kernel Git Commit 92e7081
- Kernel Git Commit 984350b
- Kernel Git Commit ca4d05a
- Kernel Git Commit f4bc913
Workarounds
- If patching is not immediately possible, consider using an alternative network driver if available for your hardware
- Reduce network traffic load to minimize the frequency of TX operations triggering the vulnerable code path
- Monitor affected systems closely for kernel warnings and prepare for rapid response if instability occurs
# Check if your system uses the macb driver
lsmod | grep macb
# Check current kernel version
uname -r
# Review kernel logs for related warnings
dmesg | grep -E "(macb|__local_bh_enable_ip|softirq)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
