CVE-2026-31644 Overview
CVE-2026-31644 is a use-after-free vulnerability in the Linux kernel's lan966x network driver. The flaw resides in the lan966x_fdma_reload() function, which manages Frame Direct Memory Access (FDMA) buffer reallocation for Microchip LAN966x Ethernet switches. When the function fails to allocate new RX buffers, the restore path restarts DMA using descriptors whose backing pages were already released through lan966x_fdma_rx_free_pages(). This allows hardware to perform DMA into memory potentially owned by other kernel subsystems. A secondary memory leak occurs when a partially allocated page pool is overwritten without being destroyed. The vulnerability is tracked under CWE-416 (Use After Free).
Critical Impact
A local attacker with low privileges can trigger memory corruption through DMA into freed pages, leading to kernel-level confidentiality, integrity, and availability compromise.
Affected Products
- Linux Kernel 6.12 (release)
- Linux Kernel 7.0-rc1 through 7.0-rc7
- Microchip LAN966x Ethernet switch driver (lan966x)
Discovery Timeline
- 2026-04-24 - CVE-2026-31644 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-31644
Vulnerability Analysis
The lan966x driver implements FDMA-based packet reception using a ring of descriptors backed by pages allocated from a page_pool. The lan966x_fdma_reload() function reallocates these buffers when the maximum transmission unit (MTU) or related parameters change. The function follows a sequence: stop DMA, free existing pages via lan966x_fdma_rx_free_pages(), allocate a new page pool, then start DMA with new descriptors.
When new buffer allocation fails partway through, the restore path attempts to resume operations using the original descriptor ring. However, the original pages have already been returned to the page_pool through page_pool_put_full_page(), which can release them back to the buddy allocator. Restarting DMA against these stale descriptors causes the hardware to write packet data into memory that may now belong to unrelated kernel subsystems. This produces silent memory corruption with kernel-level consequences. A separate memory leak also occurs because a partially constructed page pool is overwritten by the pointer reset, leaving no reference for cleanup.
Root Cause
The root cause is incorrect ordering of resource release relative to failure handling. The driver releases the old RX pages before confirming that replacement buffers can be allocated, eliminating any safe rollback target. There is no transactional boundary separating the destructive cleanup from the speculative allocation.
Attack Vector
Exploitation requires local access with privileges sufficient to trigger MTU changes or interface reconfiguration on a lan966x-driven interface. An attacker who can induce repeated allocation failures, for example through memory pressure, can force the restore path to execute and corrupt kernel memory through hardware DMA. See the Kernel.org commit log for technical details of the fix.
The patch defers release of old pages until after new allocation succeeds, saves the old page array prior to allocation, and ensures the failure path retains valid descriptors, pages, and page pool. The fix also re-enables NAPI and wakes the netdev on the restore path.
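The ordering defect described above and the reordered fix, as an added example that is not the lan966x driver's code: a user-space C model in which `struct page_pool`, `struct page`, `reload_vulnerable()`, `reload_fixed()` and `run_scenario()` are hypothetical stand-ins for the kernel's page_pool, RX descriptor ring and lan966x_fdma_reload(). Allocation failure is injected on the Nth page allocation so both orderings can be driven through their restore paths without hardware, and the checks use bookkeeping flags rather than touching released memory:

```c
/* Added example, not kernel code: a user-space model of the release-before-
 * allocate ordering in lan966x_fdma_reload() and of the reordered fix. The
 * pool, page and ring types and all functions are hypothetical stand-ins. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define RING_SIZE 4

struct page_pool { int id; };
struct page { bool freed; };       /* flagged, not free()d, so tests can inspect it */
struct rx_ring {
    struct page_pool *pool;
    struct page *pages[RING_SIZE];  /* descriptor i -> backing page */
    bool dma_running;               /* models FDMA started and NAPI enabled */
};

static int pools_live;              /* pools created minus destroyed */
static int alloc_count, fail_on_alloc; /* fault injection: fail the Nth page alloc, 0 = never */

static struct page_pool *pool_create(void) {
    struct page_pool *pool = calloc(1, sizeof *pool);
    pool->id = ++pools_live;
    return pool;
}
static void pool_destroy(struct page_pool *pool) { free(pool); pools_live--; }
static struct page *pool_alloc_page(void) {
    if (fail_on_alloc && ++alloc_count >= fail_on_alloc) return NULL;
    return calloc(1, sizeof(struct page));
}
/* Stands in for page_pool_put_full_page(): any descriptor still pointing at the page is stale. */
static void pool_put_page(struct page *p) { p->freed = true; }
static void rx_free_pages(struct page **pages) {
    for (int i = 0; i < RING_SIZE; i++) pool_put_page(pages[i]);
}
static int rx_alloc_pages(struct page **out) {
    for (int i = 0; i < RING_SIZE; i++)
        if (!(out[i] = pool_alloc_page())) {
            while (i-- > 0) pool_put_page(out[i]); /* undo the partial allocation */
            return -1;
        }
    return 0;
}

/* Vulnerable ordering: old pages are released before replacements exist, so the
 * restore path restarts DMA over stale descriptors and loses the new pool. */
static int reload_vulnerable(struct rx_ring *ring) {
    struct page *new_pages[RING_SIZE];
    struct page_pool *old_pool = ring->pool;
    ring->dma_running = false;
    rx_free_pages(ring->pages);         /* destructive step comes first */
    ring->pool = pool_create();
    if (rx_alloc_pages(new_pages) < 0) {
        ring->pool = old_pool;          /* new pool overwritten, never destroyed */
        ring->dma_running = true;       /* restarts DMA over freed pages */
        return -1;
    }
    pool_destroy(old_pool);
    memcpy(ring->pages, new_pages, sizeof new_pages);
    ring->dma_running = true;
    return 0;
}

/* Fixed ordering: save the old ring, allocate first, and release the old pages
 * only once the new buffers are committed, so failure has a valid rollback. */
static int reload_fixed(struct rx_ring *ring) {
    struct page *old_pages[RING_SIZE], *new_pages[RING_SIZE];
    struct page_pool *old_pool = ring->pool, *new_pool;
    ring->dma_running = false;
    memcpy(old_pages, ring->pages, sizeof old_pages);
    new_pool = pool_create();
    if (rx_alloc_pages(new_pages) < 0) {
        pool_destroy(new_pool);         /* nothing from it is in use */
        ring->dma_running = true;       /* old descriptors and pages intact */
        return -1;
    }
    memcpy(ring->pages, new_pages, sizeof new_pages);
    ring->pool = new_pool;
    rx_free_pages(old_pages);           /* release only after the swap */
    pool_destroy(old_pool);
    ring->dma_running = true;
    return 0;
}

/* Runs one reload with the Nth page allocation forced to fail (0 = none); the
 * result has bit 0 set if DMA restarted over a freed page, bit 1 if a pool leaked. */
static int run_scenario(int (*reload)(struct rx_ring *), int nth_alloc_fails) {
    struct rx_ring ring = {0};
    int result = 0;
    pools_live = alloc_count = fail_on_alloc = 0;
    ring.pool = pool_create();
    if (rx_alloc_pages(ring.pages) < 0) return -1;
    ring.dma_running = true;
    alloc_count = 0; fail_on_alloc = nth_alloc_fails;
    reload(&ring);
    for (int i = 0; i < RING_SIZE; i++)
        if (ring.dma_running && ring.pages[i]->freed) result |= 1;
    if (pools_live != 1) result |= 2;   /* the ring should own exactly one pool */
    return result;
}
```

`run_scenario(reload_vulnerable, 3)` returns 3: DMA is restarted over released pages and the half-built pool is lost, the two defects the advisory lists. `run_scenario(reload_fixed, 3)` returns 0 because the saved descriptors, pages and pool remain a valid rollback target, and both functions return 0 when no allocation fails. The model only flags a page as released rather than freeing it, which is what lets the check read stale descriptors safely; on a real kernel the same condition is what KASAN would report.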
Detection Methods for CVE-2026-31644
Indicators of Compromise
- Kernel oops or panic messages referencing lan966x_fdma_reload, page_pool, or DMA-related stack frames
- KASAN (Kernel Address Sanitizer) reports flagging use-after-free in lan966x driver paths
- Unexpected memory corruption symptoms following interface reconfiguration on systems using Microchip LAN966x hardware
- dmesg entries showing failed RX buffer allocations followed by driver restore activity
Detection Strategies
- Enable KASAN on kernels running affected versions in test environments to surface the use-after-free deterministically
- Monitor kernel logs for lan966x driver errors correlated with MTU changes or interface reconfiguration events
- Inventory systems running kernel 6.12 or 7.0-rc1 through 7.0-rc7 with LAN966x hardware to identify exposure
Monitoring Recommendations
- Track netdev configuration changes on embedded and industrial systems using LAN966x-based switches
- Alert on repeated kernel allocation failures coinciding with network driver activity
- Correlate kernel crash telemetry with installed kernel versions to identify affected hosts
How to Mitigate CVE-2026-31644
Immediate Actions Required
- Update to a Linux kernel build containing one of the upstream fix commits: 59c3d55a946c, 691082c0b93c, 92a673019943, or 9950e9199b3d
- Identify all systems using the lan966x driver and prioritize patching based on exposure to untrusted local users
- Restrict privileged network configuration operations to trusted accounts on affected hosts until patched
Patch Information
The fix is available in the mainline Linux kernel through four upstream commits referenced in the Kernel.org stable tree. The patch reorders allocation and release operations so old pages, descriptors, and the page pool remain valid until new buffers are confirmed allocated. Distribution kernels should pull the corresponding backport once available.
Workarounds
- Avoid MTU changes and interface reconfiguration on lan966x interfaces while the system is under memory pressure
- Restrict CAP_NET_ADMIN capability to trusted users to limit who can trigger the vulnerable code path
- On systems where the lan966x driver is not required, blacklist the module to eliminate the attack surface
# Blacklist the lan966x switch module if not required. A blacklist entry only
# stops automatic loading (for example by udev); it does not stop an explicit modprobe.
echo "blacklist lan966x_switch" | sudo tee /etc/modprobe.d/blacklist-lan966x.conf
# Rebuild the initramfs so the blacklist also applies at early boot (Debian/Ubuntu)
sudo update-initramfs -u
# Verify kernel version after patching
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.