CVE-2026-31658 Overview
A memory leak vulnerability has been identified in the Linux kernel's Altera Triple-Speed Ethernet (TSE) network driver. The flaw exists in the tse_start_xmit() function, where a failure in dma_map_single() causes the function to return NETDEV_TX_OK without properly freeing the associated socket buffer (skb). Since NETDEV_TX_OK signals to the network stack that the packet was successfully consumed, the skb is never released, resulting in memory leakage on every DMA mapping failure.
Critical Impact
Repeated DMA mapping failures can lead to kernel memory exhaustion and system denial of service, affecting availability of systems using Altera TSE network interfaces.
Affected Products
- Linux Kernel versions from 3.15 through affected stable branches
- Linux Kernel 7.0 release candidates (rc1 through rc7)
- Systems utilizing Altera Triple-Speed Ethernet network controllers
Discovery Timeline
- 2026-04-24 - CVE-2026-31658 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-31658
Vulnerability Analysis
This vulnerability is classified as CWE-401 (Missing Release of Memory after Effective Lifetime). The flaw occurs in the Altera TSE network driver's transmit path, specifically within the tse_start_xmit() function responsible for initiating packet transmission.
When network packets are transmitted, the driver must map the socket buffer to a DMA-accessible memory region using dma_map_single(). Under normal operation, this mapping allows the network hardware to directly access the packet data for transmission. However, DMA mapping can fail due to various conditions including IOMMU restrictions, memory fragmentation, or resource exhaustion.
The vulnerable code path returns NETDEV_TX_OK after a DMA mapping failure without first freeing the skb. The network stack interprets NETDEV_TX_OK as confirmation that the driver has taken ownership of the packet and will handle its lifecycle. Consequently, the stack does not attempt to free or requeue the packet, leaving the memory allocated but unreferenced.
Root Cause
The root cause is improper error handling in the tse_start_xmit() function. When dma_map_single() returns an invalid DMA address (checked via dma_mapping_error()), the function should free the skb using dev_kfree_skb_any() before returning. The missing cleanup call causes the socket buffer to leak, with the memory remaining allocated until the system is rebooted.
Attack Vector
This vulnerability requires local access to exploit. An attacker with the ability to generate network traffic through an affected Altera TSE interface could potentially trigger repeated DMA mapping failures under specific system conditions. While this attack requires privileged access and specific hardware configuration, sustained exploitation could exhaust kernel memory resources, leading to system instability or denial of service. The attack is limited to systems with Altera TSE network hardware and does not enable information disclosure or code execution.
The fix involves adding a dev_kfree_skb_any() call before returning NETDEV_TX_OK in the error handling path, ensuring proper memory cleanup when DMA mapping fails.
Detection Methods for CVE-2026-31658
Indicators of Compromise
- Unexplained growth in kernel memory usage (slab allocations) over time on systems with Altera TSE network interfaces
- Increasing skbuff_head_cache or skbuff_fclone_cache slab entries without corresponding network traffic justification
- Kernel warnings or OOM (Out of Memory) killer activation on systems with Altera TSE drivers loaded
Detection Strategies
- Monitor /proc/slabinfo for abnormal growth in skbuff-related slab caches
- Use dmesg to review kernel logs for DMA mapping errors from the altera_tse driver module
- Implement memory usage trending alerts for systems running the affected driver
Monitoring Recommendations
- Deploy kernel memory monitoring with alerting on sustained growth patterns in network buffer allocations
- Configure SentinelOne Singularity agent to monitor kernel module behavior and memory anomalies
- Enable kernel tracing for DMA mapping failures on affected systems to identify potential exploitation attempts
How to Mitigate CVE-2026-31658
Immediate Actions Required
- Update the Linux kernel to a patched version containing the fix for CVE-2026-31658
- If immediate patching is not possible, consider temporarily disabling Altera TSE network interfaces on critical systems
- Monitor affected systems for signs of memory exhaustion until patches can be applied
- Review kernel logs for existing DMA mapping errors that may indicate ongoing memory leakage
Patch Information
The Linux kernel maintainers have released patches across multiple stable branches. The fix adds proper skb cleanup by calling dev_kfree_skb_any() before returning from the error path in tse_start_xmit(). Patches are available from the following kernel git commits:
- Kernel Git Commit 2eb9d67
- Kernel Git Commit 3aca300
- Kernel Git Commit 60f462c
- Kernel Git Commit 6dede39
- Kernel Git Commit 9f3ec44
- Kernel Git Commit ae2cd46
- Kernel Git Commit cb1d318
- Kernel Git Commit d5ec406
Workarounds
- Reduce network load on affected interfaces to minimize the frequency of potential DMA mapping failures
- Implement memory usage monitoring and automatic service restart procedures if memory thresholds are exceeded
- Consider using alternative network drivers or interfaces if available until patching is complete
# Check if the Altera TSE driver is loaded
lsmod | grep altera_tse
# Monitor kernel slab cache for memory leak indicators
watch -n 5 'cat /proc/slabinfo | grep -E "skbuff|kmalloc"'
# Check current kernel version
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
