CVE-2026-31736 Overview
CVE-2026-31736 is a NULL pointer dereference [CWE-476] in the Linux kernel's MediaTek PPE (Packet Processing Engine) Ethernet driver (net/ethernet/mtk_ppe). When gmac0 is disabled, the precheck for a valid ingress device dereferences eth->netdev[0], which is NULL, and then accesses netdev_ops. The result is a kernel crash and a denial of service on affected systems. The flaw requires only local, low-privileged access to trigger.
Critical Impact
A local attacker on a system with gmac0 disabled can crash the kernel by causing the mtk_ppe ingress check to dereference a NULL net_device, producing a system-wide denial of service.
Affected Products
- Linux kernel mainline including release candidates 7.0-rc1 through 7.0-rc6
- Stable branches receiving fixes via commits 0b832aa, 5dff799, 7b2380f, and 976ff48
- Systems running the MediaTek Ethernet driver (mtk_eth_soc / mtk_ppe) with gmac0 disabled
Discovery Timeline
- 2026-05-01 - CVE-2026-31736 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-31736
Vulnerability Analysis
The MediaTek PPE driver offloads flow processing for the SoC's Ethernet MACs. Before accepting an offload candidate, the driver validates that the ingress net_device belongs to one of its managed interfaces. The previous implementation read eth->netdev[0] directly and dereferenced its netdev_ops to perform that comparison. On platforms where gmac0 is not enabled in the device tree, eth->netdev[0] remains NULL. Any subsequent path that triggers the ingress precheck dereferences a NULL pointer in kernel context, leading to an oops and loss of availability. The vulnerability is locally triggerable by traffic or configuration that exercises the offload path, and it does not expose data confidentiality or integrity.
Root Cause
The driver assumed netdev[0] was always populated. With gmac0 disabled, that assumption fails. The fix iterates the array of mtk_ethnet_device entries and matches the ingress device against any populated entry instead of trusting index zero.
Attack Vector
Exploitation requires local access on a system using the MediaTek Ethernet driver with gmac0 disabled. A low-privileged user or an unprivileged process able to direct traffic through the offload path can reach the vulnerable precheck. The outcome is limited to a kernel crash and reboot loop, not code execution or privilege escalation. See the upstream patches: Kernel Git Commit 0b832aa, Kernel Git Commit 5dff799, Kernel Git Commit 7b2380f, and Kernel Git Commit 976ff48.
Detection Methods for CVE-2026-31736
Indicators of Compromise
- Kernel oops messages referencing mtk_ppe, mtk_eth_soc, or a NULL pointer dereference at addresses near the netdev_ops offset.
- Unexpected device reboots on MediaTek-based hardware shortly after network offload activity.
- dmesg traces showing a fault in the ingress device validation path of the MediaTek PPE driver.
Detection Strategies
- Inventory Linux hosts running the MediaTek Ethernet driver and check whether gmac0 is disabled in the device tree or boot configuration.
- Compare running kernel versions against the fixed commits in stable branches to identify unpatched systems.
- Correlate kernel panics on MediaTek SoCs with offload feature usage to surface likely instances of the bug.
Monitoring Recommendations
- Forward dmesg and kern.log to a central log platform and alert on BUG: unable to handle and Unable to handle kernel NULL pointer events.
- Monitor host availability and uptime metrics for MediaTek-based appliances and routers.
- Track kernel package versions across the fleet to confirm patch deployment progress.
How to Mitigate CVE-2026-31736
Immediate Actions Required
- Apply the upstream stable kernel updates that include the mtk_ppe ingress check fix.
- On systems where patching is delayed, restrict local access to trusted users to limit who can exercise the offload path.
- Audit device tree configurations to confirm whether gmac0 is disabled and prioritize patching those systems.
Patch Information
The issue is resolved by upstream Linux kernel commits 0b832aa, 5dff799, 7b2380f, and 976ff48. The patch replaces the direct eth->netdev[0] access with a loop that checks each mtk_ethnet_device against the ingress device's netdev_ops. Rebuild and deploy the kernel from a stable branch that contains one of these commits, or update through the distribution package channel once available.
Workarounds
- Enable gmac0 in the device tree where hardware permits, which removes the NULL condition that triggers the dereference.
- Disable hardware flow offload features that exercise the mtk_ppe ingress path until the kernel is patched.
- Limit shell and network configuration privileges on affected devices to reduce the local attack surface.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
