CVE-2026-31737 Overview
CVE-2026-31737 is a resource management flaw in the Linux kernel's ftgmac100 Ethernet driver. The ftgmac100_alloc_rings() function allocates rx_skbs, tx_skbs, rxdes, txdes, and rx_scratch in stages. On intermediate failures, the function returned -ENOMEM directly without freeing previously allocated resources, leaking kernel memory each time the network device interface failed to open.
The vulnerability is exploitable by a local low-privileged user who can repeatedly trigger interface open failures, resulting in kernel memory exhaustion and a high-availability denial of service condition on affected systems.
Critical Impact
Repeated triggering of the flawed unwind path drains kernel memory and can render the host unresponsive, denying service to all users.
Affected Products
- Linux Kernel (multiple stable branches)
- Linux Kernel 7.0 release candidates rc1 through rc6
- Systems using the Faraday FTGMAC100 Ethernet controller driver
Discovery Timeline
- 2026-05-01 - CVE-2026-31737 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-31737
Vulnerability Analysis
The defect resides in drivers/net/ethernet/faraday/ftgmac100.c within the ftgmac100_alloc_rings() function. The function performs a sequence of allocations to set up the driver's transmit and receive rings. Each allocation step depends on the success of the prior step.
When any allocation past the first succeeded but a later allocation failed, the function returned -ENOMEM directly without releasing the buffers it had already obtained. This leaks rx_skbs, tx_skbs, rxdes, txdes, or rx_scratch depending on which stage failed.
The upstream patch reworks the failure path with staged local unwind labels. Each label frees the resources allocated up to its point in the sequence, in reverse order, before returning the error. This pattern matches standard netdev allocation cleanup conventions.
Root Cause
The root cause is improper error-path cleanup [CWE-noinfo]. The original code conflated separate allocation stages into a single error return, omitting the staged cleanup required for partial-success scenarios. Each open() call that fails mid-allocation permanently consumes kernel memory until reboot.
Attack Vector
Exploitation requires local access with privileges sufficient to bring a network interface up, such as CAP_NET_ADMIN within a namespace or membership in groups permitted to manage networking. An attacker repeatedly issues ip link set <iface> up against an ftgmac100 interface under conditions that cause intermediate allocations to fail, such as memory pressure or fault injection. Each failed attempt leaks ring resources, gradually exhausting kernel memory and degrading availability.
No verified public exploit code is available for this issue. The vulnerability is described in upstream commits referenced in the kernel.org stable tree.
Detection Methods for CVE-2026-31737
Indicators of Compromise
- Repeated ENOMEM returns from ftgmac100_open() in dmesg or journalctl -k output
- Steadily growing Slab and SUnreclaim values in /proc/meminfo correlated with interface open attempts
- Frequent ip link set ... up failures from non-root users on hosts with FTGMAC100 hardware
Detection Strategies
- Monitor kernel ring buffer logs for repeated allocation failure messages originating from the ftgmac100 driver.
- Track per-process syscall patterns invoking SIOCSIFFLAGS or netlink RTM_NEWLINK against FTGMAC100 interfaces.
- Baseline kmalloc and slab consumption on systems using Faraday network controllers and alert on sustained upward trends.
Monitoring Recommendations
- Enable kernel auditd rules for network configuration changes and correlate with memory pressure events.
- Forward /var/log/kern.log and slab statistics to a centralized log platform for trend analysis.
- Set thresholds on unreclaimable slab growth rates to flag potential kernel memory exhaustion early.
How to Mitigate CVE-2026-31737
Immediate Actions Required
- Apply the upstream stable kernel patches referenced by commits 184b3a5, 78da433, 82f8611, 8351d18, 8a71911, a7e1bf3, c0fd0fe, and d452300.
- Restrict the CAP_NET_ADMIN capability and netlink interface configuration rights to trusted administrators only.
- Reboot affected hosts after patching to clear any leaked kernel memory accumulated prior to the fix.
Patch Information
The fix is committed across multiple stable branches of the Linux kernel. Refer to the upstream commits for branch-specific backports: Kernel Commit 184b3a5, Kernel Commit 78da433, Kernel Commit 82f8611, Kernel Commit 8351d18, Kernel Commit 8a71911, Kernel Commit a7e1bf3, Kernel Commit c0fd0fe, and Kernel Commit d452300. Distribution-provided kernels should be updated through the vendor's package manager once backports are released.
Workarounds
- Where patching is not immediately possible, blacklist the ftgmac100 module on hosts that do not require Faraday Ethernet support using /etc/modprobe.d/.
- Limit unprivileged user namespaces by setting kernel.unprivileged_userns_clone=0 to reduce the local attack surface for CAP_NET_ADMIN abuse.
- Constrain interface management to administrators by tightening Polkit and sudoers rules covering ip, ifconfig, and netlink helpers.
# Example: blacklist ftgmac100 where the driver is not required
echo 'blacklist ftgmac100' | sudo tee /etc/modprobe.d/blacklist-ftgmac100.conf
sudo depmod -a
# Restrict unprivileged user namespace creation
echo 'kernel.unprivileged_userns_clone=0' | sudo tee /etc/sysctl.d/99-userns.conf
sudo sysctl --system
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
