UFN in Linux Kernel TI icssg-prueth: CPPI Desc Free Before Timestamp Access
CVE-2026-31501 Published on April 22, 2026
net: ti: icssg-prueth: fix use-after-free of CPPI descriptor in RX path
In the Linux kernel, the following vulnerability has been resolved:
net: ti: icssg-prueth: fix use-after-free of CPPI descriptor in RX path
cppi5_hdesc_get_psdata() returns a pointer into the CPPI descriptor.
In both emac_rx_packet() and emac_rx_packet_zc(), the descriptor is
freed via k3_cppi_desc_pool_free() before the psdata pointer is used
by emac_rx_timestamp(), which dereferences psdata[0] and psdata[1].
This constitutes a use-after-free on every received packet that goes
through the timestamp path.
Defer the descriptor free until after all accesses through the psdata
pointer are complete. For emac_rx_packet(), move the free into the
requeue label so both early-exit and success paths free the descriptor
after all accesses are done. For emac_rx_packet_zc(), move the free to
the end of the loop body after emac_dispatch_skb_zc() (which calls
emac_rx_timestamp()) has returned.
Products Associated with CVE-2026-31501
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version 46eeb90f03e03d5e8f7f9f1f0eb0792104fc5f86 and below d5827316debcb677679bb014885d7be92c410e11 is affected.
- Version 46eeb90f03e03d5e8f7f9f1f0eb0792104fc5f86 and below eb8c426c9803beb171f89d15fea17505eb517714 is affected.
- Version 6.15 is affected.
- Before 6.15 is unaffected.
- Version 6.19.11, <= 6.19.* is unaffected.
- Version 7.0, <= * is unaffected.