CVE-2026-31501
Use-After-Free in Linux Kernel ICSSG PRU Ethernet RX Path
Publication date: 2026-04-22
Last updated on: 2026-04-28
Assigner: kernel.org
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 6.15 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | From 6.15.1 (inc) to 6.19.11 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a use-after-free issue in the Linux kernel's network driver for the TI ICSSG PRU Ethernet (icssg-prueth). Specifically, a pointer to a CPPI descriptor's data (psdata) is accessed after the descriptor has already been freed. The functions emac_rx_packet() and emac_rx_packet_zc() free the descriptor too early, before the psdata pointer is used by emac_rx_timestamp(), which dereferences elements of psdata. This results in accessing memory that has been freed, which is unsafe and can cause undefined behavior.
The fix involves deferring the freeing of the descriptor until after all accesses through the psdata pointer are complete, ensuring the pointer is not used after the memory is freed.
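The ordering problem described above, as an added user-space model in C (not the driver's code and not part of the original page). The pool, descriptor layout and function names are hypothetical, and freeing writes a constructed poison value to stand in for the descriptor being reused by another packet.

```c
#include <stdint.h>

#define POISON 0xDEADBEEFu          /* constructed marker written on free */

/* Hypothetical stand-in for a CPPI descriptor; not the driver's real layout. */
struct desc {
    uint32_t psdata[2];             /* holds the RX timestamp in this model */
};

static struct desc pool[1];         /* one slot: a freed descriptor is reused at once */

static struct desc *pool_alloc(uint32_t lo, uint32_t hi)
{
    pool[0].psdata[0] = lo;
    pool[0].psdata[1] = hi;
    return &pool[0];
}

/* Freeing poisons the slot, standing in for reuse by another packet. */
static void pool_free(struct desc *d)
{
    d->psdata[0] = d->psdata[1] = POISON;
}

/* Models the timestamp step, which dereferences psdata. */
static uint64_t rx_timestamp(const uint32_t *psdata)
{
    return ((uint64_t)psdata[1] << 32) | psdata[0];
}

/* Vulnerable ordering: descriptor freed before psdata is read. */
uint64_t rx_early_free(uint32_t lo, uint32_t hi)
{
    struct desc *d = pool_alloc(lo, hi);
    uint32_t *psdata = d->psdata;
    pool_free(d);
    return rx_timestamp(psdata);    /* stale pointer: sees poisoned contents */
}

/* Fixed ordering: free deferred until after the last psdata access. */
uint64_t rx_deferred_free(uint32_t lo, uint32_t hi)
{
    struct desc *d = pool_alloc(lo, hi);
    uint64_t ts = rx_timestamp(d->psdata);
    pool_free(d);
    return ts;
}
```

In the model the early-free path returns a timestamp built from the poison value, while the deferred-free path returns the value that was stored in the descriptor.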
How can this vulnerability impact me?
A use-after-free vulnerability can lead to undefined behavior such as system crashes, data corruption, or potential security risks like arbitrary code execution if exploited. In this case, since the vulnerability occurs in the network driver receiving packets, it could be triggered by network traffic, potentially allowing an attacker to cause denial of service or execute malicious code within the kernel context.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is a use-after-free issue in the Linux kernel's TI icssg-prueth driver, in the CPPI descriptor handling of the RX path.
To mitigate this vulnerability, update your Linux kernel to a version where this issue is fixed. The fix involves deferring the freeing of the CPPI descriptor until after all accesses through the psdata pointer are complete.
Specifically, the fix moves the descriptor free operation to occur after the timestamp data is accessed, ensuring no use-after-free occurs.
Therefore, applying the vendor or distribution kernel update that includes this patch is the immediate recommended step.