CVE-2026-31505
Out-of-Bounds Write in Linux iavf Driver's ethtool Stats Functions
Publication date: 2026-04-22
Last updated on: 2026-04-28
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 5.17 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | From 6.13 (inc) to 6.18.21 (exc) |
| linux | linux_kernel | From 6.19 (inc) to 6.19.11 (exc) |
| linux | linux_kernel | From 5.17.1 (inc) to 6.12.80 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided CVE description does not include any information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's iavf driver, specifically in the function iavf_get_ethtool_stats(). The issue arises because the driver incorrectly uses the variable real_num_tx_queues for ETH_SS_STATS, which can change at runtime, instead of using the immutable num_tx_queues. Additionally, different functions use inconsistent queue count variables (num_active_queues, real_num_tx_queues), leading to out-of-bounds writes when commands "ethtool -L" and "ethtool -S" are run simultaneously.
The problem occurs when the number of transmit queues changes (for example, from 1 to 8), and threads accessing these variables are scheduled in an order that causes a buffer to be allocated for fewer queues than are actually accessed, resulting in memory corruption due to out-of-bounds writes.
The fix involves using the immutable num_tx_queues variable consistently in all related functions to prevent this out-of-bounds memory access.
How can this vulnerability impact me? :
This vulnerability can lead to out-of-bounds memory writes in the Linux kernel's iavf driver, which may cause system instability, crashes, or potential kernel memory corruption.
Such memory corruption could be exploited to cause denial of service or potentially escalate privileges, depending on the context and attacker capabilities.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves out-of-bounds writes triggered by simultaneous use of "ethtool -L" and "ethtool -S" commands on the iavf driver.
To detect the vulnerability, you can monitor for crashes or kernel warnings related to KASAN (Kernel Address Sanitizer) reports involving iavf_get_ethtool_stats or related functions.
Specifically, running the following commands simultaneously may trigger the issue if the system is vulnerable:
- ethtool -L <interface>
- ethtool -S <interface>
Observing kernel logs (e.g., via dmesg) for KASAN out-of-bounds write errors related to iavf can help detect the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed by using the immutable num_tx_queues value consistently in the iavf driver functions to avoid out-of-bounds writes.
Immediate mitigation steps include:
- Update the Linux kernel to a version that includes the fix for this vulnerability.
- Avoid running "ethtool -L" and "ethtool -S" commands simultaneously on interfaces using the iavf driver until the fix is applied.
- Monitor kernel logs for any KASAN reports or crashes related to iavf and take appropriate action such as rebooting or applying patches.