CVE-2026-43031
Analyzed Analyzed - Analysis Complete
Buffer Overflow in Xilinx AXI Ethernet Driver

Publication date: 2026-05-01

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net: xilinx: axienet: Fix BQL accounting for multi-BD TX packets When a TX packet spans multiple buffer descriptors (scatter-gather), axienet_free_tx_chain sums the per-BD actual length from descriptor status into a caller-provided accumulator. That sum is reset on each NAPI poll. If the BDs for a single packet complete across different polls, the earlier bytes are lost and never credited to BQL. This causes BQL to think bytes are permanently in-flight, eventually stalling the TX queue. The SKB pointer is stored only on the last BD of a packet. When that BD completes, use skb->len for the byte count instead of summing per-BD status lengths. This matches netdev_sent_queue(), which debits skb->len, and naturally survives across polls because no partial packet contributes to the accumulator.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-01
Last Modified
2026-05-08
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-14
NVD
CVE-2026-43031
EUVD
EUVD-2026-26630
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.19 (inc) to 6.19.12 (exc)
linux linux_kernel From 6.15 (inc) to 6.18.22 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's xilinx axienet network driver related to how it handles transmit (TX) packets that span multiple buffer descriptors (scatter-gather). Specifically, the function axienet_free_tx_chain incorrectly sums the lengths of each buffer descriptor's data during transmission. Because the sum is reset on each NAPI poll and packets can complete across multiple polls, some bytes are never credited properly to the Byte Queue Limits (BQL) accounting. This causes BQL to mistakenly believe that some bytes are still in-flight indefinitely, which eventually stalls the transmit queue.

The fix involves using the skb->len (socket buffer length) from the last buffer descriptor of a packet instead of summing the lengths from each descriptor. This approach aligns with how netdev_sent_queue() debits bytes and ensures accurate accounting across polls, preventing the TX queue from stalling.

Impact Analysis

This vulnerability can cause the transmit (TX) queue in the network driver to stall because the Byte Queue Limits (BQL) accounting incorrectly believes that some bytes are still in transmission when they are not. As a result, network transmission performance may degrade or halt, potentially leading to network communication issues or reduced throughput on affected systems using the xilinx axienet driver.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43031. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart