CVE-2026-43031
Analyzed Analyzed - Analysis Complete

Buffer Overflow in Xilinx AXI Ethernet Driver

Vulnerability report for CVE-2026-43031, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-01

Last updated on: 2026-05-08

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: net: xilinx: axienet: Fix BQL accounting for multi-BD TX packets When a TX packet spans multiple buffer descriptors (scatter-gather), axienet_free_tx_chain sums the per-BD actual length from descriptor status into a caller-provided accumulator. That sum is reset on each NAPI poll. If the BDs for a single packet complete across different polls, the earlier bytes are lost and never credited to BQL. This causes BQL to think bytes are permanently in-flight, eventually stalling the TX queue. The SKB pointer is stored only on the last BD of a packet. When that BD completes, use skb->len for the byte count instead of summing per-BD status lengths. This matches netdev_sent_queue(), which debits skb->len, and naturally survives across polls because no partial packet contributes to the accumulator.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-01
Last Modified
2026-05-08
Generated
2026-07-06
AI Q&A
2026-05-01
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 8 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.19 (inc) to 6.19.12 (exc)
linux linux_kernel From 6.15 (inc) to 6.18.22 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's xilinx axienet network driver related to how it handles transmit (TX) packets that span multiple buffer descriptors (scatter-gather). Specifically, the function axienet_free_tx_chain incorrectly sums the lengths of each buffer descriptor's data during transmission. Because the sum is reset on each NAPI poll and packets can complete across multiple polls, some bytes are never credited properly to the Byte Queue Limits (BQL) accounting. This causes BQL to mistakenly believe that some bytes are still in-flight indefinitely, which eventually stalls the transmit queue.

The fix involves using the skb->len (socket buffer length) from the last buffer descriptor of a packet instead of summing the lengths from each descriptor. This approach aligns with how netdev_sent_queue() debits bytes and ensures accurate accounting across polls, preventing the TX queue from stalling.

Impact Analysis

This vulnerability can cause the transmit (TX) queue in the network driver to stall because the Byte Queue Limits (BQL) accounting incorrectly believes that some bytes are still in transmission when they are not. As a result, network transmission performance may degrade or halt, potentially leading to network communication issues or reduced throughput on affected systems using the xilinx axienet driver.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43031. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart