CVE-2026-45940
Awaiting Analysis Awaiting Analysis - Queue
Linux kernel GMAC4 split header oops fix

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix oops when split header is enabled For GMAC4, when split header is enabled, in some rare cases, the hardware does not fill buf2 of the first descriptor with payload. Thus we cannot assume buf2 is always fully filled if it is not the last descriptor. Otherwise, the length of buf2 of the second descriptor will be calculated wrong and cause an oops: Unable to handle kernel paging request at virtual address ffff00019246bfc0 ... x2 : 0000000000000040 x1 : ffff00019246bfc0 x0 : ffff00009246c000 Call trace: dcache_inval_poc+0x28/0x58 (P) dma_direct_sync_single_for_cpu+0x38/0x6c __dma_sync_single_for_cpu+0x34/0x6c stmmac_napi_poll_rx+0x8f0/0xb60 __napi_poll.constprop.0+0x30/0x144 net_rx_action+0x160/0x274 handle_softirqs+0x1b8/0x1fc ... To fix this, the PL bit-field in RDES3 register is used for all descriptors, whether it is the last descriptor or not.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-27
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-45940
EUVD
EUVD-2026-32224
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's stmmac network driver when the split header feature is enabled for GMAC4 hardware. In rare cases, the hardware does not properly fill the second buffer (buf2) of the first descriptor with payload data. Because of this, the driver incorrectly assumes buf2 is always fully filled unless it is the last descriptor. This leads to an incorrect calculation of the length of buf2 in the second descriptor, which causes a kernel oops (a crash due to an invalid memory access).

The issue is fixed by using the PL bit-field in the RDES3 register for all descriptors, regardless of whether they are the last descriptor or not, ensuring correct length calculation and preventing the oops.

Impact Analysis

This vulnerability can cause the Linux kernel to crash (kernel oops) when processing network packets with the stmmac driver on affected hardware with split header enabled. Such crashes can lead to system instability, denial of service, or unexpected reboots, potentially disrupting network connectivity and services running on the affected system.

Mitigation Strategies

The vulnerability is fixed by using the PL bit-field in the RDES3 register for all descriptors, whether it is the last descriptor or not. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45940. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart