KernelScan.io

CRITICAL

icssg CPPI Descriptor UAF

CVE-2026-31501

CVSS 9.8 / 10.0 NVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 9.8 CRITICAL


In the Linux kernel, the following vulnerability has been resolved:

net: ti: icssg-prueth: fix use-after-free of CPPI descriptor in RX path

cppi5_hdesc_get_psdata() returns a pointer into the CPPI descriptor. In both emac_rx_packet() and emac_rx_packet_zc(), the descriptor is freed via k3_cppi_desc_pool_free() before the psdata pointer is used by emac_rx_timestamp(), which dereferences psdata[0] and psdata[1]. This constitutes a use-after-free on every received packet that goes through the timestamp path.

Defer the descriptor free until after all accesses through the psdata pointer are complete. For emac_rx_packet(), move the free into the requeue label so both early-exit and success paths free the descriptor after all accesses are done. For emac_rx_packet_zc(), move the free to the end of the loop body after emac_dispatch_skb_zc() (which calls emac_rx_timestamp()) has returned.


Engine v0.2.0

Risk summary

A critical use-after-free vulnerability in the TI ICSSG PRU Ethernet driver allows memory corruption on every timestamped network packet. This can lead to system crashes, memory corruption, or potentially code execution when processing network traffic on affected TI hardware platforms.

Affected: drivers/net/ethernet/ti/icssg/icssg_common.c

Vulnerability analysis

Root Cause: In the TI ICSSG PRU Ethernet driver's RX packet processing functions (emac_rx_packet() and emac_rx_packet_zc()), the CPPI descriptor is freed via k3_cppi_desc_pool_free() before the psdata pointer (obtained from cppi5_hdesc_get_psdata()) is used by emac_rx_timestamp(). Since psdata points into the freed descriptor memory, accessing psdata[0] and psdata[1] in emac_rx_timestamp() constitutes a use-after-free vulnerability that occurs on every received packet going through the timestamp path.

Attack Surface: This vulnerability affects network packet reception on TI ICSSG PRU Ethernet interfaces. It can be triggered by any network packet that goes through the timestamp processing path, making it exploitable from the network without requiring local access or special privileges. The vulnerability was introduced when page_pool API support was added for RX buffer allocation.

Fix Mechanism: The fix reorders the operations to defer the descriptor free until after all accesses through the psdata pointer are complete. In emac_rx_packet(), the k3_cppi_desc_pool_free() call is moved to the 'requeue' label so both early-exit and success paths free the descriptor after timestamp processing. In emac_rx_packet_zc(), the free is moved to the end of the loop body after emac_dispatch_skb_zc() (which calls emac_rx_timestamp()) has returned.


Branch      Fixed in    Patch commit
6.19        6.19.11     d5827316debc
mainline    7.0         eb8c426c9803