KernelScan.io

HIGH

lan966x FDMA Buffer UAF

CVE-2026-31644

CVSS 7.8 / 10.0 (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 7.8 HIGH


In the Linux kernel, the following vulnerability has been resolved:

net: lan966x: fix use-after-free and leak in lan966x_fdma_reload()

When lan966x_fdma_reload() fails to allocate new RX buffers, the restore path restarts DMA using old descriptors whose pages were already freed via lan966x_fdma_rx_free_pages(). Since page_pool_put_full_page() can release pages back to the buddy allocator, the hardware may DMA into memory now owned by other kernel subsystems.

Additionally, on the restore path, the newly created page pool (if allocation partially succeeded) is overwritten without being destroyed, leaking it.

Fix both issues by deferring the release of old pages until after the new allocation succeeds. Save the old page array before the allocation so old pages can be freed on the success path. On the failure path, the old descriptors, pages and page pool are all still valid, making the restore safe.

Also ensure the restore path re-enables NAPI and wakes the netdev, matching the success path.


Engine v0.2.0

Risk summary

A use-after-free vulnerability in the LAN966X Ethernet driver allows hardware DMA operations to write into freed memory pages that may have been reallocated to other kernel subsystems. This can lead to memory corruption, system crashes, or potential privilege escalation. The issue occurs when network buffer reallocation fails during interface reconfiguration, requiring administrative privileges to trigger.

Affected: drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c

Vulnerability analysis

Root Cause: In lan966x_fdma_reload(), when new RX buffer allocation fails, the restore path attempts to restart DMA using old descriptors whose pages were already freed via lan966x_fdma_rx_free_pages(). The pages are released back to the buddy allocator through page_pool_put_full_page(), making them available for reuse by other kernel subsystems while the hardware may still DMA into them.

Attack Surface: Local; requires privileged access to trigger network interface reconfiguration (MTU changes). The vulnerability occurs during network buffer reallocation, typically triggered by administrative network configuration changes.

Fix Mechanism: The fix defers the release of old pages until after new allocation succeeds. It saves the old page array before allocation, only freeing old pages on the success path. On failure, old descriptors, pages and page pool remain valid for safe restore. The patch also fixes a page pool leak by ensuring proper cleanup and adds missing NAPI re-enable and netdev wake calls on the restore path.


Branch     Fixed in   Patch commit
6.12       6.12.82    691082c0b93c
6.18       6.18.23    92a673019943
6.19       6.19.13    9950e9199b3d
mainline   7.0        59c3d55a946c