In the Linux kernel, the following vulnerability has been resolved:
bnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler
The ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER handler in bnxt_async_event_process() uses a firmware-supplied 'type' field directly as an index into bp->bs_trace[] without bounds validation.
The 'type' field is a 16-bit value extracted from DMA-mapped completion ring memory that the NIC writes directly to host RAM. A malicious or compromised NIC can supply any value from 0 to 65535, causing an out-of-bounds access into kernel heap memory.
The bnxt_bs_trace_check_wrap() call then dereferences bs_trace->magic_byte and writes to bs_trace->last_offset and bs_trace->wrapped, leading to kernel memory corruption or a crash.
Fix by adding a bounds check and defining BNXT_TRACE_MAX as DBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE + 1 to cover all currently defined firmware trace types (0x0 through 0xc).
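The bounds check described above, as a user-space model added here for illustration; it is not the driver's code or the upstream patch. The struct layout, TRACE_MAGIC, the low-16-bit position of 'type' in data1, and the -EINVAL return are assumptions; only the 0x0 through 0xc range and the fields touched come from the advisory.

```c
#include <errno.h>
#include <stdint.h>

/* Simplified stand-ins (assumptions), not the driver's definitions. */
#define TRACE_TYPE_LAST 0xc                /* highest trace type named in the advisory */
#define TRACE_MAX       (TRACE_TYPE_LAST + 1)
#define TRACE_MAGIC     0xa5               /* constructed value */

struct trace_info {
    uint8_t *magic_byte;                   /* points into the trace buffer */
    uint32_t last_offset;
    uint8_t  wrapped;
};

static uint8_t trace_buf_tail = TRACE_MAGIC;   /* constructed buffer byte */
static struct trace_info bs_trace[TRACE_MAX];

/* Modelled on the advisory: reads magic_byte, writes last_offset and wrapped. */
static void trace_check_wrap(struct trace_info *t, uint32_t offset)
{
    if (!t->wrapped && *t->magic_byte != TRACE_MAGIC)
        t->wrapped = 1;
    t->last_offset = offset;
}

/* data1 models the device-written event word; 'type' is its low 16 bits (assumed layout). */
int handle_dbg_buf_producer(uint32_t data1, uint32_t offset)
{
    uint16_t type = (uint16_t)(data1 & 0xffff);

    for (int i = 0; i < TRACE_MAX; i++)    /* demo setup only */
        if (!bs_trace[i].magic_byte)
            bs_trace[i].magic_byte = &trace_buf_tail;

    /* Without this check, type 0xd..0xffff indexes past bs_trace[]. */
    if (type >= TRACE_MAX)
        return -EINVAL;

    trace_check_wrap(&bs_trace[type], offset);
    return 0;
}

/* Read back the recorded offset for an in-range type (0 if out of range). */
uint32_t trace_last_offset(uint16_t type)
{
    return type < TRACE_MAX ? bs_trace[type].last_offset : 0;
}

int main(void) { return handle_dbg_buf_producer(0xffff, 0) == -EINVAL ? 0 : 1; }
```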
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31395.json",
"cna_assigner": "Linux"
}