PT-2026-30178 · Broadcom+1 · Bnxt+1

Published: 2026-04-03 · Updated: 2026-05-20 · CVE-2026-31395

CVSS v3.1: 7.1 High

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified)

Description: The ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER handler in bnxt_async_event_process() uses a firmware-supplied 'type' field directly as an index into bp->bs_trace[] without bounds validation. The 'type' field, a 16-bit value from DMA-mapped completion ring memory written by the NIC, can be manipulated to cause an out-of-bounds access into kernel heap memory. This can lead to kernel memory corruption or a crash due to dereferencing bs_trace->magic_byte and writing to bs_trace->last_offset and bs_trace->wrapped.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
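The missing bounds check described above, modelled in user-space C as an added example; it is not the driver's code or an upstream patch. TRACE_MAX, TRACE_MAGIC, struct trace_info, struct nic_dev and the on_producer_event_* functions are hypothetical names chosen for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define TRACE_MAX   4     /* hypothetical count of valid trace types */
#define TRACE_MAGIC 0xee  /* hypothetical "buffer not yet wrapped" marker */

/* Hypothetical model of the per-type state named in the advisory. */
struct trace_info {
    const uint8_t *magic_byte;
    uint32_t last_offset;
    uint8_t wrapped;
};

struct nic_dev { struct trace_info bs_trace[TRACE_MAX]; };

/* The pointer dereference and the two writes the advisory describes. */
void trace_update(struct trace_info *t, uint32_t offset)
{
    if (!t->wrapped && *t->magic_byte != TRACE_MAGIC)
        t->wrapped = 1;
    t->last_offset = offset;
}

/* Unchecked form: a device-written 16-bit value indexes the array directly,
 * so any type >= TRACE_MAX reaches memory outside bs_trace[]. */
void on_producer_event_unchecked(struct nic_dev *bp, uint16_t type, uint32_t off)
{
    trace_update(&bp->bs_trace[type], off);
}

/* Checked form: reject the event before the index is ever used. */
int on_producer_event_checked(struct nic_dev *bp, uint16_t type, uint32_t off)
{
    if (type >= TRACE_MAX)
        return -EINVAL;
    trace_update(&bp->bs_trace[type], off);
    return 0;
}

int main(void)
{
    uint8_t marker = TRACE_MAGIC;   /* constructed sample state */
    struct nic_dev dev = {0};
    for (int i = 0; i < TRACE_MAX; i++)
        dev.bs_trace[i].magic_byte = &marker;
    printf("type 2: %d, type 0xffff: %d\n", on_producer_event_checked(&dev, 2, 0x100),
           on_producer_event_checked(&dev, 0xffff, 0x100));
    return 0;
}
```

The check treats the completion-ring field as untrusted input and validates it against the array size before any pointer is formed from it.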

Out of bounds Read

Weakness Enumeration

Related Identifiers

CVE-2026-31395

Affected Products

Linux Kernel
Bnxt