PT-2026-30178 · Linux · Linux

Published 2026-04-03 · Updated 2026-04-03 · CVE-2026-31395 · Severity: None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
In the Linux kernel, the following vulnerability has been resolved:
bnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler
The ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER handler in bnxt_async_event_process() uses a firmware-supplied 'type' field directly as an index into bp->bs_trace[] without bounds validation.
The 'type' field is a 16-bit value extracted from DMA-mapped completion ring memory that the NIC writes directly to host RAM. A malicious or compromised NIC can supply any value from 0 to 65535, causing an out-of-bounds access into kernel heap memory.
The bnxt_bs_trace_check_wrap() call then dereferences bs_trace->magic_byte and writes to bs_trace->last_offset and bs_trace->wrapped, leading to kernel memory corruption or a crash.
Fix by adding a bounds check and defining BNXT_TRACE_MAX as DBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE + 1 to cover all currently defined firmware trace types (0x0 through 0xc).
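
The bounds check described above, modelled in userspace C as an added example (not the driver's code or the upstream patch). Every `model_` name, the `0xbc` sentinel and the placement of the type in the low 16 bits of `data1` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Userspace model; names prefixed model_/MODEL_ are hypothetical, not driver code. */
#define MODEL_TRACE_LAST_TYPE 0xc                   /* highest type per the advisory */
#define MODEL_TRACE_MAX (MODEL_TRACE_LAST_TYPE + 1) /* array size and index bound */
#define MODEL_MAGIC 0xbc                            /* constructed sentinel value */

struct model_bs_trace {
    uint8_t *magic_byte;    /* points at the sentinel byte of a trace buffer */
    uint32_t last_offset;
    uint8_t wrapped;
};

struct model_dev {
    struct model_bs_trace bs_trace[MODEL_TRACE_MAX];
    uint8_t magic[MODEL_TRACE_MAX];   /* stand-in for each buffer's sentinel */
};

void model_dev_init(struct model_dev *d)
{
    for (size_t i = 0; i < MODEL_TRACE_MAX; i++) {
        d->magic[i] = MODEL_MAGIC;
        d->bs_trace[i] = (struct model_bs_trace){ .magic_byte = &d->magic[i] };
    }
}

/* Reads through magic_byte and writes two fields: with an unchecked index,
 * both the read and the writes would land outside bs_trace[]. */
static void model_check_wrap(struct model_bs_trace *t, uint32_t offset)
{
    if (!t->wrapped && *t->magic_byte != MODEL_MAGIC)
        t->wrapped = 1;
    t->last_offset = offset;
}

/* Handler with the bounds check. data1/data2 model the event words the device
 * writes into the completion ring (assumed layout: type in the low 16 bits of
 * data1, offset in data2). Returns 0 if handled, -1 if the event is dropped. */
int model_handle_dbg_buf_producer(struct model_dev *d, uint32_t data1, uint32_t data2)
{
    uint16_t type = (uint16_t)(data1 & 0xffff);   /* device-controlled value */

    if (type >= MODEL_TRACE_MAX)
        return -1;                                /* reject before indexing */
    model_check_wrap(&d->bs_trace[type], data2);
    return 0;
}
```

The check sits between extracting the device-controlled value and its first use as an index, so any of the 65536 possible `type` values either maps to a real array slot or is dropped without touching memory.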

Related Identifiers

CVE-2026-31395

Affected Products

Linux