PT-2026-34406 · Linux · Linux Kernel

Published 2026-04-22 · Updated 2026-04-28 · CVE-2026-31501

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified)

Description: A use-after-free issue exists in the RX path of the icssg-prueth component. The function cppi5_hdesc_get_psdata() returns a pointer to the CPPI descriptor. In the functions emac_rx_packet() and emac_rx_packet_zc(), the descriptor is released via k3_cppi_desc_pool_free() before the psdata pointer is utilized by emac_rx_timestamp(), which dereferences psdata[0] and psdata[1].

Recommendations: For the affected versions, ensure the descriptor is freed only after all accesses through the psdata pointer are complete. In emac_rx_packet(), move the free operation to the requeue label. In emac_rx_packet_zc(), move the free operation to the end of the loop body after emac_dispatch_skb_zc() has returned.
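
The ordering problem described above, as a user-space model added here for illustration; it is not the kernel driver's code. All names, the descriptor layout, the poison value and the way the two psdata words are combined into a timestamp are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define POISON 0x6b6b6b6bu  /* constructed poison pattern written on free */

struct desc { int in_use; uint32_t psdata[4]; };  /* hypothetical descriptor layout */
static struct desc pool[2];                       /* stand-in for the descriptor pool */

static struct desc *pool_alloc(uint32_t lo, uint32_t hi)
{
    for (int i = 0; i < 2; i++) {
        if (pool[i].in_use)
            continue;
        pool[i] = (struct desc){ .in_use = 1, .psdata = { lo, hi } };
        return &pool[i];
    }
    return NULL;
}

/* Freeing poisons the slot, as a debug allocator would, so a stale read is visible. */
static void pool_free(struct desc *d)
{
    *d = (struct desc){ .in_use = 0, .psdata = { POISON, POISON, POISON, POISON } };
}

/* Assumed combination of the two words the advisory says are dereferenced. */
static uint64_t rx_timestamp(const uint32_t *psdata)
{
    return ((uint64_t)psdata[1] << 32) | psdata[0];
}

/* Vulnerable ordering: descriptor released before psdata is consumed. */
static uint64_t rx_packet_buggy(uint32_t lo, uint32_t hi)
{
    struct desc *d = pool_alloc(lo, hi);
    uint32_t *psdata = d->psdata;   /* pointer into the descriptor */
    pool_free(d);
    return rx_timestamp(psdata);    /* reads poisoned (or reused) contents */
}

/* Fixed ordering: free only after the last access through psdata. */
static uint64_t rx_packet_fixed(uint32_t lo, uint32_t hi)
{
    struct desc *d = pool_alloc(lo, hi);
    uint64_t ts = rx_timestamp(d->psdata);
    pool_free(d);
    return ts;
}

int main(void)
{
    printf("buggy: %llx\n", (unsigned long long)rx_packet_buggy(0x11111111u, 0x22222222u));
    printf("fixed: %llx\n", (unsigned long long)rx_packet_fixed(0x11111111u, 0x22222222u));
    return 0;
}
```

In the model the stale read returns the poison pattern; in a real pool the slot may instead hold another packet's descriptor, which is why the free has to follow the last psdata access.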

Fix

Use After Free


Weakness Enumeration

Related Identifiers

CVE-2026-31501

Affected Products

Linux Kernel