CVE-2026-31649

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description An integer underflow exists in the jumbo frm() chain-mode implementation within the stmmac network driver. The issue occurs when a packet has a small linear portion but a large total length due to page fragments. Specifically, the subtraction of bmax from nopaged len wraps as an unsigned integer, resulting in an excessively large len value. This causes a loop to execute numerous iterations, passing pointers far beyond the skb buffer to dma map single(). On SoCs without an IOMMU, this can lead to kernel memory disclosure and potential memory corruption by mapping arbitrary kernel memory to the DMA engine.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.