CVE-2026-43371

Name of the Vulnerable Software and Affected Versions Linux kernel (affected versions not specified)

Description A problem in the macb driver occurs when transmit is disabled, as the transmit buffer queue pointer resets to the address specified by the transmit buffer queue base address register. The current implementation only resets queue->tx head and queue->tx tail to '0', which leads to several issues: packets already queued in the tx ring are silently lost causing memory leaks, concurrent write access to queue->tx head and queue->tx tail may occur from macb tx poll() or macb start xmit(), and transmission may become stuck on a packet that has been sent but not processed. This happens because macb tx poll() incorrectly assumes no packets need handling when queue->tx head equals queue->tx tail.

Recommendations Shuffle the tx ring and tx skb array to position the first unsent packet at the start of the tx ring and ensure updates to queue->tx head and queue->tx tail are protected with the appropriate lock.