CVE-2026-31494

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
22/04/2026
Last modified:
22/04/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

net: macb: use the current queue number for stats

There's a potential mismatch between the memory reserved for statistics
and the amount of memory written.

gem_get_sset_count() correctly computes the number of stats based on the
active queues, whereas gem_get_ethtool_stats() indiscriminately copies
data using the maximum number of queues, and in the case the number of
active queues is less than MACB_MAX_QUEUES, this results in an OOB write
as observed in the KASAN splat.

==================================================================
BUG: KASAN: vmalloc-out-of-bounds in gem_get_ethtool_stats+0x54/0x78 [macb]
Write of size 760 at addr ffff80008080b000 by task ethtool/1027

CPU: [...]
Tainted: [E]=UNSIGNED_MODULE
Hardware name: raspberrypi rpi/rpi, BIOS 2025.10 10/01/2025
Call trace:
 show_stack+0x20/0x38 (C)
 dump_stack_lvl+0x80/0xf8
 print_report+0x384/0x5e0
 kasan_report+0xa0/0xf0
 kasan_check_range+0xe8/0x190
 __asan_memcpy+0x54/0x98
 gem_get_ethtool_stats+0x54/0x78 [macb 926c13f3af83b0c6fe64badb21ec87d5e93fcf65]
 dev_ethtool+0x1220/0x38c0
 dev_ioctl+0x4ac/0xca8
 sock_do_ioctl+0x170/0x1d8
 sock_ioctl+0x484/0x5d8
 __arm64_sys_ioctl+0x12c/0x1b8
 invoke_syscall+0xd4/0x258
 el0_svc_common.constprop.0+0xb4/0x240
 do_el0_svc+0x48/0x68
 el0_svc+0x40/0xf8
 el0t_64_sync_handler+0xa0/0xe8
 el0t_64_sync+0x1b0/0x1b8

The buggy address belongs to a 1-page vmalloc region starting at 0xffff80008080b000 allocated at dev_ethtool+0x11f0/0x38c0
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff00000a333000 pfn:0xa333
flags: 0x7fffc000000000(node=0|zone=0|lastcpupid=0x1ffff)
raw: 007fffc000000000 0000000000000000 dead000000000122 0000000000000000
raw: ffff00000a333000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff80008080b080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff80008080b100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff80008080b180: 00 00 00 00 00 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                                  ^
 ffff80008080b200: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffff80008080b280: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================

Fix it by making sure the copied size only considers the active number of
queues.
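
A simplified user-space model of the count/copy mismatch described above, added here as an illustration; it is not the macb driver's code. The `model_*` names and the constants are assumptions, with the constants chosen so that the pre-fix copy length equals the 760-byte write in the KASAN report.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative constants (assumed, not read from the driver), chosen so the
 * max-queue copy is 760 bytes, the write size in the KASAN report above. */
#define MODEL_MAX_QUEUES  8
#define MODEL_BASE_STATS  47
#define MODEL_QUEUE_STATS 6
#define MODEL_MAX_STATS   (MODEL_BASE_STATS + MODEL_QUEUE_STATS * MODEL_MAX_QUEUES)

static uint64_t model_stats[MODEL_MAX_STATS];  /* driver-side storage, max-sized */

/* Count side: u64 entries the caller reserves for num_queues active queues. */
static size_t model_sset_count(unsigned int num_queues)
{
    return MODEL_BASE_STATS + MODEL_QUEUE_STATS * (size_t)num_queues;
}

/* Copy length in bytes: pre-fix ignores num_queues and uses the maximum;
 * post-fix derives it from the same count the caller allocated with. */
static size_t model_copy_bytes(unsigned int num_queues, int fixed)
{
    size_t n = fixed ? model_sset_count(num_queues) : MODEL_MAX_STATS;
    return n * sizeof(uint64_t);
}

/* Bounds-checked copy for the model: returns bytes copied, or 0 when
 * copy_bytes would run past the caller's buf_bytes. */
static size_t model_get_stats(uint64_t *buf, size_t buf_bytes, size_t copy_bytes)
{
    if (copy_bytes > buf_bytes)
        return 0;
    memcpy(buf, model_stats, copy_bytes);
    return copy_bytes;
}

int main(void)
{
    unsigned int active = 1;            /* fewer than MODEL_MAX_QUEUES */
    uint64_t buf[MODEL_MAX_STATS];      /* only `room` bytes count as reserved */
    size_t room = model_sset_count(active) * sizeof(uint64_t);
    printf("reserved=%zu pre_fix_len=%zu post_fix_len=%zu\n", room,
           model_copy_bytes(active, 0), model_copy_bytes(active, 1));
    printf("pre_fix copied=%zu post_fix copied=%zu\n",
           model_get_stats(buf, room, model_copy_bytes(active, 0)),
           model_get_stats(buf, room, model_copy_bytes(active, 1)));
    return 0;
}
```

The invariant to check in review is that the copy length and the reported count come from the same queue number for every possible number of active queues.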

Impact