HIGH 7.5

CVE-2026-46110

CVE-2026-46110 is a NULL pointer dereference vulnerability in the Linux kernel's stmmac network driver that can crash a system when memory becomes exhausted during packet reception. The driver manages a circular ring of descriptors to coordinate DMA transfers between the CPU and network hardware. When the driver runs out of memory to allocate new receive buffers, it can incorrectly process already-used descriptors as if they were fresh, leading to a kernel panic. This occurs because the driver doesn't properly distinguish between descriptors that are waiting to be refilled versus those that have already been processed.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-476
Affected products
10 configuration(s)
Published / Modified
2026-05-28 / 2026-06-24

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: net: stmmac: Prevent NULL deref when RX memory exhausted The CPU receives frames from the MAC through conventional DMA: the CPU allocates buffers for the MAC, then the MAC fills them and returns ownership to the CPU. For each hardware RX queue, the CPU and MAC coordinate through a shared ring array of DMA descriptors: one descriptor per DMA buffer. Each descriptor includes the buffer's physical address and a status flag ("OWN") indicating which side owns the buffer: OWN=0 for CPU, OWN=1 for MAC. The CPU is only allowed to set the flag and the MAC is only allowed to clear it, and both must move through the ring in sequence: thus the ring is used for both "submissions" and "completions." In the stmmac driver, stmmac_rx() bookmarks its position in the ring with the `cur_rx` index. The main receive loop in that function checks for rx_descs[cur_rx].own=0, gives the corresponding buffer to the network stack (NULLing the pointer), and increments `cur_rx` modulo the ring size. After the loop exits, stmmac_rx_refill(), which bookmarks its position with `dirty_rx`, allocates fresh buffers and rearms the descriptors (setting OWN=1). If it fails any allocation, it simply stops early (leaving OWN=0) and will retry where it left off when next called. This means descriptors have a three-stage lifecycle (terms my own): - `empty` (OWN=1, buffer valid) - `full` (OWN=0, buffer valid and populated) - `dirty` (OWN=0, buffer NULL) But because stmmac_rx() only checks OWN, it confuses `full`/`dirty`. In the past (see 'Fixes:'), there was a bug where the loop could cycle `cur_rx` all the way back to the first descriptor it dirtied, resulting in a NULL dereference when mistaken for `full`. The aforementioned commit resolved that *specific* failure by capping the loop's iteration limit at `dma_rx_size - 1`, but this is only a partial fix: if the previous stmmac_rx_refill() didn't complete, then there are leftover `dirty` descriptors that the loop might encounter without needing to cycle fully around. The current code therefore panics (see 'Closes:') when stmmac_rx_refill() is memory-starved long enough for `cur_rx` to catch up to `dirty_rx`. Fix this by explicitly checking, before advancing `cur_rx`, if the next entry is dirty; exit the loop if so. This prevents processing of the final, used descriptor until stmmac_rx_refill() succeeds, but fully prevents the `cur_rx == dirty_rx` ambiguity as the previous bugfix intended: so remove the clamp as well. Since stmmac_rx_zc() is a copy-paste-and-tweak of stmmac_rx() and the code structure is identical, any fix to stmmac_rx() will also need a corresponding fix for stmmac_rx_zc(). Therefore, apply the same check there. In stmmac_rx() (not stmmac_rx_zc()), a related bug remains: after the MAC sets OWN=0 on the final descriptor, it will be unable to send any further DMA-complete IRQs until it's given more `empty` descriptors. Currently, the driver simply *hopes* that the next stmmac_rx_refill() succeeds, risking an indefinite stall of the receive process if not. But this is not a regression, so it can be addressed in a future change.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The stmmac driver uses a ring buffer of DMA descriptors to receive network packets, with two pointers tracking position: `cur_rx` (consumption point) and `dirty_rx` (refill point). Each descriptor cycles through states: empty (OWN=1, valid buffer), full (OWN=0, valid buffer with data), and dirty (OWN=0, NULL buffer). The vulnerability exists because stmmac_rx() only checks the OWN flag and cannot distinguish between full and dirty descriptors. When stmmac_rx_refill() fails to allocate memory, it leaves descriptors in the dirty state. If packet arrival continues, the cur_rx pointer can advance into the range of unfilled descriptors, causing the driver to dereference NULL pointers. A previous partial fix capped iteration at dma_rx_size - 1, but this doesn't prevent catching up to dirty_rx when refill operations are incomplete. The fix adds an explicit check before advancing cur_rx to detect if the next descriptor is dirty and exit the loop if so, preventing NULL dereference. The identical copy-pasted code path stmmac_rx_zc() requires the same fix.

Business impact

System stability is directly threatened. Affected Linux systems—particularly those running network-intensive workloads or deployed in memory-constrained environments—can experience kernel panics during normal operation when receive buffer allocation stalls. This can cause unplanned downtime, service interruption, and data loss if applications don't gracefully handle abrupt system shutdown. Embedded systems, IoT devices, and edge servers relying on stmmac-compatible hardware (Synopsys GMAC controllers) are especially vulnerable if they operate under sustained network load with periodic memory pressure.

Affected systems

The Linux kernel in all versions containing the stmmac driver is affected. This driver supports Synopsys GMAC and related MAC controllers commonly found in ARM SoCs, x86 network cards, and embedded systems. Specific distributions and kernel versions vary; administrators should check their kernel version against vendor advisories. Systems with limited RAM or those running memory-intensive workloads in parallel with high network throughput are at elevated risk. Not all systems using Linux are affected—only those where the stmmac driver is compiled and in use.

Exploitability

Exploitation does not require network-based code execution or special privileges. The vulnerability triggers automatically under conditions of sustained packet reception combined with memory pressure—no attacker action is necessary. However, triggering it reliably requires either crafting a specific network traffic pattern or running a memory-exhaustion scenario locally. This limits opportunistic remote exploitation but makes it a genuine denial-of-service risk in environments where an attacker can sustain high packet rates (e.g., DDoS) or where memory is already constrained. The KEV catalog does not currently list this CVE, suggesting it is not yet widely weaponized in the wild.

Remediation

Apply a kernel update that includes the fix for stmmac_rx() and stmmac_rx_zc() to add the dirty descriptor check before advancing cur_rx, and remove the previous iteration cap (dma_rx_size - 1). Until patched, mitigations are limited to operational measures: increase available system memory, tune buffer allocation parameters if configurable, monitor for sudden resets attributed to kernel panics, and reduce sustained network load where feasible. For production systems, prioritize patching over workarounds.

Patch guidance

Consult your Linux distribution (Red Hat, Canonical, SUSE, etc.) or kernel maintainer for availability of a patched kernel version. The upstream Linux kernel maintainers resolved this in the mainline repository with a commit adding an explicit dirty descriptor check in both stmmac_rx() and stmmac_rx_zc(). Verify patch details against the vendor advisory to confirm both code paths are addressed. Test the update in a non-production environment first to confirm stability with your hardware and workload.

Detection guidance

Monitor system logs for kernel panics (oops/BUG reports) that reference stmmac or the network stack, especially those mentioning NULL pointer dereference and occurring during periods of high network traffic or memory pressure. Enable kernel debugging if possible to capture stack traces pointing to stmmac_rx() or stmmac_rx_zc(). Correlate crashes with memory exhaustion events or sustained high packet rates. Automated monitoring of unplanned kernel reboots on systems known to use stmmac-compatible hardware can flag potential exploitation or environmental triggers.

Why prioritize this

This is a high-severity denial-of-service vulnerability with a CVSS score of 7.5, reflecting the lack of confidentiality or integrity impact but significant availability risk. The trigger is environmental (memory pressure + packet flow) rather than requiring sophisticated attacker craft. Any Linux system in a memory-constrained or high-traffic environment is at risk of unplanned downtime. The lack of KEV listing suggests it may not yet be actively exploited, providing a window for patching before widespread weaponization. Prioritize based on whether your systems use stmmac drivers and operate under sustained network load.

Risk score, explained

CVSS 7.5 (HIGH) reflects: network-based attack vector (AV:N), low attack complexity (AC:L), no privilege requirement (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality or integrity impact (C:N/I:N), but high availability impact (A:H). The score appropriately captures a reliable denial-of-service condition without data breach risk. The lack of KEV status and active exploitation in the wild does not reduce the technical severity, only the current threat landscape urgency—this should not factor into patching decisions for affected systems.

Frequently asked questions

Does this vulnerability allow remote code execution?

No. CVE-2026-46110 causes a kernel panic (NULL pointer dereference), which is a denial-of-service condition. It does not allow an attacker to execute arbitrary code or gain unauthorized access. The impact is system unavailability and potential data loss due to forced shutdown.

Which systems are affected?

Linux systems that compile and use the stmmac network driver. This includes many ARM-based SoCs (Synopsys GMAC controllers), some x86 network adapters, and embedded devices. Not all Linux systems are affected; you can check if stmmac is in use via 'lsmod | grep stmmac' on running systems or by reviewing kernel build configuration.

Is a workaround available if I cannot patch immediately?

Complete prevention is not possible without patching. Operational mitigation includes increasing available system RAM, reducing sustained network load if feasible, and monitoring for kernel panics. However, these are not reliable substitutes. Patching should be prioritized for any production system using stmmac drivers.

How quickly should I apply the patch?

If your systems use stmmac drivers and operate in memory-constrained or high-traffic environments, apply the patch within your standard critical-vulnerability timeline—typically within 1–2 weeks. Systems with ample spare memory and low network load face lower risk but should still be patched in the next maintenance window. The absence of KEV listing suggests no active widespread exploitation, but this is not a reason to delay if your infrastructure is at risk.

This analysis is provided for informational purposes to assist security professionals in risk assessment and remediation planning. The information reflects the vulnerability description and publicly available data as of the publication date. Patch availability and specific affected versions vary by Linux distribution and kernel version; consult your vendor or kernel maintainer for definitive remediation guidance. This document does not constitute legal or compliance advice. Organizations should validate all technical details against official vendor advisories before deploying patches or relying on mitigations. SEC.co makes no warranty regarding the accuracy or completeness of this analysis and assumes no liability for decisions made based on this information. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Affected vendors

Weaknesses (CWE)

Related vulnerabilities

  • CVE-2026-46114HIGH

    CVE-2026-46114: Linux Kernel RDMA RXE Remote Memory Leak via Malformed ATOMIC_WRITE

  • CVE-2025-71313MEDIUM

    CVE-2025-71313: Linux Kernel PCI Endpoint NULL Pointer Dereference

  • CVE-2026-46118MEDIUM

    CVE-2026-46118: Linux Kernel PAPR Hypervisor Pipe Null Pointer Dereference (POWER Systems)

  • CVE-2026-46127MEDIUM

    CVE-2026-46127: Linux Kernel OCRDMA Null Pointer Dereference (DoS)

  • CVE-2026-46134MEDIUM

    CVE-2026-46134: Linux Kernel cros_ec Mutex Initialization DoS Vulnerability

  • CVE-2025-59604HIGH

    CVE-2025-59604: Qualcomm Snapdragon Memory Corruption Vulnerability – HIGH Severity

  • CVE-2025-59606HIGH

    CVE-2025-59606: Qualcomm Chipset Memory Corruption Local Privilege Escalation

  • CVE-2025-70099HIGH

    CVE-2025-70099: NULL Pointer Dereference in lwext4 Directory Parsing (Denial of Service)