HarborGuard / CVE
Back to search
HIGHCVE-2026-46110Published Modified CNA Linux

CVE-2026-46110: net: stmmac: Prevent NULL deref when RX memory exhausted

In the Linux kernel, the following vulnerability has been resolved: net: stmmac: Prevent NULL deref when RX memory exhausted The CPU receives frames from the MAC through conventional DMA: the CPU allocates buffers for the MAC, then the MAC fills them and returns ownership to the CPU. For each hardware RX queue, the CPU and MAC coordinate through a shared ring array of DMA descriptors: one descriptor per DMA buffer. Each descriptor includes the buffer's physical address and a status flag ("OWN") indicating which side owns the buffer: OWN=0 for CPU, OWN=1 for MAC. The CPU is only allowed to set the flag and the MAC is only allowed to clear it, and both must move through the ring in sequence: thus the ring is used for both "submissions" and "completions." In the stmmac driver, stmmac_rx() bookmarks its position in the ring with the `cur_rx` index. The main receive loop in that function checks for rx_descs[cur_rx].own=0, gives the corresponding buffer to the network stack (NULLing the pointer), and increments `cur_rx` modulo the ring size. After the loop exits, stmmac_rx_refill(), which bookmarks its position with `dirty_rx`, allocates fresh buffers and rearms the descriptors (setting OWN=1). If it fails any allocation, it simply stops early (leaving OWN=0) and will retry where it left off when next called. This means descriptors have a three-stage lifecycle (terms my own): - `empty` (OWN=1, buffer valid) - `full` (OWN=0, buffer valid and populated) - `dirty` (OWN=0, buffer NULL) But because stmmac_rx() only checks OWN, it confuses `full`/`dirty`. In the past (see 'Fixes:'), there was a bug where the loop could cycle `cur_rx` all the way back to the first descriptor it dirtied, resulting in a NULL dereference when mistaken for `full`. The aforementioned commit resolved that *specific* failure by capping the loop's iteration limit at `dma_rx_size - 1`, but this is only a partial fix: if the previous stmmac_rx_refill() didn't complete, then there are leftover `dirty` descriptors that the loop might encounter without needing to cycle fully around. The current code therefore panics (see 'Closes:') when stmmac_rx_refill() is memory-starved long enough for `cur_rx` to catch up to `dirty_rx`. Fix this by explicitly checking, before advancing `cur_rx`, if the next entry is dirty; exit the loop if so. This prevents processing of the final, used descriptor until stmmac_rx_refill() succeeds, but fully prevents the `cur_rx == dirty_rx` ambiguity as the previous bugfix intended: so remove the clamp as well. Since stmmac_rx_zc() is a copy-paste-and-tweak of stmmac_rx() and the code structure is identical, any fix to stmmac_rx() will also need a corresponding fix for stmmac_rx_zc(). Therefore, apply the same check there. In stmmac_rx() (not stmmac_rx_zc()), a related bug remains: after the MAC sets OWN=0 on the final descriptor, it will be unable to send any further DMA-complete IRQs until it's given more `empty` descriptors. Currently, the driver simply *hopes* that the next stmmac_rx_refill() succeeds, risking an indefinite stall of the receive process if not. But this is not a regression, so it can be addressed in a future change.

HarborGuard Analysis

HarborGuard analysis

Synopsis

A NULL pointer dereference vulnerability exists in the Linux kernel's stmmac network driver, which handles DMA-based packet reception for STMMAC-compatible Ethernet controllers. The flaw is reachable over the network without authentication: an attacker can exhaust the driver's RX memory buffers, causing the receive loop to process a descriptor whose buffer pointer is NULL and triggering a kernel crash. Successful exploitation causes a denial of service by crashing or hanging the affected host. A patched-image rebuild at the fix version is available on HarborGuard for environments running an affected kernel version.

HarborGuard Coverage

Detection

Detection of CVE-2026-46110 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that carry an affected Linux kernel version.

Available
Triage

HarborGuard scores this CVE at 7.5 HIGH (CVSS v3.1) and the score is available alongside per-environment compliance policy weighting, so triage tickets are routed to the appropriate team inbox within each customer organization based on their configured severity thresholds.

Available
Patch

A patched-image rebuild pinned to the fix commit (6.2 stable or the applicable upstream commit) is available on HarborGuard for images confirmed to carry an affected kernel version. For customers who opt into auto-remediation, the pipeline performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker sends crafted or high-volume network traffic to the target host over the network to trigger RX buffer exhaustion in the stmmac driver.

  • AuthenticationNot required

    No credentials or account are needed; the attack is exercised by sending packets to an exposed network interface.

  • Victim interactionNot required

    No user action is required; the vulnerable code path is exercised automatically as the kernel processes incoming network frames.

  • Attack complexityDetail

    Exploit reliability is high and no special environmental conditions are required beyond being able to send traffic to the target interface.

Blast Radius

  • The kernel crashes or enters an unresponsive state due to the NULL pointer dereference, taking down all services on the affected host.
  • No confidential data is read and no persistent data is modified; the sole impact is availability loss.
  • Any workloads co-located on the same kernel instance (containers, VMs sharing the host, system daemons) are disrupted when the host goes down.
  • Recovery requires a reboot, causing unplanned downtime for the duration of the restart and any failover process.

How HarborGuard Handles This

Available on HarborGuard: images carrying a Linux kernel version in the affected stmmac range are flagged automatically within minutes of CVE ingestion. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the patched kernel version, runs a regression test pass, and opens a pull request against affected workloads; for HIGH-severity issues the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image and full CVSS detail are staged and waiting for engineer sign-off. Because the fix is a specific commit range rather than a named release in all branches, HarborGuard resolves the fix version per affected branch and applies the correct pin for each image's kernel lineage.

See how HarborGuard automates this

Metrics

CVSS v3.1
7.5
Severity
HIGH
Fixed in
0
Affected Products
2

Fix available

00bb05e6adfa99a2ea1fee1125cc0953409f83ed84af2e62cbcda575a174acd230c3f3a208135e16d5c910f7708e3c507b037ca91ca5b09f8cfe71e656.26.66.6.1406.12.886.18.307.0.77.1-rc2950cb436165aad0f8f2cd49da3cd07677465bcdee1c50b273298c7cd9b08b113e7a7598b531a02f5
Affected packages
  • Linux / Linux
    < e1c50b273298c7cd9b08b113e7a7598b531a02f5 (from 779334e59850f863bf34665e0ff0b6faf126873b) · < 5c910f7708e3c507b037ca91ca5b09f8cfe71e65 (from b6cb4541853c7ee512111b0e7ddf3cb66c99c137) · < 4af2e62cbcda575a174acd230c3f3a208135e16d (from b6cb4541853c7ee512111b0e7ddf3cb66c99c137) · < 950cb436165aad0f8f2cd49da3cd07677465bcde (from b6cb4541853c7ee512111b0e7ddf3cb66c99c137) · < 0bb05e6adfa99a2ea1fee1125cc0953409f83ed8 (from b6cb4541853c7ee512111b0e7ddf3cb66c99c137) · 7414a28de1b3b028714859078c00a874f9feff52
  • Linux / Linux
    6.7
    Fixed in 0, 6.6.140, 6.12.88, 6.18.30, 7.0.7, 7.1-rc2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References