{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "286a837217204b1ef105e3a554d0757e4fdfaac1"
            },
            {
              "fixed": "513e06735f5be575b409d195822195348b164e48"
            },
            {
              "fixed": "275bdf762e82082f064e60a92448fa2ac43cf95b"
            },
            {
              "fixed": "a2b68a9a476b9544ff31f1fbcd5d80867a8a5e2f"
            },
            {
              "fixed": "b7b8012193fd98236d7ae05d4b553f010a77b2ef"
            },
            {
              "fixed": "2c91b39912278d0878f9ba60ba04d2518b18a08d"
            },
            {
              "fixed": "6fca757c20396dc2e604dcc61922264e9e3dc803"
            },
            {
              "fixed": "10d12b9240ebf96c785f0e2e4228318cd5f3a3eb"
            },
            {
              "fixed": "51f4e090b9f87b40c21b6daadb5c06e6c0a07b67"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.2.0"
            },
            {
              "fixed": "5.10.253"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "5.11.0"
            },
            {
              "fixed": "5.15.203"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "5.16.0"
            },
            {
              "fixed": "6.1.169"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.2.0"
            },
            {
              "fixed": "6.6.135"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.7.0"
            },
            {
              "fixed": "6.12.82"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.13.0"
            },
            {
              "fixed": "6.18.23"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "6.19.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31649.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: fix integer underflow in chain mode\n\nThe jumbo_frm() chain-mode implementation unconditionally computes\n\n    len = nopaged_len - bmax;\n\nwhere nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is\nBUF_SIZE_8KiB or BUF_SIZE_2KiB.  However, the caller stmmac_xmit()\ndecides to invoke jumbo_frm() based on skb-\u003elen (total length including\npage fragments):\n\n    is_jumbo = stmmac_is_jumbo_frm(priv, skb-\u003elen, enh_desc);\n\nWhen a packet has a small linear portion (nopaged_len \u003c= bmax) but a\nlarge total length due to page fragments (skb-\u003elen \u003e bmax), the\nsubtraction wraps as an unsigned integer, producing a huge len value\n(~0xFFFFxxxx).  This causes the while (len != 0) loop to execute\nhundreds of thousands of iterations, passing skb-\u003edata + bmax * i\npointers far beyond the skb buffer to dma_map_single().  On IOMMU-less\nSoCs (the typical deployment for stmmac), this maps arbitrary kernel\nmemory to the DMA engine, constituting a kernel memory disclosure and\npotential memory corruption from hardware.\n\nFix this by introducing a buf_len local variable clamped to\nmin(nopaged_len, bmax).  Computing len = nopaged_len - buf_len is then\nalways safe: it is zero when the linear portion fits within a single\ndescriptor, causing the while (len != 0) loop to be skipped naturally,\nand the fragment loop in stmmac_xmit() handles page fragments afterward.",
  "id": "CVE-2026-31649",
  "modified": "2026-07-08T05:35:57.035884291Z",
  "published": "2026-04-24T14:45:02.520Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/10d12b9240ebf96c785f0e2e4228318cd5f3a3eb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/275bdf762e82082f064e60a92448fa2ac43cf95b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2c91b39912278d0878f9ba60ba04d2518b18a08d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/513e06735f5be575b409d195822195348b164e48"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/51f4e090b9f87b40c21b6daadb5c06e6c0a07b67"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6fca757c20396dc2e604dcc61922264e9e3dc803"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a2b68a9a476b9544ff31f1fbcd5d80867a8a5e2f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b7b8012193fd98236d7ae05d4b553f010a77b2ef"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31649.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31649"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "net: stmmac: fix integer underflow in chain mode"
}