CVE-2026-31395
Description
In the Linux kernel, the following vulnerability has been resolved:
bnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler
The ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER handler in bnxt_async_event_process() uses a firmware-supplied 'type' field directly as an index into bp->bs_trace[] without bounds validation.
The 'type' field is a 16-bit value extracted from DMA-mapped completion ring memory that the NIC writes directly to host RAM. A malicious or compromised NIC can supply any value from 0 to 65535, causing an out-of-bounds access into kernel heap memory.
The bnxt_bs_trace_check_wrap() call then dereferences bs_trace->magic_byte and writes to bs_trace->last_offset and bs_trace->wrapped, leading to kernel memory corruption or a crash.
Fix by adding a bounds check and defining BNXT_TRACE_MAX as DBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE + 1 to cover all currently defined firmware trace types (0x0 through 0xc).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel bnxt_en driver, a missing bounds check in the DBG_BUF_PRODUCER async event handler allows a malicious NIC to cause out-of-bounds access and kernel memory corruption.
Vulnerability
The Linux kernel's bnxt_en driver for Broadcom NetXtreme Ethernet cards contains an out-of-bounds (OOB) access vulnerability in the ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER handler within bnxt_async_event_process(). The handler uses a firmware-supplied 'type' field directly as an index into the bp->bs_trace[] array without validating its bounds. This field is a 16-bit value obtained from DMA-mapped completion ring memory written by the NIC.
Exploitation
An attacker who can control the NIC's DMA output, for example through compromised firmware or physical access, can supply any value from 0 to 65535 as the 'type' field. This causes an OOB read/write beyond the allocated bs_trace array. The subsequent call to bnxt_bs_trace_check_wrap() dereferences bs_trace->magic_byte and writes to bs_trace->last_offset and bs_trace->wrapped, leading to kernel memory corruption or a system crash.
Impact
Successful exploitation can lead to kernel heap memory corruption, potentially resulting in a denial of service (system crash) or, with careful manipulation, privilege escalation. The attack requires a compromised or malicious NIC to inject the out-of-range index, limiting the attack surface to environments where the attacker controls the hardware.
Mitigation
The fix adds a bounds check on the 'type' field and defines BNXT_TRACE_MAX as DBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE + 1 to cover all valid firmware trace types (0x0 through 0xc). The patch has been applied to the stable kernel trees; see references [1], [2], and [3] for the specific commits. Users should update their kernels to the latest stable releases that include this fix.
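The following C program is an added illustration of the mechanics described above and of the fix; it is not code from the bnxt_en driver or from the kernel patch. The two constants (DBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE = 0xc and BNXT_TRACE_MAX = that value + 1) are taken from the CVE text; the struct layouts, the simulated wrap check, the completion-event shape and the policy of silently dropping a rejected event are simplifying assumptions made for this example. Rather than performing the out-of-bounds access, the vulnerable path reports the element index it would have used and how many bytes past the array end a 16-bit 'type' would reach, so the reach of the bug can be measured safely.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constants quoted from the advisory: firmware trace types 0x0..0xc are
 * defined, and the fix sets BNXT_TRACE_MAX to the last defined type + 1. */
#define DBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE 0xc
#define BNXT_TRACE_MAX (DBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE + 1)

/* Hypothetical stand-in for the driver's per-trace-type bookkeeping.
 * Only the three fields the advisory names are modelled. */
struct bs_trace_sim {
    uint8_t magic_byte;
    uint32_t last_offset;
    bool wrapped;
};

/* Stand-in for the part of the adapter state the handler indexes. */
struct bnxt_sim {
    struct bs_trace_sim bs_trace[BNXT_TRACE_MAX];
};

/* Constructed DBG_BUF_PRODUCER completion as the NIC would DMA it into the
 * completion ring: the type field is 16 bits, so any value 0..65535 can
 * arrive from the device. */
struct dbg_buf_producer_event {
    uint16_t type;
    uint32_t curr_off;   /* producer offset reported by firmware */
};

enum handler_result {
    HANDLED,           /* type in range, bs_trace[type] updated */
    DROPPED_OOB,       /* hardened handler rejected an out-of-range type */
    WOULD_ACCESS_OOB   /* vulnerable handler would index past the array */
};

/* Simulated bnxt_bs_trace_check_wrap(): a producer offset that moves
 * backwards means the firmware log buffer wrapped around. */
static void bs_trace_check_wrap_sim(struct bs_trace_sim *bs, uint32_t off)
{
    if (off < bs->last_offset)
        bs->wrapped = true;
    bs->last_offset = off;
}

/* One handler run. 'hardened' selects the bounds check the fix adds.
 * *bytes_past_end receives how far beyond the array the element at
 * ev->type ends (0 when in range); no out-of-bounds memory is touched. */
static enum handler_result
dbg_buf_producer_handle(struct bnxt_sim *bp, const struct dbg_buf_producer_event *ev,
                        bool hardened, size_t *bytes_past_end)
{
    size_t idx = ev->type;
    size_t elem = sizeof(bp->bs_trace[0]);
    size_t end = (size_t)BNXT_TRACE_MAX * elem;
    size_t touched = (idx + 1) * elem;

    *bytes_past_end = touched > end ? touched - end : 0;

    if (idx >= BNXT_TRACE_MAX) {
        if (hardened)
            return DROPPED_OOB;   /* the fix: reject before indexing */
        /* Vulnerable handler would now read bs_trace[idx].magic_byte and
         * write last_offset/wrapped into whatever follows the array. */
        return WOULD_ACCESS_OOB;
    }
    bs_trace_check_wrap_sim(&bp->bs_trace[idx], ev->curr_off);
    return HANDLED;
}

/* Helpers that run a scenario on a fresh adapter state and return the result. */
static enum handler_result handle_type(uint16_t type, bool hardened)
{
    struct bnxt_sim bp = {0};
    struct dbg_buf_producer_event ev = { .type = type, .curr_off = 0x40 };
    size_t past;
    return dbg_buf_producer_handle(&bp, &ev, hardened, &past);
}

static size_t oob_reach_for_type(uint16_t type)
{
    struct bnxt_sim bp = {0};
    struct dbg_buf_producer_event ev = { .type = type, .curr_off = 0x40 };
    size_t past;
    dbg_buf_producer_handle(&bp, &ev, false, &past);
    return past;
}

/* Worst case a 16-bit type can reach past the array end. */
static size_t max_oob_reach_bytes(void)
{
    return (size_t)(0x10000 - BNXT_TRACE_MAX) * sizeof(struct bs_trace_sim);
}

/* Two in-range events with a decreasing offset must flag a wrap. */
static bool wrap_detected_sim(void)
{
    struct bnxt_sim bp = {0};
    struct dbg_buf_producer_event a = { .type = 0x3, .curr_off = 0x1000 };
    struct dbg_buf_producer_event b = { .type = 0x3, .curr_off = 0x0200 };
    size_t past;
    dbg_buf_producer_handle(&bp, &a, true, &past);
    dbg_buf_producer_handle(&bp, &b, true, &past);
    return bp.bs_trace[0x3].wrapped && bp.bs_trace[0x3].last_offset == 0x0200;
}

int main(void)
{
    printf("type 0xc: hardened=%d vulnerable=%d\n",
           handle_type(0xc, true), handle_type(0xc, false));
    printf("type 0xd: hardened=%d vulnerable=%d reach=%zu bytes\n",
           handle_type(0xd, true), handle_type(0xd, false), oob_reach_for_type(0xd));
    printf("max reach for a 16-bit type: %zu bytes\n", max_oob_reach_bytes());
    printf("wrap detected: %d\n", wrap_detected_sim());
    return 0;
}
```

The boundary case is the one to check: type 0xc (the last defined trace type) must still be handled, and 0xd, the first value past BNXT_TRACE_MAX, must be dropped; an off-by-one in the comparison would either reject a legitimate firmware trace type or leave one element of out-of-bounds reach in place.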
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (2)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions (3)
No linked articles in our index yet.