CVE-2026-31563
Description
In the Linux kernel, the following vulnerability has been resolved:
net: macb: Use dev_consume_skb_any() to free TX SKBs
The napi_consume_skb() function is not intended to be called in an IRQ disabled context. However, after commit 6bc8a5098bf4 ("net: macb: Fix tx_ptr_lock locking"), the freeing of TX SKBs is performed with IRQs disabled. To resolve the following call trace, use dev_consume_skb_any() for freeing TX SKBs: WARNING: kernel/softirq.c:430 at __local_bh_enable_ip+0x174/0x188, CPU#0: ksoftirqd/0/15 Modules linked in: CPU: 0 UID: 0 PID: 15 Comm: ksoftirqd/0 Not tainted 7.0.0-rc4-next-20260319-yocto-standard-dirty #37 PREEMPT Hardware name: ZynqMP ZCU102 Rev1.1 (DT) pstate: 200000c5 (nzCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __local_bh_enable_ip+0x174/0x188 lr : local_bh_enable+0x24/0x38 sp : ffff800082b3bb10 x29: ffff800082b3bb10 x28: ffff0008031f3c00 x27: 000000000011ede0 x26: ffff000800a7ff00 x25: ffff800083937ce8 x24: 0000000000017a80 x23: ffff000803243a78 x22: 0000000000000040 x21: 0000000000000000 x20: ffff000800394c80 x19: 0000000000000200 x18: 0000000000000001 x17: 0000000000000001 x16: ffff000803240000 x15: 0000000000000000 x14: ffffffffffffffff x13: 0000000000000028 x12: ffff000800395650 x11: ffff8000821d1528 x10: ffff800081c2bc08 x9 : ffff800081c1e258 x8 : 0000000100000301 x7 : ffff8000810426ec x6 : 0000000000000000 x5 : 0000000000000001 x4 : 0000000000000001 x3 : 0000000000000000 x2 : 0000000000000008 x1 : 0000000000000200 x0 : ffff8000810428dc Call trace: __local_bh_enable_ip+0x174/0x188 (P) local_bh_enable+0x24/0x38 skb_attempt_defer_free+0x190/0x1d8 napi_consume_skb+0x58/0x108 macb_tx_poll+0x1a4/0x558 __napi_poll+0x50/0x198 net_rx_action+0x1f4/0x3d8 handle_softirqs+0x16c/0x560 run_ksoftirqd+0x44/0x80 smpboot_thread_fn+0x1d8/0x338 kthread+0x120/0x150 ret_from_fork+0x10/0x20 irq event stamp: 29751 hardirqs last enabled at (29750): [<ffff8000813be184>] _raw_spin_unlock_irqrestore+0x44/0x88 hardirqs last disabled at (29751): [<ffff8000813bdf60>] _raw_spin_lock_irqsave+0x38/0x98 softirqs last enabled at (29150): [<ffff8000800f1aec>] handle_softirqs+0x504/0x560 softirqs last disabled at (29153): [<ffff8000800f2fec>] run_ksoftirqd+0x44/0x80
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A locking change in the Linux kernel's macb driver freed TX skbs in an IRQ-disabled context, triggering a kernel warning; the fix replaces napi_consume_skb() with dev_consume_skb_any().
Vulnerability
CVE-2026-31563 is a bug in the Linux kernel's Cadence MACB Ethernet driver (net: macb). After commit 6bc8a5098bf4 ("net: macb: Fix tx_ptr_lock locking"), transmit (TX) socket buffers (SKBs) are freed with hard IRQs disabled. The function used for freeing, napi_consume_skb(), is not designed to be called in such a context; it internally attempts to enable soft IRQs (a (local_bh_enable), which triggers a kernel warning in __local_bh_enable_ip as shown in the call trace.[1][2][3][4]
Exploitation
No special privilege or network position is required beyond normal network usage. The warning is triggered during normal TX completion path: when the driver's NAPI poll function (macb_tx_poll) frees transmitted SKBs under the spin lock that disables IRQs. Any network traffic on the affected system can reproduce the issue, leading to kernel splat but not arbitrary code execution.
Impact
The primary impact is a kernel warning and potential denial of service (soft lockup) because the warning may cause the system to log repeated messages or, in some configurations, stall. The bug does not allow data corruption, privilege escalation, or memory corruption beyond the warning itself.
Mitigation
The fix, committed to the Linux kernel stable trees, replaces the problematic napi_consume_skb() call with dev_consume_skb_any(), which is safe to use with IRQs disabled.[1][2][3][4] Users should apply the corresponding kernel update. No workaround other than patching or downgrading to a kernel version before the problematic locking change is available.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
9cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*+ 8 more
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=6.1.151,<6.1.168
- cpe:2.3:o:linux:linux_kernel:6.17:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- git.kernel.org/stable/c/647b8a2fe474474704110db6bd07f7a139e621ebnvdPatch
- git.kernel.org/stable/c/78c8b090a3d5c1689dc989861b0163180db2b3f8nvdPatch
- git.kernel.org/stable/c/92e7081f0c79d9073087e54bab745bb184192c2envdPatch
- git.kernel.org/stable/c/984350b37372f79f71d4f0a5264c640e40daf9cenvdPatch
- git.kernel.org/stable/c/ca4d05afb4683d685bb2c6fccae4386c478f524anvdPatch
- git.kernel.org/stable/c/f4bc91398b579730284328322365afa77a9d568fnvdPatch
News mentions
0No linked articles in our index yet.