VYPR
← All advisories
High severity7.5NVD Advisory· Published May 1, 2026· Updated May 8, 2026

CVE-2026-43031

CVE-2026-43031

Description

In the Linux kernel, the following vulnerability has been resolved:

net: xilinx: axienet: Fix BQL accounting for multi-BD TX packets

When a TX packet spans multiple buffer descriptors (scatter-gather), axienet_free_tx_chain sums the per-BD actual length from descriptor status into a caller-provided accumulator. That sum is reset on each NAPI poll. If the BDs for a single packet complete across different polls, the earlier bytes are lost and never credited to BQL. This causes BQL to think bytes are permanently in-flight, eventually stalling the TX queue.

The SKB pointer is stored only on the last BD of a packet. When that BD completes, use skb->len for the byte count instead of summing per-BD status lengths. This matches netdev_sent_queue(), which debits skb->len, and naturally survives across polls because no partial packet contributes to the accumulator.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In Linux kernel's axienet driver, BQL accounting for multi-BD TX packets resets per-poll, causing TX queue stall; fixed by using skb->len.

In the Linux kernel's Xilinx AXI Ethernet driver (axienet), BQL (Byte Queue Limits) accounting for multi-buffer descriptor (BD) TX packets incorrectly resets the byte counter on each NAPI poll. This causes earlier bytes to be lost, leading to an ever-increasing perceived in-flight bytes, eventually stalling the TX queue [1].

An attacker with the ability to trigger network traffic (e.g., send packets) could cause the TX queue to stall on a system using this driver. No special privileges are needed beyond basic network access. The driver is used in embedded systems with Xilinx FPGA Ethernet cores.

The primary impact is denial of service (DoS) as the network interface becomes unable to transmit packets, disrupting network services on the affected system [2].

The fix is included in Linux kernel commits [1], [2], and [3] for various stable branches. Users should update to a patched kernel version. The issue is fixed by using skb->len for byte count instead of summing per-BD lengths.

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!
  3. Making sure you're not a bot!

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

10
  • Linux/Kernelinferred8 versions
    (expand)+ 7 more
    • (no CPE)
    • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*range: >=6.15,<6.18.22
    • cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
    • cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
  • AMD/axienetllm-create
  • Linux/Linux Kernel Rtllm-fuzzy

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

News mentions

0

No linked articles in our index yet.