A newly published Linux kernel vulnerability in the Cadence MACB/GEM Ethernet driver is a reminder that even small accounting mistakes in networking code can become memory-safety bugs. CVE-2026-31494 covers an out-of-bounds write that can be triggered through the ethtool stats interface, potentially allowing an attacker to corrupt kernel memory.
The flaw resides in the macb_ethtool_get_ethtool_stats() function in drivers/net/ethernet/cadence/macb_main.c, which fills a buffer with hardware statistics. That buffer is not supplied by user space. The ethtool core first asks the driver how many entries it will produce by calling macb_ethtool_get_sset_count(), allocates a kernel buffer of exactly that many u64 slots, calls macb_ethtool_get_ethtool_stats() to fill it, and only then copies the result out to the calling process. A mismatch between the number of statistics reported by macb_ethtool_get_sset_count() and the number actually written by macb_ethtool_get_ethtool_stats() therefore turns into an out-of-bounds write in kernel memory.
The Root Cause: Queue Count Discrepancy
The macb driver supports multiple transmit and receive queues. The num_queues variable holds the number of queues actually enabled on the device, while max_queues is the maximum number of queues the hardware can support, so num_queues is never larger than max_queues. The statistics count function computes the total number of entries from num_queues. The stats collection function, however, walks max_queues when it emits the per-queue counters. Whenever num_queues is smaller than max_queues, the collection function writes (max_queues - num_queues) times the per-queue counter count more entries than it reported, and those surplus entries land past the end of the kernel buffer that the ethtool core sized from the reported count.
Impact and Exploitability
An attacker with local access can trigger this vulnerability by querying the interface's statistics, for example with ethtool -S. The ETHTOOL_GSTATS ioctl that this issues is one of the ethtool commands the kernel allows without CAP_NET_ADMIN, so no special privileges are required beyond being able to reach the interface. The out-of-bounds write corrupts kernel memory beyond the allocated buffer. This can crash the system (denial of service) or, in principle, lead to privilege escalation if an attacker can control the written data. In practice that control is weak: the values written are hardware counters, which an attacker can only nudge by generating traffic, and the length of the overflow is fixed by the queue configuration rather than chosen by the attacker. Exploiting the bug for privilege escalation is therefore hard, as it requires precise control over the written values and the memory layout around the buffer.
The vulnerability affects Linux kernel versions from 5.4 up to 6.6, where the macb driver with multiple queue support is enabled. Systems using the macb driver on hardware such as Xilinx Zynq-7000, Microchip SAMA5, or other Cadence MACB/GEM-based Ethernet controllers are at risk.
Patch and Mitigation
The Linux kernel developers have addressed CVE-2026-31494 by ensuring that the stats collection function uses the same queue count as the stats count function. The patch modifies macb_ethtool_get_ethtool_stats() to iterate over num_queues instead of max_queues. Users are advised to update their kernels to versions containing the fix, which is already included in the mainline kernel.
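The root-cause discussion and the patch description above can be made concrete with a small model. The C program below is an added example written for this article, not code from the macb driver or the Linux tree: the struct, the constants TOY_MAX_QUEUES, TOY_BASE_STATS_LEN and TOY_QUEUE_STATS_LEN, and every function name are stand-ins with assumed values. It reproduces the ethtool core's sequence (ask get_sset_count for a size, allocate that many u64 entries, let the driver fill them) and runs it once with a collector that walks the hardware maximum, as the vulnerable driver did, and once with a collector that walks the enabled queue count, as the fix does. Rather than actually corrupting memory, the buffer wrapper counts every write that falls past the allocated length.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-ins for the driver's constants (assumed values, not the kernel's). */
#define TOY_MAX_QUEUES      8  /* hardware maximum, plays the role of max_queues */
#define TOY_BASE_STATS_LEN  4  /* per-device counters                            */
#define TOY_QUEUE_STATS_LEN 2  /* per-queue counters (e.g. rx and tx packets)    */

struct toy_macb {
    unsigned int num_queues;   /* queues actually enabled on this board */
    uint64_t base_stats[TOY_BASE_STATS_LEN];
    uint64_t queue_stats[TOY_MAX_QUEUES][TOY_QUEUE_STATS_LEN];
};

/* Bounds-checked view of the buffer the ethtool core hands the driver.
 * Out-of-range writes are counted instead of corrupting memory. */
struct stats_buf {
    uint64_t *data;
    size_t len;        /* entries allocated: the value get_sset_count returned */
    size_t oob_writes; /* writes a real kernel would have placed past the end */
};

static void buf_put(struct stats_buf *b, size_t idx, uint64_t v)
{
    if (idx >= b->len) {
        b->oob_writes++;   /* in the real driver this is the memory corruption */
        return;
    }
    b->data[idx] = v;
}

/* Count side: sizes the buffer from num_queues. */
static int toy_get_sset_count(const struct toy_macb *bp)
{
    return TOY_BASE_STATS_LEN + (int)bp->num_queues * TOY_QUEUE_STATS_LEN;
}

/* Shared walker; the 'queues' argument is the whole bug. */
static void toy_fill_stats(const struct toy_macb *bp, struct stats_buf *b,
                           unsigned int queues)
{
    size_t i = 0;
    for (unsigned int s = 0; s < TOY_BASE_STATS_LEN; s++)
        buf_put(b, i++, bp->base_stats[s]);
    for (unsigned int q = 0; q < queues; q++)
        for (unsigned int s = 0; s < TOY_QUEUE_STATS_LEN; s++)
            buf_put(b, i++, bp->queue_stats[q][s]);
}

static void toy_get_stats_vuln(const struct toy_macb *bp, struct stats_buf *b)
{
    toy_fill_stats(bp, b, TOY_MAX_QUEUES);   /* BUG: walks every possible queue */
}

static void toy_get_stats_fixed(const struct toy_macb *bp, struct stats_buf *b)
{
    toy_fill_stats(bp, b, bp->num_queues);   /* FIX: same count the core was told */
}

/* Models the ethtool core: allocate get_sset_count() entries, let the driver
 * fill them, and return how many writes fell outside the buffer. */
static size_t simulate_gstats(unsigned int num_queues, int use_fix)
{
    struct toy_macb bp;
    memset(&bp, 0, sizeof(bp));
    bp.num_queues = num_queues;
    for (unsigned int q = 0; q < TOY_MAX_QUEUES; q++)
        for (unsigned int s = 0; s < TOY_QUEUE_STATS_LEN; s++)
            bp.queue_stats[q][s] = 100 * q + s;   /* constructed sample counters */

    int n = toy_get_sset_count(&bp);
    struct stats_buf b = { calloc((size_t)n, sizeof(uint64_t)), (size_t)n, 0 };
    if (!b.data)
        return (size_t)-1;

    if (use_fix)
        toy_get_stats_fixed(&bp, &b);
    else
        toy_get_stats_vuln(&bp, &b);

    free(b.data);
    return b.oob_writes;
}

int main(void)
{
    for (unsigned int q = 1; q <= TOY_MAX_QUEUES; q++)
        printf("num_queues=%u  vulnerable oob writes=%zu  fixed oob writes=%zu\n",
               q, simulate_gstats(q, 0), simulate_gstats(q, 1));
    return 0;
}
```

With two enabled queues the core allocates 4 + 2 * 2 = 8 entries, the vulnerable walker emits 4 + 8 * 2 = 20, and the last twelve writes are out of bounds; only a board that enables all eight queues escapes the overflow, which is why the count and collection paths must be driven by the same variable.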
For systems that cannot be patched immediately, the options are limited. The driver has no runtime switch that turns its statistics callback off, and the ETHTOOL_GSTATS query does not require CAP_NET_ADMIN, so the only practical way to restrict who can trigger the bug is to keep untrusted local users off the device or out of the network namespace that owns the interface. Applying the kernel update remains the effective mitigation.
Lessons Learned
CVE-2026-31494 is a classic example of a code inconsistency becoming a memory-safety vulnerability. The two ethtool callbacks form a contract: the value returned by the count function is the size of the buffer the collection function will be handed, so both must be computed from the same device state. The fix is a one-variable change, but the bug persisted across several kernel versions, which highlights the need for rigorous review and testing of drivers whose callbacks size and fill buffers on behalf of user space.
Conclusion
While CVE-2026-31494 may not be a widespread threat due to its local access requirement and specific hardware dependencies, it serves as a valuable case study in kernel security. Administrators running affected hardware should prioritize patching to prevent potential denial-of-service or privilege escalation attacks.