APPLIED[HWE-6.17]/Cmnt: [SRU][Q][PATCH 0/1] CVE-2026-31501

Stefan Bader stefan.bader at canonical.com
Tue Jul 14 13:32:20 UTC 2026


On 24/06/2026 02:27, Cengiz Can via kernel-team wrote:
> https://ubuntu.com/security/CVE-2026-31501
> 
> [ Impact ]
> 
> In the TI ICSSG PRUETH driver, cppi5_hdesc_get_psdata() returns a pointer into
> a CPPI descriptor. In both emac_rx_packet() and emac_rx_packet_zc(), the
> descriptor is freed via k3_cppi_desc_pool_free() before the psdata pointer is
> dereferenced by emac_rx_timestamp(), which accesses psdata[0] and psdata[1].
> This is a use-after-free that occurs on every received packet that goes through
> the timestamp path, and could lead to memory corruption or other undefined
> behavior.
> 
> [ Fix ]
> 
> questing: backported with AI-assisted adaptation
> 
> [ Test Plan ]
> 
> Boot tested.
> 
> [ Where Problems Could Occur ]
> 
> A regression in this change to the ti icssg-prueth networking driver could
> affect RX packet processing or hardware timestamping, potentially causing
> dropped packets or descriptor pool mismanagement on affected TI platforms.
> 

Applied to noble:linux-hwe-6.17/hwe-6.17-next. Thanks.

-Stefan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 52669 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260714/1ea04386/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20260714/1ea04386/attachment-0001.sig>


More information about the kernel-team mailing list