{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31395", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-03-09T15:48:24.085Z", "datePublished": "2026-04-03T15:15:59.590Z", "dateUpdated": "2026-04-03T15:15:59.590Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-03T15:15:59.590Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler\n\nThe ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER handler in\nbnxt_async_event_process() uses a firmware-supplied 'type' field\ndirectly as an index into bp->bs_trace[] without bounds validation.\n\nThe 'type' field is a 16-bit value extracted from DMA-mapped completion\nring memory that the NIC writes directly to host RAM. A malicious or\ncompromised NIC can supply any value from 0 to 65535, causing an\nout-of-bounds access into kernel heap memory.\n\nThe bnxt_bs_trace_check_wrap() call then dereferences bs_trace->magic_byte\nand writes to bs_trace->last_offset and bs_trace->wrapped, leading to\nkernel memory corruption or a crash.\n\nFix by adding a bounds check and defining BNXT_TRACE_MAX as\nDBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE + 1 to cover all currently\ndefined firmware trace types (0x0 through 0xc)."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/broadcom/bnxt/bnxt.c", "drivers/net/ethernet/broadcom/bnxt/bnxt.h"], "versions": [{"version": "84fcd9449fd7882ddfb05ba64d75f9be2d29b2e9", "lessThan": "19aa416eed9e4aaf1bbe8da0f7bd9a9be31158c8", "status": "affected", "versionType": "git"}, {"version": "84fcd9449fd7882ddfb05ba64d75f9be2d29b2e9", "lessThan": "b7c7a275447c6d4bf4a36a134682e2e4e20efd4b", "status": "affected", "versionType": "git"}, {"version": "84fcd9449fd7882ddfb05ba64d75f9be2d29b2e9", "lessThan": "64dcbde7f8f870a4f2d9daf24ffb06f9748b5dd3", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/broadcom/bnxt/bnxt.c", "drivers/net/ethernet/broadcom/bnxt/bnxt.h"], "versions": [{"version": "6.13", "status": "affected"}, {"version": "0", "lessThan": "6.13", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc5", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "7.0-rc5"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/19aa416eed9e4aaf1bbe8da0f7bd9a9be31158c8"}, {"url": "https://git.kernel.org/stable/c/b7c7a275447c6d4bf4a36a134682e2e4e20efd4b"}, {"url": "https://git.kernel.org/stable/c/64dcbde7f8f870a4f2d9daf24ffb06f9748b5dd3"}], "title": "bnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: fix OOB access in DBG_BUF_PRODUCER async event handler\n\nThe ASYNC_EVENT_CMPL_EVENT_ID_DBG_BUF_PRODUCER handler in\nbnxt_async_event_process() uses a firmware-supplied 'type' field\ndirectly as an index into bp->bs_trace[] without bounds validation.\n\nThe 'type' field is a 16-bit value extracted from DMA-mapped completion\nring memory that the NIC writes directly to host RAM. A malicious or\ncompromised NIC can supply any value from 0 to 65535, causing an\nout-of-bounds access into kernel heap memory.\n\nThe bnxt_bs_trace_check_wrap() call then dereferences bs_trace->magic_byte\nand writes to bs_trace->last_offset and bs_trace->wrapped, leading to\nkernel memory corruption or a crash.\n\nFix by adding a bounds check and defining BNXT_TRACE_MAX as\nDBG_LOG_BUFFER_FLUSH_REQ_TYPE_ERR_QPC_TRACE + 1 to cover all currently\ndefined firmware trace types (0x0 through 0xc)."}], "id": "CVE-2026-31395", "lastModified": "2026-04-03T16:16:37.743", "metrics": {}, "published": "2026-04-03T16:16:37.743", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/19aa416eed9e4aaf1bbe8da0f7bd9a9be31158c8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/64dcbde7f8f870a4f2d9daf24ffb06f9748b5dd3"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/b7c7a275447c6d4bf4a36a134682e2e4e20efd4b"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[84fcd9449fd7882ddfb05ba64d75f9be2d29b2e9,19aa416eed9e4aaf1bbe8da0f7bd9a9be31158c8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[84fcd9449fd7882ddfb05ba64d75f9be2d29b2e9,b7c7a275447c6d4bf4a36a134682e2e4e20efd4b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[84fcd9449fd7882ddfb05ba64d75f9be2d29b2e9,64dcbde7f8f870a4f2d9daf24ffb06f9748b5dd3)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.13"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.13)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.20,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-03T18:37:54.569672+00:00", "value": {"mitigation_remediation": ["Apply the latest Linux kernel update that includes the bnxt_en bounds check patch", "If an update is not immediately possible, ensure that the NIC firmware is trusted and not from an unverified source", "Avoid using the affected NIC hardware if replacement is not viable until the patch is deployed"], "summary": {"action": "Patch Immediately", "impact": "Kernel memory corruption"}, "threat_synthesis": {"affected_systems": "The flaw is present in the Linux kernel, affecting all Linux distributions that include the vulnerable bnxt_en driver in the kernel. No specific kernel version is listed as affected in the bulletin, so any installation of the kernel that has not applied this patch is potentially vulnerable.", "description_and_impact": "The vulnerability involves an out\u2011of\u2011bounds access in the bnxt_en driver\u2019s async event handler. A firmware supplied 16\u2011bit type value is used as an index into a kernel heap array without bounds checking. An attacker controlling the NIC can supply any value from 0 to 65535, which leads to a read/write outside the valid array bounds and corrupts kernel memory or causes a crash. This can allow the adversary to gain arbitrary kernel\u2011level code execution or denial of service.", "risk_and_exploitability": "The CVSS score is not provided, but out\u2011of\u2011bounds memory corruption in the kernel is typically considered a severe vulnerability. The likelihood of exploitation requires an attacker to control the NIC\u2019s firmware or send crafted packets that cause the firmware to write a malicious type value. If successful, the flaw can lead to kernel crash or arbitrary code execution. The issue is not listed in the CISA KEV catalog, and the EPSS score is unavailable, so the exact exploitation probability is unclear, but the high potential impact warrants immediate remediation."}}}}, "created": "2026-04-03T21:13:18.171224+00:00", "updated": "2026-04-03T21:15:31.853846+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-787", "CWE-120"]}