{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-31646","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-03-09T15:48:24.127Z","datePublished":"2026-04-24T14:44:59.874Z","dateUpdated":"2026-05-11T22:12:50.586Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:12:50.586Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: lan966x: fix page_pool error handling in lan966x_fdma_rx_alloc_page_pool()\n\npage_pool_create() can return an ERR_PTR on failure. The return value\nis used unconditionally in the loop that follows, passing the error\npointer through xdp_rxq_info_reg_mem_model() into page_pool_use_xdp_mem(),\nwhich dereferences it, causing a kernel oops.\n\nAdd an IS_ERR check after page_pool_create() to return early on failure."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c"],"versions":[{"version":"11871aba19748b3387e83a2db6360aa7119e9a1a","lessThan":"e63265f188ea39dcf5f546770650027528f3bd0f","status":"affected","versionType":"git"},{"version":"11871aba19748b3387e83a2db6360aa7119e9a1a","lessThan":"305832c53551cfbe6e5b81ca7ee765e60f4fe8e9","status":"affected","versionType":"git"},{"version":"11871aba19748b3387e83a2db6360aa7119e9a1a","lessThan":"b5dcb41ba891b55157006cac79825c78a32b409e","status":"affected","versionType":"git"},{"version":"11871aba19748b3387e83a2db6360aa7119e9a1a","lessThan":"7caf90d9ab97951a58d1de85ab7e7d7cca7a4513","status":"affected","versionType":"git"},{"version":"11871aba19748b3387e83a2db6360aa7119e9a1a","lessThan":"3fd0da4fd8851a7e62d009b7db6c4a05b092bc19","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/microchip/lan966x/lan966x_fdma.c"],"versions":[{"version":"6.2","status":"affected"},{"version":"0","lessThan":"6.2","status":"unaffected","versionType":"semver"},{"version":"6.6.135","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.82","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.23","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19.13","lessThanOrEqual":"6.19.*","status":"unaffected","versionType":"semver"},{"version":"7.0","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.135"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.12.82"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.18.23"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.19.13"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"7.0"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/e63265f188ea39dcf5f546770650027528f3bd0f"},{"url":"https://git.kernel.org/stable/c/305832c53551cfbe6e5b81ca7ee765e60f4fe8e9"},{"url":"https://git.kernel.org/stable/c/b5dcb41ba891b55157006cac79825c78a32b409e"},{"url":"https://git.kernel.org/stable/c/7caf90d9ab97951a58d1de85ab7e7d7cca7a4513"},{"url":"https://git.kernel.org/stable/c/3fd0da4fd8851a7e62d009b7db6c4a05b092bc19"}],"title":"net: lan966x: fix page_pool error handling in lan966x_fdma_rx_alloc_page_pool()","x_generator":{"engine":"bippy-1.2.0"}}}}