{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-43031", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-01T14:12:55.977Z", "datePublished": "2026-05-01T14:15:31.256Z", "dateUpdated": "2026-05-03T05:46:13.862Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-03T05:46:13.862Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: xilinx: axienet: Fix BQL accounting for multi-BD TX packets\n\nWhen a TX packet spans multiple buffer descriptors (scatter-gather),\naxienet_free_tx_chain sums the per-BD actual length from descriptor\nstatus into a caller-provided accumulator. That sum is reset on each\nNAPI poll. If the BDs for a single packet complete across different\npolls, the earlier bytes are lost and never credited to BQL. This\ncauses BQL to think bytes are permanently in-flight, eventually\nstalling the TX queue.\n\nThe SKB pointer is stored only on the last BD of a packet. When that\nBD completes, use skb->len for the byte count instead of summing\nper-BD status lengths. This matches netdev_sent_queue(), which debits\nskb->len, and naturally survives across polls because no partial\npacket contributes to the accumulator."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/xilinx/xilinx_axienet_main.c"], "versions": [{"version": "c900e49d58eb32b192b6d200ace4ae3ab89779d4", "lessThan": "2a0323a913109b52bfc9f5ea7b92a1b249e07d3e", "status": "affected", "versionType": "git"}, {"version": "c900e49d58eb32b192b6d200ace4ae3ab89779d4", "lessThan": "3c3a6b9020c01fde7b22e8550105de0b59904f61", "status": "affected", "versionType": "git"}, {"version": "c900e49d58eb32b192b6d200ace4ae3ab89779d4", "lessThan": "d1978d03e86785872871bff9c2623174b10740de", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/xilinx/xilinx_axienet_main.c"], "versions": [{"version": "6.15", "status": "affected"}, {"version": "0", "lessThan": "6.15", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.22", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.12", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "6.18.22"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "6.19.12"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/2a0323a913109b52bfc9f5ea7b92a1b249e07d3e"}, {"url": "https://git.kernel.org/stable/c/3c3a6b9020c01fde7b22e8550105de0b59904f61"}, {"url": "https://git.kernel.org/stable/c/d1978d03e86785872871bff9c2623174b10740de"}], "title": "net: xilinx: axienet: Fix BQL accounting for multi-BD TX packets", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: xilinx: axienet: Fix BQL accounting for multi-BD TX packets\n\nWhen a TX packet spans multiple buffer descriptors (scatter-gather),\naxienet_free_tx_chain sums the per-BD actual length from descriptor\nstatus into a caller-provided accumulator. That sum is reset on each\nNAPI poll. If the BDs for a single packet complete across different\npolls, the earlier bytes are lost and never credited to BQL. This\ncauses BQL to think bytes are permanently in-flight, eventually\nstalling the TX queue.\n\nThe SKB pointer is stored only on the last BD of a packet. When that\nBD completes, use skb->len for the byte count instead of summing\nper-BD status lengths. This matches netdev_sent_queue(), which debits\nskb->len, and naturally survives across polls because no partial\npacket contributes to the accumulator."}], "id": "CVE-2026-43031", "lastModified": "2026-05-03T07:16:23.010", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-05-01T15:16:47.680", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2a0323a913109b52bfc9f5ea7b92a1b249e07d3e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3c3a6b9020c01fde7b22e8550105de0b59904f61"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d1978d03e86785872871bff9c2623174b10740de"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: net: xilinx: axienet: Fix BQL accounting for multi-BD TX packets", "id": "2464364", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464364"}, "csaw": false, "cwe": "CWE-911", "details": ["A flaw was found in the Linux kernel's xilinx axienet network driver. This vulnerability arises from incorrect accounting of Buffer Queue Length (BQL), a mechanism that manages network buffer usage, for transmit (TX) packets that are split across multiple buffer descriptors. If these packet segments complete across different processing cycles, the system miscalculates the transmitted data. This error can cause the TX queue to stall, leading to a Denial of Service (DoS) for network communications."], "name": "CVE-2026-43031", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-05-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-43031\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-43031\nhttps://lore.kernel.org/linux-cve-announce/2026050101-CVE-2026-43031-f267@gregkh/T"]}