Vulnerability-Lookup

CVE-2026-31649 (GCVE-0-2026-31649)

Vulnerability from cvelistv5 – Published: 2026-04-24 14:45 – Updated: 2026-04-27 14:04

Title

net: stmmac: fix integer underflow in chain mode

Summary

In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix integer underflow in chain mode The jumbo_frm() chain-mode implementation unconditionally computes len = nopaged_len - bmax; where nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is BUF_SIZE_8KiB or BUF_SIZE_2KiB. However, the caller stmmac_xmit() decides to invoke jumbo_frm() based on skb->len (total length including page fragments): is_jumbo = stmmac_is_jumbo_frm(priv, skb->len, enh_desc); When a packet has a small linear portion (nopaged_len <= bmax) but a large total length due to page fragments (skb->len > bmax), the subtraction wraps as an unsigned integer, producing a huge len value (~0xFFFFxxxx). This causes the while (len != 0) loop to execute hundreds of thousands of iterations, passing skb->data + bmax * i pointers far beyond the skb buffer to dma_map_single(). On IOMMU-less SoCs (the typical deployment for stmmac), this maps arbitrary kernel memory to the DMA engine, constituting a kernel memory disclosure and potential memory corruption from hardware. Fix this by introducing a buf_len local variable clamped to min(nopaged_len, bmax). Computing len = nopaged_len - buf_len is then always safe: it is zero when the linear portion fits within a single descriptor, causing the while (len != 0) loop to be skipped naturally, and the fragment loop in stmmac_xmit() handles page fragments afterward.

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/513e06735f5be575b…
	https://git.kernel.org/stable/c/275bdf762e82082f0…
	https://git.kernel.org/stable/c/a2b68a9a476b9544f…
	https://git.kernel.org/stable/c/b7b8012193fd98236…
	https://git.kernel.org/stable/c/2c91b39912278d087…
	https://git.kernel.org/stable/c/6fca757c20396dc2e…
	https://git.kernel.org/stable/c/10d12b9240ebf96c7…
	https://git.kernel.org/stable/c/51f4e090b9f87b40c…

Impacted products

Vendor

Product

Version

Linux

Affected: 286a837217204b1ef105e3a554d0757e4fdfaac1 , < 513e06735f5be575b409d195822195348b164e48 (git)
Affected: 286a837217204b1ef105e3a554d0757e4fdfaac1 , < 275bdf762e82082f064e60a92448fa2ac43cf95b (git)
Affected: 286a837217204b1ef105e3a554d0757e4fdfaac1 , < a2b68a9a476b9544ff31f1fbcd5d80867a8a5e2f (git)
Affected: 286a837217204b1ef105e3a554d0757e4fdfaac1 , < b7b8012193fd98236d7ae05d4b553f010a77b2ef (git)
Affected: 286a837217204b1ef105e3a554d0757e4fdfaac1 , < 2c91b39912278d0878f9ba60ba04d2518b18a08d (git)
Affected: 286a837217204b1ef105e3a554d0757e4fdfaac1 , < 6fca757c20396dc2e604dcc61922264e9e3dc803 (git)
Affected: 286a837217204b1ef105e3a554d0757e4fdfaac1 , < 10d12b9240ebf96c785f0e2e4228318cd5f3a3eb (git)
Affected: 286a837217204b1ef105e3a554d0757e4fdfaac1 , < 51f4e090b9f87b40c21b6daadb5c06e6c0a07b67 (git)

Linux

Affected: 3.2
Unaffected: 0 , < 3.2 (semver)
Unaffected: 5.10.253 , ≤ 5.10.* (semver)
Unaffected: 5.15.203 , ≤ 5.15.* (semver)
Unaffected: 6.1.169 , ≤ 6.1.* (semver)
Unaffected: 6.6.135 , ≤ 6.6.* (semver)
Unaffected: 6.12.82 , ≤ 6.12.* (semver)
Unaffected: 6.18.23 , ≤ 6.18.* (semver)
Unaffected: 6.19.13 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/stmicro/stmmac/chain_mode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "513e06735f5be575b409d195822195348b164e48",
              "status": "affected",
              "version": "286a837217204b1ef105e3a554d0757e4fdfaac1",
              "versionType": "git"
            },
            {
              "lessThan": "275bdf762e82082f064e60a92448fa2ac43cf95b",
              "status": "affected",
              "version": "286a837217204b1ef105e3a554d0757e4fdfaac1",
              "versionType": "git"
            },
            {
              "lessThan": "a2b68a9a476b9544ff31f1fbcd5d80867a8a5e2f",
              "status": "affected",
              "version": "286a837217204b1ef105e3a554d0757e4fdfaac1",
              "versionType": "git"
            },
            {
              "lessThan": "b7b8012193fd98236d7ae05d4b553f010a77b2ef",
              "status": "affected",
              "version": "286a837217204b1ef105e3a554d0757e4fdfaac1",
              "versionType": "git"
            },
            {
              "lessThan": "2c91b39912278d0878f9ba60ba04d2518b18a08d",
              "status": "affected",
              "version": "286a837217204b1ef105e3a554d0757e4fdfaac1",
              "versionType": "git"
            },
            {
              "lessThan": "6fca757c20396dc2e604dcc61922264e9e3dc803",
              "status": "affected",
              "version": "286a837217204b1ef105e3a554d0757e4fdfaac1",
              "versionType": "git"
            },
            {
              "lessThan": "10d12b9240ebf96c785f0e2e4228318cd5f3a3eb",
              "status": "affected",
              "version": "286a837217204b1ef105e3a554d0757e4fdfaac1",
              "versionType": "git"
            },
            {
              "lessThan": "51f4e090b9f87b40c21b6daadb5c06e6c0a07b67",
              "status": "affected",
              "version": "286a837217204b1ef105e3a554d0757e4fdfaac1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/stmicro/stmmac/chain_mode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.2"
            },
            {
              "lessThan": "3.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.253",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.203",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.169",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.82",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.253",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.203",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.169",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.135",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.82",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.23",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.13",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "3.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: fix integer underflow in chain mode\n\nThe jumbo_frm() chain-mode implementation unconditionally computes\n\n    len = nopaged_len - bmax;\n\nwhere nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is\nBUF_SIZE_8KiB or BUF_SIZE_2KiB.  However, the caller stmmac_xmit()\ndecides to invoke jumbo_frm() based on skb-\u003elen (total length including\npage fragments):\n\n    is_jumbo = stmmac_is_jumbo_frm(priv, skb-\u003elen, enh_desc);\n\nWhen a packet has a small linear portion (nopaged_len \u003c= bmax) but a\nlarge total length due to page fragments (skb-\u003elen \u003e bmax), the\nsubtraction wraps as an unsigned integer, producing a huge len value\n(~0xFFFFxxxx).  This causes the while (len != 0) loop to execute\nhundreds of thousands of iterations, passing skb-\u003edata + bmax * i\npointers far beyond the skb buffer to dma_map_single().  On IOMMU-less\nSoCs (the typical deployment for stmmac), this maps arbitrary kernel\nmemory to the DMA engine, constituting a kernel memory disclosure and\npotential memory corruption from hardware.\n\nFix this by introducing a buf_len local variable clamped to\nmin(nopaged_len, bmax).  Computing len = nopaged_len - buf_len is then\nalways safe: it is zero when the linear portion fits within a single\ndescriptor, causing the while (len != 0) loop to be skipped naturally,\nand the fragment loop in stmmac_xmit() handles page fragments afterward."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-27T14:04:42.760Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/513e06735f5be575b409d195822195348b164e48"
        },
        {
          "url": "https://git.kernel.org/stable/c/275bdf762e82082f064e60a92448fa2ac43cf95b"
        },
        {
          "url": "https://git.kernel.org/stable/c/a2b68a9a476b9544ff31f1fbcd5d80867a8a5e2f"
        },
        {
          "url": "https://git.kernel.org/stable/c/b7b8012193fd98236d7ae05d4b553f010a77b2ef"
        },
        {
          "url": "https://git.kernel.org/stable/c/2c91b39912278d0878f9ba60ba04d2518b18a08d"
        },
        {
          "url": "https://git.kernel.org/stable/c/6fca757c20396dc2e604dcc61922264e9e3dc803"
        },
        {
          "url": "https://git.kernel.org/stable/c/10d12b9240ebf96c785f0e2e4228318cd5f3a3eb"
        },
        {
          "url": "https://git.kernel.org/stable/c/51f4e090b9f87b40c21b6daadb5c06e6c0a07b67"
        }
      ],
      "title": "net: stmmac: fix integer underflow in chain mode",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-31649",
    "datePublished": "2026-04-24T14:45:02.520Z",
    "dateReserved": "2026-03-09T15:48:24.128Z",
    "dateUpdated": "2026-04-27T14:04:42.760Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-31649",
      "date": "2026-05-05",
      "epss": "0.0007",
      "percentile": "0.21153"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-31649\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-04-24T15:16:44.330\",\"lastModified\":\"2026-04-27T20:13:49.587\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: stmmac: fix integer underflow in chain mode\\n\\nThe jumbo_frm() chain-mode implementation unconditionally computes\\n\\n    len = nopaged_len - bmax;\\n\\nwhere nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is\\nBUF_SIZE_8KiB or BUF_SIZE_2KiB.  However, the caller stmmac_xmit()\\ndecides to invoke jumbo_frm() based on skb-\u003elen (total length including\\npage fragments):\\n\\n    is_jumbo = stmmac_is_jumbo_frm(priv, skb-\u003elen, enh_desc);\\n\\nWhen a packet has a small linear portion (nopaged_len \u003c= bmax) but a\\nlarge total length due to page fragments (skb-\u003elen \u003e bmax), the\\nsubtraction wraps as an unsigned integer, producing a huge len value\\n(~0xFFFFxxxx).  This causes the while (len != 0) loop to execute\\nhundreds of thousands of iterations, passing skb-\u003edata + bmax * i\\npointers far beyond the skb buffer to dma_map_single().  On IOMMU-less\\nSoCs (the typical deployment for stmmac), this maps arbitrary kernel\\nmemory to the DMA engine, constituting a kernel memory disclosure and\\npotential memory corruption from hardware.\\n\\nFix this by introducing a buf_len local variable clamped to\\nmin(nopaged_len, bmax).  Computing len = nopaged_len - buf_len is then\\nalways safe: it is zero when the linear portion fits within a single\\ndescriptor, causing the while (len != 0) loop to be skipped naturally,\\nand the fragment loop in stmmac_xmit() handles page fragments afterward.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-190\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.2.1\",\"versionEndExcluding\":\"5.10.253\",\"matchCriteriaId\":\"A8136AA8-F2F0-4960-9AAF-176AC6ACEA92\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.203\",\"matchCriteriaId\":\"20DDB3E9-AABF-4107-ADB0-5362AA067045\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"6.1.169\",\"matchCriteriaId\":\"DBEC0E5D-641C-4E98-A6D9-5799B10CE451\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"6.6.135\",\"matchCriteriaId\":\"15C1A1B2-14EE-494C-AF3E-D5A7BA640B39\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7\",\"versionEndExcluding\":\"6.12.82\",\"matchCriteriaId\":\"02904CAE-71D2-45B3-9EC3-F6A9D18B6307\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.18.23\",\"matchCriteriaId\":\"E9E09FDD-9EE3-4A56-92E2-2B30AFD0072F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.19\",\"versionEndExcluding\":\"6.19.13\",\"matchCriteriaId\":\"1490EF9B-9080-481C-8D22-1306AAE664E4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:3.2:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"2BEBAC7C-43AE-4D02-A957-26F89F27E0AC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"F253B622-8837-4245-BCE5-A7BF8FC76A16\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"F666C8D8-6538-46D4-B318-87610DE64C34\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"02259FDA-961B-47BC-AE7F-93D7EC6E90C2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"1D2315C0-D46F-4F85-9754-F9E5E11374A6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*\",\"matchCriteriaId\":\"512EE3A8-A590-4501-9A94-5D4B268D6138\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/10d12b9240ebf96c785f0e2e4228318cd5f3a3eb\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/275bdf762e82082f064e60a92448fa2ac43cf95b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/2c91b39912278d0878f9ba60ba04d2518b18a08d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/513e06735f5be575b409d195822195348b164e48\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/51f4e090b9f87b40c21b6daadb5c06e6c0a07b67\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/6fca757c20396dc2e604dcc61922264e9e3dc803\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/a2b68a9a476b9544ff31f1fbcd5d80867a8a5e2f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/b7b8012193fd98236d7ae05d4b553f010a77b2ef\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}

MSRC_CVE-2026-31649

Vulnerability from csaf_microsoft - Published: 2026-04-02 00:00 - Updated: 2026-05-01 14:43

Summary

net: stmmac: fix integer underflow in chain mode

Notes

Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

CVE-2026-31649

None Available There is no fix available for this vulnerability as of now

Vendor Fix 0:6.6.137.1-1.azl3:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade https://learn.microsoft.com/en-us/azure/azure-lin…

References

URL

FKIE_CVE-2026-31649

Vulnerability from fkie_nvd - Published: 2026-04-24 15:16 - Updated: 2026-04-27 20:13

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/10d12b9240ebf96c785f0e2e4228318cd5f3a3eb	Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/275bdf762e82082f064e60a92448fa2ac43cf95b	Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/2c91b39912278d0878f9ba60ba04d2518b18a08d	Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/513e06735f5be575b409d195822195348b164e48	Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/51f4e090b9f87b40c21b6daadb5c06e6c0a07b67	Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/6fca757c20396dc2e604dcc61922264e9e3dc803	Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/a2b68a9a476b9544ff31f1fbcd5d80867a8a5e2f	Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67	https://git.kernel.org/stable/c/b7b8012193fd98236d7ae05d4b553f010a77b2ef	Patch

Impacted products

Vendor	Product	Version
linux	linux_kernel	*
linux	linux_kernel	*
linux	linux_kernel	*
linux	linux_kernel	*
linux	linux_kernel	*
linux	linux_kernel	*
linux	linux_kernel	*
linux	linux_kernel	3.2
linux	linux_kernel	7.0
linux	linux_kernel	7.0
linux	linux_kernel	7.0
linux	linux_kernel	7.0
linux	linux_kernel	7.0
linux	linux_kernel	7.0
linux	linux_kernel	7.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A8136AA8-F2F0-4960-9AAF-176AC6ACEA92",
              "versionEndExcluding": "5.10.253",
              "versionStartIncluding": "3.2.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "20DDB3E9-AABF-4107-ADB0-5362AA067045",
              "versionEndExcluding": "5.15.203",
              "versionStartIncluding": "5.11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DBEC0E5D-641C-4E98-A6D9-5799B10CE451",
              "versionEndExcluding": "6.1.169",
              "versionStartIncluding": "5.16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "15C1A1B2-14EE-494C-AF3E-D5A7BA640B39",
              "versionEndExcluding": "6.6.135",
              "versionStartIncluding": "6.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "02904CAE-71D2-45B3-9EC3-F6A9D18B6307",
              "versionEndExcluding": "6.12.82",
              "versionStartIncluding": "6.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E9E09FDD-9EE3-4A56-92E2-2B30AFD0072F",
              "versionEndExcluding": "6.18.23",
              "versionStartIncluding": "6.13",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1490EF9B-9080-481C-8D22-1306AAE664E4",
              "versionEndExcluding": "6.19.13",
              "versionStartIncluding": "6.19",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:3.2:-:*:*:*:*:*:*",
              "matchCriteriaId": "2BEBAC7C-43AE-4D02-A957-26F89F27E0AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*",
              "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*",
              "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*",
              "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: fix integer underflow in chain mode\n\nThe jumbo_frm() chain-mode implementation unconditionally computes\n\n    len = nopaged_len - bmax;\n\nwhere nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is\nBUF_SIZE_8KiB or BUF_SIZE_2KiB.  However, the caller stmmac_xmit()\ndecides to invoke jumbo_frm() based on skb-\u003elen (total length including\npage fragments):\n\n    is_jumbo = stmmac_is_jumbo_frm(priv, skb-\u003elen, enh_desc);\n\nWhen a packet has a small linear portion (nopaged_len \u003c= bmax) but a\nlarge total length due to page fragments (skb-\u003elen \u003e bmax), the\nsubtraction wraps as an unsigned integer, producing a huge len value\n(~0xFFFFxxxx).  This causes the while (len != 0) loop to execute\nhundreds of thousands of iterations, passing skb-\u003edata + bmax * i\npointers far beyond the skb buffer to dma_map_single().  On IOMMU-less\nSoCs (the typical deployment for stmmac), this maps arbitrary kernel\nmemory to the DMA engine, constituting a kernel memory disclosure and\npotential memory corruption from hardware.\n\nFix this by introducing a buf_len local variable clamped to\nmin(nopaged_len, bmax).  Computing len = nopaged_len - buf_len is then\nalways safe: it is zero when the linear portion fits within a single\ndescriptor, causing the while (len != 0) loop to be skipped naturally,\nand the fragment loop in stmmac_xmit() handles page fragments afterward."
    }
  ],
  "id": "CVE-2026-31649",
  "lastModified": "2026-04-27T20:13:49.587",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-24T15:16:44.330",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/10d12b9240ebf96c785f0e2e4228318cd5f3a3eb"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/275bdf762e82082f064e60a92448fa2ac43cf95b"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/2c91b39912278d0878f9ba60ba04d2518b18a08d"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/513e06735f5be575b409d195822195348b164e48"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/51f4e090b9f87b40c21b6daadb5c06e6c0a07b67"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/6fca757c20396dc2e604dcc61922264e9e3dc803"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/a2b68a9a476b9544ff31f1fbcd5d80867a8a5e2f"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/b7b8012193fd98236d7ae05d4b553f010a77b2ef"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-190"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CERTFR-2026-AVI-0526

Vulnerability from certfr_avis - Published: 2026-05-04 - Updated: 2026-05-04

De multiples vulnérabilités ont été découvertes dans les produits Microsoft. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

	Vendor	Product	Description
	Microsoft	N/A	azl3 kernel versions antérieures à 6.6.137.1-1

References

Title

Publication Time

Tags

Bulletin de sécurité Microsoft CVE-2026-31629	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31639	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31694	2026-05-02	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31662	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31651	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31661	2026-04-29	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31671	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31656	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31595	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31700	2026-05-02	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31430	2026-04-22	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31599	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31685	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31607	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31659	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31673	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31612	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31638	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31532	2026-04-24	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31625	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31586	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31649	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31676	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31684	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31657	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31431	2026-04-23	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31585	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31611	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31637	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31689	2026-04-29	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31624	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31615	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31627	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31642	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31704	2026-05-02	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31668	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31508	2026-04-30	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31578	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31696	2026-05-02	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31587	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31577	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31711	2026-05-02	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31626	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31670	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31583	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31618	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31708	2026-05-02	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31588	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31658	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31705	2026-05-02	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31669	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31623	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31622	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31603	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31594	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31721	2026-05-02	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31660	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31628	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-43033	2026-05-02	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31619	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31648	2026-04-29	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31698	2026-05-02	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31655	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31699	2026-05-02	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31634	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31665	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31605	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31597	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31697	2026-05-02	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31664	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31702	2026-05-02	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31590	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31596	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31681	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31533	2026-05-01	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31610	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31667	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31604	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31672	2026-04-26	vendor-advisory
Bulletin de sécurité Microsoft CVE-2026-31646	2026-04-26	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "azl3 kernel versions ant\u00e9rieures \u00e0 6.6.137.1-1",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Microsoft",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2026-31623",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31623"
    },
    {
      "name": "CVE-2026-31619",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31619"
    },
    {
      "name": "CVE-2026-31658",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31658"
    },
    {
      "name": "CVE-2026-31618",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31618"
    },
    {
      "name": "CVE-2026-31578",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31578"
    },
    {
      "name": "CVE-2026-31696",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31696"
    },
    {
      "name": "CVE-2026-31704",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31704"
    },
    {
      "name": "CVE-2026-31685",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31685"
    },
    {
      "name": "CVE-2026-31656",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31656"
    },
    {
      "name": "CVE-2026-31698",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31698"
    },
    {
      "name": "CVE-2026-31664",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31664"
    },
    {
      "name": "CVE-2026-31597",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31597"
    },
    {
      "name": "CVE-2026-31586",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31586"
    },
    {
      "name": "CVE-2026-31721",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31721"
    },
    {
      "name": "CVE-2026-31655",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31655"
    },
    {
      "name": "CVE-2026-31711",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31711"
    },
    {
      "name": "CVE-2026-31611",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31611"
    },
    {
      "name": "CVE-2026-31431",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31431"
    },
    {
      "name": "CVE-2026-31599",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31599"
    },
    {
      "name": "CVE-2026-31668",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31668"
    },
    {
      "name": "CVE-2026-31583",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31583"
    },
    {
      "name": "CVE-2026-31605",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31605"
    },
    {
      "name": "CVE-2026-31681",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31681"
    },
    {
      "name": "CVE-2026-43033",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-43033"
    },
    {
      "name": "CVE-2026-31622",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31622"
    },
    {
      "name": "CVE-2026-31595",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31595"
    },
    {
      "name": "CVE-2026-31642",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31642"
    },
    {
      "name": "CVE-2026-31659",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31659"
    },
    {
      "name": "CVE-2026-31638",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31638"
    },
    {
      "name": "CVE-2026-31588",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31588"
    },
    {
      "name": "CVE-2026-31689",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31689"
    },
    {
      "name": "CVE-2026-31697",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31697"
    },
    {
      "name": "CVE-2026-31670",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31670"
    },
    {
      "name": "CVE-2026-31533",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31533"
    },
    {
      "name": "CVE-2026-31615",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31615"
    },
    {
      "name": "CVE-2026-31594",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31594"
    },
    {
      "name": "CVE-2026-31661",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31661"
    },
    {
      "name": "CVE-2026-31705",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31705"
    },
    {
      "name": "CVE-2026-31684",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31684"
    },
    {
      "name": "CVE-2026-31625",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31625"
    },
    {
      "name": "CVE-2026-31669",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31669"
    },
    {
      "name": "CVE-2026-31671",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31671"
    },
    {
      "name": "CVE-2026-31694",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31694"
    },
    {
      "name": "CVE-2026-31699",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31699"
    },
    {
      "name": "CVE-2026-31628",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31628"
    },
    {
      "name": "CVE-2026-31662",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31662"
    },
    {
      "name": "CVE-2026-31627",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31627"
    },
    {
      "name": "CVE-2026-31665",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31665"
    },
    {
      "name": "CVE-2026-31672",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31672"
    },
    {
      "name": "CVE-2026-31626",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31626"
    },
    {
      "name": "CVE-2026-31634",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31634"
    },
    {
      "name": "CVE-2026-31610",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31610"
    },
    {
      "name": "CVE-2026-31648",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31648"
    },
    {
      "name": "CVE-2026-31660",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31660"
    },
    {
      "name": "CVE-2026-31607",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31607"
    },
    {
      "name": "CVE-2026-31637",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31637"
    },
    {
      "name": "CVE-2026-31612",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31612"
    },
    {
      "name": "CVE-2026-31590",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31590"
    },
    {
      "name": "CVE-2026-31604",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31604"
    },
    {
      "name": "CVE-2026-31532",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31532"
    },
    {
      "name": "CVE-2026-31430",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31430"
    },
    {
      "name": "CVE-2026-31596",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31596"
    },
    {
      "name": "CVE-2026-31676",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31676"
    },
    {
      "name": "CVE-2026-31603",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31603"
    },
    {
      "name": "CVE-2026-31649",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31649"
    },
    {
      "name": "CVE-2026-31577",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31577"
    },
    {
      "name": "CVE-2026-31702",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31702"
    },
    {
      "name": "CVE-2026-31587",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31587"
    },
    {
      "name": "CVE-2026-31708",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31708"
    },
    {
      "name": "CVE-2026-31651",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31651"
    },
    {
      "name": "CVE-2026-31657",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31657"
    },
    {
      "name": "CVE-2026-31624",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31624"
    },
    {
      "name": "CVE-2026-31585",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31585"
    },
    {
      "name": "CVE-2026-31646",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31646"
    },
    {
      "name": "CVE-2026-31700",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31700"
    },
    {
      "name": "CVE-2026-31639",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31639"
    },
    {
      "name": "CVE-2026-31508",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31508"
    },
    {
      "name": "CVE-2026-31629",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31629"
    },
    {
      "name": "CVE-2026-31673",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31673"
    },
    {
      "name": "CVE-2026-31667",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-31667"
    }
  ],
  "initial_release_date": "2026-05-04T00:00:00",
  "last_revision_date": "2026-05-04T00:00:00",
  "links": [],
  "reference": "CERTFR-2026-AVI-0526",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2026-05-04T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Microsoft. Elles permettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Microsoft",
  "vendor_advisories": [
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31629",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31629"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31639",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31639"
    },
    {
      "published_at": "2026-05-02",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31694",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31694"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31662",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31662"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31651",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31651"
    },
    {
      "published_at": "2026-04-29",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31661",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31661"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31671",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31671"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31656",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31656"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31595",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31595"
    },
    {
      "published_at": "2026-05-02",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31700",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31700"
    },
    {
      "published_at": "2026-04-22",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31430",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31430"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31599",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31599"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31685",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31685"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31607",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31607"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31659",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31659"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31673",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31673"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31612",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31612"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31638",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31638"
    },
    {
      "published_at": "2026-04-24",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31532",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31532"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31625",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31625"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31586",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31586"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31649",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31649"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31676",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31676"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31684",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31684"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31657",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31657"
    },
    {
      "published_at": "2026-04-23",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31431",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31431"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31585",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31585"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31611",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31611"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31637",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31637"
    },
    {
      "published_at": "2026-04-29",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31689",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31689"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31624",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31624"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31615",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31615"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31627",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31627"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31642",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31642"
    },
    {
      "published_at": "2026-05-02",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31704",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31704"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31668",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31668"
    },
    {
      "published_at": "2026-04-30",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31508",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31508"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31578",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31578"
    },
    {
      "published_at": "2026-05-02",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31696",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31696"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31587",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31587"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31577",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31577"
    },
    {
      "published_at": "2026-05-02",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31711",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31711"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31626",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31626"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31670",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31670"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31583",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31583"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31618",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31618"
    },
    {
      "published_at": "2026-05-02",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31708",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31708"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31588",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31588"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31658",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31658"
    },
    {
      "published_at": "2026-05-02",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31705",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31705"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31669",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31669"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31623",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31623"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31622",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31622"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31603",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31603"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31594",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31594"
    },
    {
      "published_at": "2026-05-02",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31721",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31721"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31660",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31660"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31628",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31628"
    },
    {
      "published_at": "2026-05-02",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-43033",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-43033"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31619",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31619"
    },
    {
      "published_at": "2026-04-29",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31648",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31648"
    },
    {
      "published_at": "2026-05-02",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31698",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31698"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31655",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31655"
    },
    {
      "published_at": "2026-05-02",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31699",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31699"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31634",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31634"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31665",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31665"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31605",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31605"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31597",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31597"
    },
    {
      "published_at": "2026-05-02",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31697",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31697"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31664",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31664"
    },
    {
      "published_at": "2026-05-02",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31702",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31702"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31590",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31590"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31596",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31596"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31681",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31681"
    },
    {
      "published_at": "2026-05-01",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31533",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31533"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31610",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31610"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31667",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31667"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31604",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31604"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31672",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31672"
    },
    {
      "published_at": "2026-04-26",
      "title": "Bulletin de s\u00e9curit\u00e9 Microsoft CVE-2026-31646",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-31646"
    }
  ]
}

GHSA-JV6M-V86W-343P

Vulnerability from github – Published: 2026-04-24 15:32 – Updated: 2026-04-27 15:30

Details

In the Linux kernel, the following vulnerability has been resolved:

net: stmmac: fix integer underflow in chain mode

The jumbo_frm() chain-mode implementation unconditionally computes

len = nopaged_len - bmax;

where nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is BUF_SIZE_8KiB or BUF_SIZE_2KiB. However, the caller stmmac_xmit() decides to invoke jumbo_frm() based on skb->len (total length including page fragments):

is_jumbo = stmmac_is_jumbo_frm(priv, skb->len, enh_desc);

When a packet has a small linear portion (nopaged_len <= bmax) but a large total length due to page fragments (skb->len > bmax), the subtraction wraps as an unsigned integer, producing a huge len value (~0xFFFFxxxx). This causes the while (len != 0) loop to execute hundreds of thousands of iterations, passing skb->data + bmax * i pointers far beyond the skb buffer to dma_map_single(). On IOMMU-less SoCs (the typical deployment for stmmac), this maps arbitrary kernel memory to the DMA engine, constituting a kernel memory disclosure and potential memory corruption from hardware.

Fix this by introducing a buf_len local variable clamped to min(nopaged_len, bmax). Computing len = nopaged_len - buf_len is then always safe: it is zero when the linear portion fits within a single descriptor, causing the while (len != 0) loop to be skipped naturally, and the fragment loop in stmmac_xmit() handles page fragments afterward.

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2026-31649"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-190"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-24T15:16:44Z",
    "severity": "CRITICAL"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: fix integer underflow in chain mode\n\nThe jumbo_frm() chain-mode implementation unconditionally computes\n\n    len = nopaged_len - bmax;\n\nwhere nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is\nBUF_SIZE_8KiB or BUF_SIZE_2KiB.  However, the caller stmmac_xmit()\ndecides to invoke jumbo_frm() based on skb-\u003elen (total length including\npage fragments):\n\n    is_jumbo = stmmac_is_jumbo_frm(priv, skb-\u003elen, enh_desc);\n\nWhen a packet has a small linear portion (nopaged_len \u003c= bmax) but a\nlarge total length due to page fragments (skb-\u003elen \u003e bmax), the\nsubtraction wraps as an unsigned integer, producing a huge len value\n(~0xFFFFxxxx).  This causes the while (len != 0) loop to execute\nhundreds of thousands of iterations, passing skb-\u003edata + bmax * i\npointers far beyond the skb buffer to dma_map_single().  On IOMMU-less\nSoCs (the typical deployment for stmmac), this maps arbitrary kernel\nmemory to the DMA engine, constituting a kernel memory disclosure and\npotential memory corruption from hardware.\n\nFix this by introducing a buf_len local variable clamped to\nmin(nopaged_len, bmax).  Computing len = nopaged_len - buf_len is then\nalways safe: it is zero when the linear portion fits within a single\ndescriptor, causing the while (len != 0) loop to be skipped naturally,\nand the fragment loop in stmmac_xmit() handles page fragments afterward.",
  "id": "GHSA-jv6m-v86w-343p",
  "modified": "2026-04-27T15:30:46Z",
  "published": "2026-04-24T15:32:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31649"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/10d12b9240ebf96c785f0e2e4228318cd5f3a3eb"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/275bdf762e82082f064e60a92448fa2ac43cf95b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2c91b39912278d0878f9ba60ba04d2518b18a08d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/513e06735f5be575b409d195822195348b164e48"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/51f4e090b9f87b40c21b6daadb5c06e6c0a07b67"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6fca757c20396dc2e604dcc61922264e9e3dc803"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a2b68a9a476b9544ff31f1fbcd5d80867a8a5e2f"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b7b8012193fd98236d7ae05d4b553f010a77b2ef"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-31649 (GCVE-0-2026-31649)

MSRC_CVE-2026-31649

FKIE_CVE-2026-31649

CERTFR-2026-AVI-0526

Solutions

GHSA-JV6M-V86W-343P

Tags

Sightings

Nomenclature