{"id":"CVE-2026-31505","summary":"iavf: fix out-of-bounds writes in iavf_get_ethtool_stats()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\niavf: fix out-of-bounds writes in iavf_get_ethtool_stats()\n\niavf incorrectly uses real_num_tx_queues for ETH_SS_STATS. Since the\nvalue could change in runtime, we should use num_tx_queues instead.\n\nMoreover iavf_get_ethtool_stats() uses num_active_queues while\niavf_get_sset_count() and iavf_get_stat_strings() use\nreal_num_tx_queues, which triggers out-of-bounds writes when we do\n\"ethtool -L\" and \"ethtool -S\" simultaneously [1].\n\nFor example when we change channels from 1 to 8, Thread 3 could be\nscheduled before Thread 2, and out-of-bounds writes could be triggered\nin Thread 3:\n\nThread 1 (ethtool -L)       Thread 2 (work)        Thread 3 (ethtool -S)\niavf_set_channels()\n...\niavf_alloc_queues()\n-\u003e num_active_queues = 8\niavf_schedule_finish_config()\n                                                   iavf_get_sset_count()\n                                                   real_num_tx_queues: 1\n                                                   -\u003e buffer for 1 queue\n                                                   iavf_get_ethtool_stats()\n                                                   num_active_queues: 8\n                                                   -\u003e out-of-bounds!\n                            iavf_finish_config()\n                            -\u003e real_num_tx_queues = 8\n\nUse immutable num_tx_queues in all related functions to avoid the issue.\n\n[1]\n BUG: KASAN: vmalloc-out-of-bounds in iavf_add_one_ethtool_stat+0x200/0x270\n Write of size 8 at addr ffffc900031c9080 by task ethtool/5800\n\n CPU: 1 UID: 0 PID: 5800 Comm: ethtool Not tainted 6.19.0-enjuk-08403-g8137e3db7f1c #241 PREEMPT(full)\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n Call Trace:\n  \u003cTASK\u003e\n  dump_stack_lvl+0x6f/0xb0\n  print_report+0x170/0x4f3\n  kasan_report+0xe1/0x180\n  iavf_add_one_ethtool_stat+0x200/0x270\n  iavf_get_ethtool_stats+0x14c/0x2e0\n  __dev_ethtool+0x3d0c/0x5830\n  dev_ethtool+0x12d/0x270\n  dev_ioctl+0x53c/0xe30\n  sock_do_ioctl+0x1a9/0x270\n  sock_ioctl+0x3d4/0x5e0\n  __x64_sys_ioctl+0x137/0x1c0\n  do_syscall_64+0xf3/0x690\n  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n RIP: 0033:0x7f7da0e6e36d\n ...\n  \u003c/TASK\u003e\n\n The buggy address belongs to a 1-page vmalloc region starting at 0xffffc900031c9000 allocated at __dev_ethtool+0x3cc9/0x5830\n The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000\n index:0xffff88813a013de0 pfn:0x13a013\n flags: 0x200000000000000(node=0|zone=2)\n raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000\n raw: ffff88813a013de0 0000000000000000 00000001ffffffff 0000000000000000\n page dumped because: kasan: bad access detected\n\n Memory state around the buggy address:\n  ffffc900031c8f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n  ffffc900031c9000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n \u003effffc900031c9080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n                    ^\n  ffffc900031c9100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n  ffffc900031c9180: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8","modified":"2026-06-04T09:14:21.666455932Z","published":"2026-04-22T13:54:24.524Z","related":["SUSE-SU-2026:21841-1","SUSE-SU-2026:21845-1","SUSE-SU-2026:21860-1","SUSE-SU-2026:21876-1","SUSE-SU-2026:21877-1","SUSE-SU-2026:21916-1","SUSE-SU-2026:21919-1","SUSE-SU-2026:2195-1","SUSE-SU-2026:2215-1","SUSE-SU-2026:2216-1","SUSE-SU-2026:2217-1","SUSE-SU-2026:2238-1","openSUSE-SU-2026:20826-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31505.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1f931dee5b726df1940348ec31614d64bac03aa6"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bb85741d2dc2be207353a412f51b83697fcbefcf"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fdf902bf86a80bf15792a1d20a67a5302498d7f1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fecacfc95f195b99c71c579a472120d0b4ed65fa"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31505.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31505"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"64430f70ba6fcd5872ac190f4ae3ddee3f48f00d"},{"fixed":"1f931dee5b726df1940348ec31614d64bac03aa6"},{"fixed":"bb85741d2dc2be207353a412f51b83697fcbefcf"},{"fixed":"fdf902bf86a80bf15792a1d20a67a5302498d7f1"},{"fixed":"fecacfc95f195b99c71c579a472120d0b4ed65fa"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31505.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.17.0"},{"fixed":"6.12.80"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.21"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.11"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-31505.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}