CVE-2026-43371 (GCVE-0-2026-43371)

Vulnerability from cvelistv5 – Published: 2026-05-08 14:21 – Updated: 2026-05-08 14:21
VLAI?
Title
net: macb: Shuffle the tx ring before enabling tx
Summary
In the Linux kernel, the following vulnerability has been resolved: net: macb: Shuffle the tx ring before enabling tx Quanyang observed that when using an NFS rootfs on an AMD ZynqMp board, the rootfs may take an extended time to recover after a suspend. Upon investigation, it was determined that the issue originates from a problem in the macb driver. According to the Zynq UltraScale TRM [1], when transmit is disabled, the transmit buffer queue pointer resets to point to the address specified by the transmit buffer queue base address register. In the current implementation, the code merely resets `queue->tx_head` and `queue->tx_tail` to '0'. This approach presents several issues: - Packets already queued in the tx ring are silently lost, leading to memory leaks since the associated skbs cannot be released. - Concurrent write access to `queue->tx_head` and `queue->tx_tail` may occur from `macb_tx_poll()` or `macb_start_xmit()` when these values are reset to '0'. - The transmission may become stuck on a packet that has already been sent out, with its 'TX_USED' bit set, but has not yet been processed. However, due to the manipulation of 'queue->tx_head' and 'queue->tx_tail', `macb_tx_poll()` incorrectly assumes there are no packets to handle because `queue->tx_head == queue->tx_tail`. This issue is only resolved when a new packet is placed at this position. This is the root cause of the prolonged recovery time observed for the NFS root filesystem. To resolve this issue, shuffle the tx ring and tx skb array so that the first unsent packet is positioned at the start of the tx ring. Additionally, ensure that updates to `queue->tx_head` and `queue->tx_tail` are properly protected with the appropriate lock. [1] https://docs.amd.com/v/u/en-US/ug1085-zynq-ultrascale-trm
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: d89b8b17057e16fad4564c71160e68ca549c1b42 , < c6783bfa31a59f34fe4feb1bdbf67791ef3fb0b7 (git)
Affected: ec4445ae9e58aed88561d3d1dfa849b039c7782e , < 0a47c3889fcd843c72aa57fa8c4d06f5801fced4 (git)
Affected: 6e704e89f16fd4a1145756210bc210f14f174f94 , < 88f974fe118cb4653f029929ecbca7cfe06132ae (git)
Affected: 316d9fe71fb18bc9b1dba464fdb68dd201315eba , < 58f5d34f88e8f00910b692537f7b2efdb8c3705d (git)
Affected: b3a7aa33ca7d46be513fccf832d3540acfe587d0 , < 403182e0771b250cfde0fe7e1081d095ceaf8230 (git)
Affected: bf9cf80cab81e39701861a42877a28295ade266f , < 881a0263d502e1a93ebc13a78254e9ad19520232 (git)
Create a notification for this product.
    Linux Linux Affected: 6.1.165 , < 6.1.167 (semver)
Affected: 6.6.128 , < 6.6.130 (semver)
Affected: 6.12.75 , < 6.12.78 (semver)
Affected: 6.18.16 , < 6.18.20 (semver)
Affected: 6.19.6 , < 6.19.9 (semver)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/cadence/macb_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c6783bfa31a59f34fe4feb1bdbf67791ef3fb0b7",
              "status": "affected",
              "version": "d89b8b17057e16fad4564c71160e68ca549c1b42",
              "versionType": "git"
            },
            {
              "lessThan": "0a47c3889fcd843c72aa57fa8c4d06f5801fced4",
              "status": "affected",
              "version": "ec4445ae9e58aed88561d3d1dfa849b039c7782e",
              "versionType": "git"
            },
            {
              "lessThan": "88f974fe118cb4653f029929ecbca7cfe06132ae",
              "status": "affected",
              "version": "6e704e89f16fd4a1145756210bc210f14f174f94",
              "versionType": "git"
            },
            {
              "lessThan": "58f5d34f88e8f00910b692537f7b2efdb8c3705d",
              "status": "affected",
              "version": "316d9fe71fb18bc9b1dba464fdb68dd201315eba",
              "versionType": "git"
            },
            {
              "lessThan": "403182e0771b250cfde0fe7e1081d095ceaf8230",
              "status": "affected",
              "version": "b3a7aa33ca7d46be513fccf832d3540acfe587d0",
              "versionType": "git"
            },
            {
              "lessThan": "881a0263d502e1a93ebc13a78254e9ad19520232",
              "status": "affected",
              "version": "bf9cf80cab81e39701861a42877a28295ade266f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/cadence/macb_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6.1.167",
              "status": "affected",
              "version": "6.1.165",
              "versionType": "semver"
            },
            {
              "lessThan": "6.6.130",
              "status": "affected",
              "version": "6.6.128",
              "versionType": "semver"
            },
            {
              "lessThan": "6.12.78",
              "status": "affected",
              "version": "6.12.75",
              "versionType": "semver"
            },
            {
              "lessThan": "6.18.20",
              "status": "affected",
              "version": "6.18.16",
              "versionType": "semver"
            },
            {
              "lessThan": "6.19.9",
              "status": "affected",
              "version": "6.19.6",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.167",
                  "versionStartIncluding": "6.1.165",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.130",
                  "versionStartIncluding": "6.6.128",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.78",
                  "versionStartIncluding": "6.12.75",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.20",
                  "versionStartIncluding": "6.18.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.9",
                  "versionStartIncluding": "6.19.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: macb: Shuffle the tx ring before enabling tx\n\nQuanyang observed that when using an NFS rootfs on an AMD ZynqMp board,\nthe rootfs may take an extended time to recover after a suspend.\nUpon investigation, it was determined that the issue originates from a\nproblem in the macb driver.\n\nAccording to the Zynq UltraScale TRM [1], when transmit is disabled,\nthe transmit buffer queue pointer resets to point to the address\nspecified by the transmit buffer queue base address register.\n\nIn the current implementation, the code merely resets `queue-\u003etx_head`\nand `queue-\u003etx_tail` to \u00270\u0027. This approach presents several issues:\n\n- Packets already queued in the tx ring are silently lost,\n  leading to memory leaks since the associated skbs cannot be released.\n\n- Concurrent write access to `queue-\u003etx_head` and `queue-\u003etx_tail` may\n  occur from `macb_tx_poll()` or `macb_start_xmit()` when these values\n  are reset to \u00270\u0027.\n\n- The transmission may become stuck on a packet that has already been sent\n  out, with its \u0027TX_USED\u0027 bit set, but has not yet been processed. However,\n  due to the manipulation of \u0027queue-\u003etx_head\u0027 and \u0027queue-\u003etx_tail\u0027,\n  `macb_tx_poll()` incorrectly assumes there are no packets to handle\n  because `queue-\u003etx_head == queue-\u003etx_tail`. This issue is only resolved\n  when a new packet is placed at this position. This is the root cause of\n  the prolonged recovery time observed for the NFS root filesystem.\n\nTo resolve this issue, shuffle the tx ring and tx skb array so that\nthe first unsent packet is positioned at the start of the tx ring.\nAdditionally, ensure that updates to `queue-\u003etx_head` and\n`queue-\u003etx_tail` are properly protected with the appropriate lock.\n\n[1] https://docs.amd.com/v/u/en-US/ug1085-zynq-ultrascale-trm"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-08T14:21:22.577Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c6783bfa31a59f34fe4feb1bdbf67791ef3fb0b7"
        },
        {
          "url": "https://git.kernel.org/stable/c/0a47c3889fcd843c72aa57fa8c4d06f5801fced4"
        },
        {
          "url": "https://git.kernel.org/stable/c/88f974fe118cb4653f029929ecbca7cfe06132ae"
        },
        {
          "url": "https://git.kernel.org/stable/c/58f5d34f88e8f00910b692537f7b2efdb8c3705d"
        },
        {
          "url": "https://git.kernel.org/stable/c/403182e0771b250cfde0fe7e1081d095ceaf8230"
        },
        {
          "url": "https://git.kernel.org/stable/c/881a0263d502e1a93ebc13a78254e9ad19520232"
        }
      ],
      "title": "net: macb: Shuffle the tx ring before enabling tx",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43371",
    "datePublished": "2026-05-08T14:21:22.577Z",
    "dateReserved": "2026-05-01T14:12:56.006Z",
    "dateUpdated": "2026-05-08T14:21:22.577Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-43371",
      "date": "2026-05-09",
      "epss": "0.00024",
      "percentile": "0.07036"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-43371\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-08T15:16:48.187\",\"lastModified\":\"2026-05-08T15:16:48.187\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnet: macb: Shuffle the tx ring before enabling tx\\n\\nQuanyang observed that when using an NFS rootfs on an AMD ZynqMp board,\\nthe rootfs may take an extended time to recover after a suspend.\\nUpon investigation, it was determined that the issue originates from a\\nproblem in the macb driver.\\n\\nAccording to the Zynq UltraScale TRM [1], when transmit is disabled,\\nthe transmit buffer queue pointer resets to point to the address\\nspecified by the transmit buffer queue base address register.\\n\\nIn the current implementation, the code merely resets `queue-\u003etx_head`\\nand `queue-\u003etx_tail` to \u00270\u0027. This approach presents several issues:\\n\\n- Packets already queued in the tx ring are silently lost,\\n  leading to memory leaks since the associated skbs cannot be released.\\n\\n- Concurrent write access to `queue-\u003etx_head` and `queue-\u003etx_tail` may\\n  occur from `macb_tx_poll()` or `macb_start_xmit()` when these values\\n  are reset to \u00270\u0027.\\n\\n- The transmission may become stuck on a packet that has already been sent\\n  out, with its \u0027TX_USED\u0027 bit set, but has not yet been processed. However,\\n  due to the manipulation of \u0027queue-\u003etx_head\u0027 and \u0027queue-\u003etx_tail\u0027,\\n  `macb_tx_poll()` incorrectly assumes there are no packets to handle\\n  because `queue-\u003etx_head == queue-\u003etx_tail`. This issue is only resolved\\n  when a new packet is placed at this position. This is the root cause of\\n  the prolonged recovery time observed for the NFS root filesystem.\\n\\nTo resolve this issue, shuffle the tx ring and tx skb array so that\\nthe first unsent packet is positioned at the start of the tx ring.\\nAdditionally, ensure that updates to `queue-\u003etx_head` and\\n`queue-\u003etx_tail` are properly protected with the appropriate lock.\\n\\n[1] https://docs.amd.com/v/u/en-US/ug1085-zynq-ultrascale-trm\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/0a47c3889fcd843c72aa57fa8c4d06f5801fced4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/403182e0771b250cfde0fe7e1081d095ceaf8230\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/58f5d34f88e8f00910b692537f7b2efdb8c3705d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/881a0263d502e1a93ebc13a78254e9ad19520232\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/88f974fe118cb4653f029929ecbca7cfe06132ae\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c6783bfa31a59f34fe4feb1bdbf67791ef3fb0b7\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.