{"api_version":"1","generated_at":"2026-05-12T13:31:20+00:00","cve":"CVE-2026-43371","urls":{"html":"https://cve.report/CVE-2026-43371","api":"https://cve.report/api/cve/CVE-2026-43371.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-43371","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-43371"},"summary":{"title":"net: macb: Shuffle the tx ring before enabling tx","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: macb: Shuffle the tx ring before enabling tx\n\nQuanyang observed that when using an NFS rootfs on an AMD ZynqMp board,\nthe rootfs may take an extended time to recover after a suspend.\nUpon investigation, it was determined that the issue originates from a\nproblem in the macb driver.\n\nAccording to the Zynq UltraScale TRM [1], when transmit is disabled,\nthe transmit buffer queue pointer resets to point to the address\nspecified by the transmit buffer queue base address register.\n\nIn the current implementation, the code merely resets `queue->tx_head`\nand `queue->tx_tail` to '0'. This approach presents several issues:\n\n- Packets already queued in the tx ring are silently lost,\n  leading to memory leaks since the associated skbs cannot be released.\n\n- Concurrent write access to `queue->tx_head` and `queue->tx_tail` may\n  occur from `macb_tx_poll()` or `macb_start_xmit()` when these values\n  are reset to '0'.\n\n- The transmission may become stuck on a packet that has already been sent\n  out, with its 'TX_USED' bit set, but has not yet been processed. However,\n  due to the manipulation of 'queue->tx_head' and 'queue->tx_tail',\n  `macb_tx_poll()` incorrectly assumes there are no packets to handle\n  because `queue->tx_head == queue->tx_tail`. This issue is only resolved\n  when a new packet is placed at this position. This is the root cause of\n  the prolonged recovery time observed for the NFS root filesystem.\n\nTo resolve this issue, shuffle the tx ring and tx skb array so that\nthe first unsent packet is positioned at the start of the tx ring.\nAdditionally, ensure that updates to `queue->tx_head` and\n`queue->tx_tail` are properly protected with the appropriate lock.\n\n[1] https://docs.amd.com/v/u/en-US/ug1085-zynq-ultrascale-trm","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-08 15:16:48","updated_at":"2026-05-08 15:16:48"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/c6783bfa31a59f34fe4feb1bdbf67791ef3fb0b7","name":"https://git.kernel.org/stable/c/c6783bfa31a59f34fe4feb1bdbf67791ef3fb0b7","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/403182e0771b250cfde0fe7e1081d095ceaf8230","name":"https://git.kernel.org/stable/c/403182e0771b250cfde0fe7e1081d095ceaf8230","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/88f974fe118cb4653f029929ecbca7cfe06132ae","name":"https://git.kernel.org/stable/c/88f974fe118cb4653f029929ecbca7cfe06132ae","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/0a47c3889fcd843c72aa57fa8c4d06f5801fced4","name":"https://git.kernel.org/stable/c/0a47c3889fcd843c72aa57fa8c4d06f5801fced4","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/58f5d34f88e8f00910b692537f7b2efdb8c3705d","name":"https://git.kernel.org/stable/c/58f5d34f88e8f00910b692537f7b2efdb8c3705d","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/881a0263d502e1a93ebc13a78254e9ad19520232","name":"https://git.kernel.org/stable/c/881a0263d502e1a93ebc13a78254e9ad19520232","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-43371","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43371","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected d89b8b17057e16fad4564c71160e68ca549c1b42 c6783bfa31a59f34fe4feb1bdbf67791ef3fb0b7 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected ec4445ae9e58aed88561d3d1dfa849b039c7782e 0a47c3889fcd843c72aa57fa8c4d06f5801fced4 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6e704e89f16fd4a1145756210bc210f14f174f94 88f974fe118cb4653f029929ecbca7cfe06132ae git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 316d9fe71fb18bc9b1dba464fdb68dd201315eba 58f5d34f88e8f00910b692537f7b2efdb8c3705d git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected b3a7aa33ca7d46be513fccf832d3540acfe587d0 403182e0771b250cfde0fe7e1081d095ceaf8230 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected bf9cf80cab81e39701861a42877a28295ade266f 881a0263d502e1a93ebc13a78254e9ad19520232 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.1.165 6.1.167 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.6.128 6.6.130 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.12.75 6.12.78 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.18.16 6.18.20 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.19.6 6.19.9 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"43371","cve":"CVE-2026-43371","epss":"0.000240000","percentile":"0.070210000","score_date":"2026-05-11","updated_at":"2026-05-12 00:01:18"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/net/ethernet/cadence/macb_main.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"c6783bfa31a59f34fe4feb1bdbf67791ef3fb0b7","status":"affected","version":"d89b8b17057e16fad4564c71160e68ca549c1b42","versionType":"git"},{"lessThan":"0a47c3889fcd843c72aa57fa8c4d06f5801fced4","status":"affected","version":"ec4445ae9e58aed88561d3d1dfa849b039c7782e","versionType":"git"},{"lessThan":"88f974fe118cb4653f029929ecbca7cfe06132ae","status":"affected","version":"6e704e89f16fd4a1145756210bc210f14f174f94","versionType":"git"},{"lessThan":"58f5d34f88e8f00910b692537f7b2efdb8c3705d","status":"affected","version":"316d9fe71fb18bc9b1dba464fdb68dd201315eba","versionType":"git"},{"lessThan":"403182e0771b250cfde0fe7e1081d095ceaf8230","status":"affected","version":"b3a7aa33ca7d46be513fccf832d3540acfe587d0","versionType":"git"},{"lessThan":"881a0263d502e1a93ebc13a78254e9ad19520232","status":"affected","version":"bf9cf80cab81e39701861a42877a28295ade266f","versionType":"git"}]},{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/net/ethernet/cadence/macb_main.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"6.1.167","status":"affected","version":"6.1.165","versionType":"semver"},{"lessThan":"6.6.130","status":"affected","version":"6.6.128","versionType":"semver"},{"lessThan":"6.12.78","status":"affected","version":"6.12.75","versionType":"semver"},{"lessThan":"6.18.20","status":"affected","version":"6.18.16","versionType":"semver"},{"lessThan":"6.19.9","status":"affected","version":"6.19.6","versionType":"semver"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.167","versionStartIncluding":"6.1.165","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.130","versionStartIncluding":"6.6.128","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.78","versionStartIncluding":"6.12.75","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.20","versionStartIncluding":"6.18.16","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.9","versionStartIncluding":"6.19.6","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: macb: Shuffle the tx ring before enabling tx\n\nQuanyang observed that when using an NFS rootfs on an AMD ZynqMp board,\nthe rootfs may take an extended time to recover after a suspend.\nUpon investigation, it was determined that the issue originates from a\nproblem in the macb driver.\n\nAccording to the Zynq UltraScale TRM [1], when transmit is disabled,\nthe transmit buffer queue pointer resets to point to the address\nspecified by the transmit buffer queue base address register.\n\nIn the current implementation, the code merely resets `queue->tx_head`\nand `queue->tx_tail` to '0'. This approach presents several issues:\n\n- Packets already queued in the tx ring are silently lost,\n  leading to memory leaks since the associated skbs cannot be released.\n\n- Concurrent write access to `queue->tx_head` and `queue->tx_tail` may\n  occur from `macb_tx_poll()` or `macb_start_xmit()` when these values\n  are reset to '0'.\n\n- The transmission may become stuck on a packet that has already been sent\n  out, with its 'TX_USED' bit set, but has not yet been processed. However,\n  due to the manipulation of 'queue->tx_head' and 'queue->tx_tail',\n  `macb_tx_poll()` incorrectly assumes there are no packets to handle\n  because `queue->tx_head == queue->tx_tail`. This issue is only resolved\n  when a new packet is placed at this position. This is the root cause of\n  the prolonged recovery time observed for the NFS root filesystem.\n\nTo resolve this issue, shuffle the tx ring and tx skb array so that\nthe first unsent packet is positioned at the start of the tx ring.\nAdditionally, ensure that updates to `queue->tx_head` and\n`queue->tx_tail` are properly protected with the appropriate lock.\n\n[1] https://docs.amd.com/v/u/en-US/ug1085-zynq-ultrascale-trm"}],"providerMetadata":{"dateUpdated":"2026-05-08T14:21:22.577Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/c6783bfa31a59f34fe4feb1bdbf67791ef3fb0b7"},{"url":"https://git.kernel.org/stable/c/0a47c3889fcd843c72aa57fa8c4d06f5801fced4"},{"url":"https://git.kernel.org/stable/c/88f974fe118cb4653f029929ecbca7cfe06132ae"},{"url":"https://git.kernel.org/stable/c/58f5d34f88e8f00910b692537f7b2efdb8c3705d"},{"url":"https://git.kernel.org/stable/c/403182e0771b250cfde0fe7e1081d095ceaf8230"},{"url":"https://git.kernel.org/stable/c/881a0263d502e1a93ebc13a78254e9ad19520232"}],"title":"net: macb: Shuffle the tx ring before enabling tx","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-43371","datePublished":"2026-05-08T14:21:22.577Z","dateReserved":"2026-05-01T14:12:56.006Z","dateUpdated":"2026-05-08T14:21:22.577Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-08 15:16:48","lastModifiedDate":"2026-05-08 15:16:48","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"43371","Ordinal":"1","Title":"net: macb: Shuffle the tx ring before enabling tx","CVE":"CVE-2026-43371","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"43371","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: macb: Shuffle the tx ring before enabling tx\n\nQuanyang observed that when using an NFS rootfs on an AMD ZynqMp board,\nthe rootfs may take an extended time to recover after a suspend.\nUpon investigation, it was determined that the issue originates from a\nproblem in the macb driver.\n\nAccording to the Zynq UltraScale TRM [1], when transmit is disabled,\nthe transmit buffer queue pointer resets to point to the address\nspecified by the transmit buffer queue base address register.\n\nIn the current implementation, the code merely resets `queue->tx_head`\nand `queue->tx_tail` to '0'. This approach presents several issues:\n\n- Packets already queued in the tx ring are silently lost,\n  leading to memory leaks since the associated skbs cannot be released.\n\n- Concurrent write access to `queue->tx_head` and `queue->tx_tail` may\n  occur from `macb_tx_poll()` or `macb_start_xmit()` when these values\n  are reset to '0'.\n\n- The transmission may become stuck on a packet that has already been sent\n  out, with its 'TX_USED' bit set, but has not yet been processed. However,\n  due to the manipulation of 'queue->tx_head' and 'queue->tx_tail',\n  `macb_tx_poll()` incorrectly assumes there are no packets to handle\n  because `queue->tx_head == queue->tx_tail`. This issue is only resolved\n  when a new packet is placed at this position. This is the root cause of\n  the prolonged recovery time observed for the NFS root filesystem.\n\nTo resolve this issue, shuffle the tx ring and tx skb array so that\nthe first unsent packet is positioned at the start of the tx ring.\nAdditionally, ensure that updates to `queue->tx_head` and\n`queue->tx_tail` are properly protected with the appropriate lock.\n\n[1] https://docs.amd.com/v/u/en-US/ug1085-zynq-ultrascale-trm","Type":"Description","Title":"net: macb: Shuffle the tx ring before enabling tx"}]}}}