Memory Leak Affecting kernel-uek-modules-wireless package, versions <0:6.12.0-204.92.4.2.el9uek


Severity

Recommended
high

Based on Oracle Linux security rating.

Threat Intelligence

EPSS
0.12% (3rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-ORACLE9-KERNELUEKMODULESWIRELESS-17867832
  • published6 Jul 2026
  • disclosed8 May 2026

Introduced: 8 May 2026

CVE-2026-43371  (opens in a new tab)
CWE-401  (opens in a new tab)

How to fix?

Upgrade Oracle:9 kernel-uek-modules-wireless to version 0:6.12.0-204.92.4.2.el9uek or higher.
This issue was patched in ELSA-2026-50372.

NVD Description

Note: Versions mentioned in the description apply only to the upstream kernel-uek-modules-wireless package and not the kernel-uek-modules-wireless package as distributed by Oracle. See How to fix? for Oracle:9 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

net: macb: Shuffle the tx ring before enabling tx

Quanyang observed that when using an NFS rootfs on an AMD ZynqMp board, the rootfs may take an extended time to recover after a suspend. Upon investigation, it was determined that the issue originates from a problem in the macb driver.

According to the Zynq UltraScale TRM [1], when transmit is disabled, the transmit buffer queue pointer resets to point to the address specified by the transmit buffer queue base address register.

In the current implementation, the code merely resets queue-&gt;tx_head and queue-&gt;tx_tail to '0'. This approach presents several issues:

  • Packets already queued in the tx ring are silently lost, leading to memory leaks since the associated skbs cannot be released.

  • Concurrent write access to queue-&gt;tx_head and queue-&gt;tx_tail may occur from macb_tx_poll() or macb_start_xmit() when these values are reset to '0'.

  • The transmission may become stuck on a packet that has already been sent out, with its 'TX_USED' bit set, but has not yet been processed. However, due to the manipulation of 'queue->tx_head' and 'queue->tx_tail', macb_tx_poll() incorrectly assumes there are no packets to handle because queue-&gt;tx_head == queue-&gt;tx_tail. This issue is only resolved when a new packet is placed at this position. This is the root cause of the prolonged recovery time observed for the NFS root filesystem.

To resolve this issue, shuffle the tx ring and tx skb array so that the first unsent packet is positioned at the start of the tx ring. Additionally, ensure that updates to queue-&gt;tx_head and queue-&gt;tx_tail are properly protected with the appropriate lock.

[1] https://docs.amd.com/v/u/en-US/ug1085-zynq-ultrascale-trm

CVSS Base Scores

version 3.1