What is CVE-2026-45940?

CVE-2026-45940 is a unscored severity Linux kernel vulnerability, affecting Linux kernel versions from 5.4 onward and patched in 6.18.14, 6.19.4 and 7.0. CVE-2026-45940 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2026-45940?

CVE-2026-45940 has a CVSS score of pending NVD analysis out of 10, rated awaiting scoring severity.

Is there a patch available for CVE-2026-45940?

Yes, CVE-2026-45940 has been patched. Fixed versions include 6.18.14, 6.19.4 and 7.0. If you are running Linux kernel 5.4 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2026-45940 actively exploited?

CVE-2026-45940 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2026-45940

In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix oops when split header is enabled For GMAC4, when split header is enabled, in some rare cases, the hardware does not fill buf2 of the first descriptor with payload. Thus we cannot assume buf2 is always fully filled if it is not the last descriptor. Otherwise, the length of buf2 of the second descriptor will be calculated wrong and cause an oops: Unable to handle kernel paging request at virtual address ffff00019246bfc0 ... x2 : 0000000000000040 x1 : ffff00019246bfc0 x0 : ffff00009246c000 Call trace: dcache_inval_poc+0x28/0x58 (P) dma_direct_sync_single_for_cpu+0x38/0x6c __dma_sync_single_for_cpu+0x34/0x6c stmmac_napi_poll_rx+0x8f0/0xb60 __napi_poll.constprop.0+0x30/0x144 net_rx_action+0x160/0x274 handle_softirqs+0x1b8/0x1fc ... To fix this, the PL bit-field in RDES3 register is used for all descriptors, whether it is the last descriptor or not.

Package Linux Kernel

Published 2026-05-27

Last modified 2026-05-27

Patch available

Yes

Affected versions

Linux kernel versions 5.4 and later are affected. Fixed in 6.18.14, 6.19.4, 7.0 and their respective stable series.

Affected from

≥ 5.4

Fixed in

✓ 6.18.14 6.18.x ✓ 6.19.4 6.19.x ✓ 7.0

References

The following references provide additional information about CVE-2026-45940 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/36f81cb7d82e9614a7058da6abdf2e3a03993df1
Patch
Kernel patch commit
https://git.kernel.org/stable/c/b1f23df09e7dbf4c86b6908dff7efb8cb2b7d609
Patch
Kernel patch commit
https://git.kernel.org/stable/c/babab1b42ed68877ef669a08384becf281ad2582
Patch

Frequently asked questions

What is CVE-2026-45940?

CVE-2026-45940 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 5.4 onward and has been patched in 6.18.14, 6.19.4 and 7.0. CVE-2026-45940 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
Is there a patch available for CVE-2026-45940?

Yes — CVE-2026-45940 has been patched. Fixed versions include 6.18.14, 6.19.4 and 7.0. If you are running Linux kernel 5.4 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2026-45940 actively exploited?

No — CVE-2026-45940 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.