CVE-2026-22993
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-23

Last updated on: 2026-04-02

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: idpf: Fix RSS LUT NULL ptr issue after soft reset During soft reset, the RSS LUT is freed and not restored unless the interface is up. If an ethtool command that accesses the rss lut is attempted immediately after reset, it will result in NULL ptr dereference. Also, there is no need to reset the rss lut if the soft reset does not involve queue count change. After soft reset, set the RSS LUT to default values based on the updated queue count only if the reset was a result of a queue count change and the LUT was not configured by the user. In all other cases, don't touch the LUT. Steps to reproduce: ** Bring the interface down (if up) ifconfig eth1 down ** update the queue count (eg., 27->20) ethtool -L eth1 combined 20 ** display the RSS LUT ethtool -x eth1 [82375.558338] BUG: kernel NULL pointer dereference, address: 0000000000000000 [82375.558373] #PF: supervisor read access in kernel mode [82375.558391] #PF: error_code(0x0000) - not-present page [82375.558408] PGD 0 P4D 0 [82375.558421] Oops: Oops: 0000 [#1] SMP NOPTI <snip> [82375.558516] RIP: 0010:idpf_get_rxfh+0x108/0x150 [idpf] [82375.558786] Call Trace: [82375.558793] <TASK> [82375.558804] rss_prepare.isra.0+0x187/0x2a0 [82375.558827] rss_prepare_data+0x3a/0x50 [82375.558845] ethnl_default_doit+0x13d/0x3e0 [82375.558863] genl_family_rcv_msg_doit+0x11f/0x180 [82375.558886] genl_rcv_msg+0x1ad/0x2b0 [82375.558902] ? __pfx_ethnl_default_doit+0x10/0x10 [82375.558920] ? __pfx_genl_rcv_msg+0x10/0x10 [82375.558937] netlink_rcv_skb+0x58/0x100 [82375.558957] genl_rcv+0x2c/0x50 [82375.558971] netlink_unicast+0x289/0x3e0 [82375.558988] netlink_sendmsg+0x215/0x440 [82375.559005] __sys_sendto+0x234/0x240 [82375.559555] __x64_sys_sendto+0x28/0x30 [82375.560068] x64_sys_call+0x1909/0x1da0 [82375.560576] do_syscall_64+0x7a/0xfa0 [82375.561076] ? clear_bhb_loop+0x60/0xb0 [82375.561567] entry_SYSCALL_64_after_hwframe+0x76/0x7e <snip>
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-23
Last Modified
2026-04-02
Generated
2026-05-06
AI Q&A
2026-01-23
EPSS Evaluated
2026-05-05
NVD
CVE-2026-22993
EUVD
EUVD-2026-4301
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 6.7 (inc) to 6.18.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability occurs in the Linux kernel's idpf driver where, after a soft reset, the RSS LUT (Receive Side Scaling Lookup Table) is freed but not restored unless the network interface is up. If an ethtool command tries to access the RSS LUT immediately after the reset, it causes a NULL pointer dereference, leading to a kernel crash. The issue arises because the RSS LUT is reset only if the queue count changes and the LUT was not user-configured; otherwise, it is left untouched, which can cause invalid memory access.


How can this vulnerability impact me? :

This vulnerability can cause a kernel NULL pointer dereference, resulting in a kernel crash (Oops) when certain ethtool commands are run immediately after a soft reset that changes the queue count. This can lead to system instability or denial of service on affected Linux systems using the idpf driver.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by reproducing the conditions that cause the issue and observing for a kernel NULL pointer dereference error. The steps include bringing the network interface down, updating the queue count, and then attempting to display the RSS LUT. The commands are: 1. Bring the interface down: ifconfig eth1 down 2. Update the queue count: ethtool -L eth1 combined 20 3. Display the RSS LUT: ethtool -x eth1 If the system logs show kernel NULL pointer dereference errors after these commands, the vulnerability is present.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation involves ensuring that after a soft reset, the RSS LUT is only reset to default values if the reset was due to a queue count change and the LUT was not configured by the user. Avoid accessing the RSS LUT immediately after a soft reset if the interface is not up. Also, avoid resetting the RSS LUT unnecessarily if the soft reset does not involve a queue count change.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart