CVE-2026-22996
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-25

Last updated on: 2026-02-26

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Don't store mlx5e_priv in mlx5e_dev devlink priv mlx5e_priv is an unstable structure that can be memset(0) if profile attaching fails, mlx5e_priv in mlx5e_dev devlink private is used to reference the netdev and mdev associated with that struct. Instead, store netdev directly into mlx5e_dev and get mdev from the containing mlx5_adev aux device structure. This fixes a kernel oops in mlx5e_remove when switchdev mode fails due to change profile failure. $ devlink dev eswitch set pci/0000:00:03.0 mode switchdev Error: mlx5_core: Failed setting eswitch to offloads. dmesg: workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12 workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12 $ devlink dev reload pci/0000:00:03.0 ==> oops BUG: kernel NULL pointer dereference, address: 0000000000000520 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 3 UID: 0 PID: 521 Comm: devlink Not tainted 6.18.0-rc5+ #117 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:mlx5e_remove+0x68/0x130 RSP: 0018:ffffc900034838f0 EFLAGS: 00010246 RAX: ffff88810283c380 RBX: ffff888101874400 RCX: ffffffff826ffc45 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffff888102d789c0 R08: ffff8881007137f0 R09: ffff888100264e10 R10: ffffc90003483898 R11: ffffc900034838a0 R12: ffff888100d261a0 R13: ffff888100d261a0 R14: ffff8881018749a0 R15: ffff888101874400 FS: 00007f8565fea740(0000) GS:ffff88856a759000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000520 CR3: 000000010b11a004 CR4: 0000000000370ef0 Call Trace: <TASK> device_release_driver_internal+0x19c/0x200 bus_remove_device+0xc6/0x130 device_del+0x160/0x3d0 ? devl_param_driverinit_value_get+0x2d/0x90 mlx5_detach_device+0x89/0xe0 mlx5_unload_one_devl_locked+0x3a/0x70 mlx5_devlink_reload_down+0xc8/0x220 devlink_reload+0x7d/0x260 devlink_nl_reload_doit+0x45b/0x5a0 genl_family_rcv_msg_doit+0xe8/0x140
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-25
Last Modified
2026-02-26
Generated
2026-05-07
AI Q&A
2026-01-25
EPSS Evaluated
2026-05-05
NVD
CVE-2026-22996
EUVD
EUVD-2026-4630
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 5.12 (inc) to 6.12.67 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.7 (exc)
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability involves the Linux kernel's mlx5e driver where an unstable structure called mlx5e_priv is improperly stored in mlx5e_dev devlink private data. If profile attaching fails, mlx5e_priv can be zeroed out (memset(0)), but it is still referenced, leading to a kernel NULL pointer dereference (kernel oops) during device removal (mlx5e_remove). The fix involves storing the netdev directly instead of mlx5e_priv to avoid referencing invalid memory.


How can this vulnerability impact me? :

This vulnerability can cause a kernel crash (kernel oops) when the mlx5e driver fails to change or rollback network device profiles, potentially leading to system instability or denial of service on affected systems using the mlx5 driver for network devices.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by observing error messages and kernel oops logs related to mlx5e device operations. Specifically, running the command `devlink dev eswitch set pci/0000:00:03.0 mode switchdev` may produce errors such as 'mlx5_core: Failed setting eswitch to offloads.' Checking the kernel log with `dmesg` will show messages like 'mlx5e_priv_init failed, err=-12' and workqueue failures. Additionally, running `devlink dev reload pci/0000:00:03.0` may cause a kernel oops with a NULL pointer dereference in mlx5e_remove. Monitoring these commands and logs can help detect the presence of this vulnerability.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation involves avoiding operations that trigger the vulnerability, such as setting the eswitch mode to switchdev or reloading the mlx5 device using devlink commands that cause the kernel oops. Applying the kernel patch that fixes the handling of mlx5e_priv by storing netdev directly into mlx5e_dev instead of mlx5e_priv is necessary. Until the patch is applied, refrain from changing eswitch profiles or reloading mlx5 devices to prevent kernel crashes.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart