CVE-2026-23035
BaseFortify

Publication date: 2026-01-31

Last updated on: 2026-02-03

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv

mlx5e_priv is an unstable structure that can be memset(0) if profile attaching fails.

Pass netdev to mlx5e_destroy_netdev() to guarantee it will work on a valid netdev.

On mlx5e_remove: Check validity of priv->profile, before attempting to cleanup any resources that might be not there.

This fixes a kernel oops in mlx5e_remove when switchdev mode fails due to change profile failure.

    $ devlink dev eswitch set pci/0000:00:03.0 mode switchdev
    Error: mlx5_core: Failed setting eswitch to offloads.

    dmesg:
    workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
    mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12
    mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12
    workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
    mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12
    mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12

    $ devlink dev reload pci/0000:00:03.0 ==> oops

    BUG: kernel NULL pointer dereference, address: 0000000000000370
    PGD 0 P4D 0
    Oops: Oops: 0000 [#1] SMP NOPTI
    CPU: 15 UID: 0 PID: 520 Comm: devlink Not tainted 6.18.0-rc5+ #115 PREEMPT(voluntary)
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
    RIP: 0010:mlx5e_dcbnl_dscp_app+0x23/0x100
    RSP: 0018:ffffc9000083f8b8 EFLAGS: 00010286
    RAX: ffff8881126fc380 RBX: ffff8881015ac400 RCX: ffffffff826ffc45
    RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8881035109c0
    RBP: ffff8881035109c0 R08: ffff888101e3e838 R09: ffff888100264e10
    R10: ffffc9000083f898 R11: ffffc9000083f8a0 R12: ffff888101b921a0
    R13: ffff888101b921a0 R14: ffff8881015ac9a0 R15: ffff8881015ac400
    FS: 00007f789a3c8740(0000) GS:ffff88856aa59000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000000370 CR3: 000000010b6c0001 CR4: 0000000000370ef0
    Call Trace:
     <TASK>
     mlx5e_remove+0x57/0x110
     device_release_driver_internal+0x19c/0x200
     bus_remove_device+0xc6/0x130
     device_del+0x160/0x3d0
     ? devl_param_driverinit_value_get+0x2d/0x90
     mlx5_detach_device+0x89/0xe0
     mlx5_unload_one_devl_locked+0x3a/0x70
     mlx5_devlink_reload_down+0xc8/0x220
     devlink_reload+0x7d/0x260
     devlink_nl_reload_doit+0x45b/0x5a0
     genl_family_rcv_msg_doit+0xe8/0x140

Meta Information
Published: 2026-01-31
Last Modified: 2026-02-03
Generated: 2026-05-07
AI Q&A: 2026-01-31
EPSS Evaluated: 2026-05-05

Affected Vendors & Products
Showing 1 associated CPE
Vendor   Product   Version / Range
mlx      mlx5e     *

CWE ID: CWE-UNKNOWN

AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a kernel oops (crash) in the Linux kernel's mlx5e driver, which handles Mellanox network devices. It occurs when the switchdev mode fails due to a profile change failure. The issue arises because the mlx5e_priv structure can be zeroed out (memset(0)) if profile attaching fails, leading to invalid memory access during cleanup in mlx5e_remove. The fix involves passing a valid netdev pointer to mlx5e_destroy_netdev and checking the validity of priv->profile before cleanup to prevent the kernel from dereferencing a NULL pointer and crashing.


How can this vulnerability impact me?

This vulnerability can cause the Linux kernel to crash (kernel oops) when the mlx5e driver attempts to remove a network device after a failed profile change in switchdev mode. This can lead to system instability, potential downtime, and disruption of network services on affected systems using Mellanox mlx5e devices.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by observing error messages related to mlx5e in the system logs, especially when attempting to set the eswitch mode to switchdev or reload the device. Commands such as 'devlink dev eswitch set pci/0000:00:03.0 mode switchdev' may produce errors like 'mlx5_core: Failed setting eswitch to offloads.' Additionally, checking the kernel log with 'dmesg' for messages including 'mlx5e_priv_init failed', 'Failed to create a rescuer kthread for wq "mlx5e"', or kernel oops related to mlx5e_remove can indicate the presence of this issue.
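
The log check described in this answer, as an added example (not BaseFortify's or the kernel project's code): a POSIX shell filter that classifies a kernel log using only the messages quoted in the description. Treating the "failed to rollback to orig profile" line as the at-risk marker, and the function names and the OOPSED / AT_RISK / CLEAN labels, are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify a kernel log by the messages quoted in this advisory.

# Sample input assembled for this example from the dmesg excerpt in the
# description (state after the failed switchdev change, before any reload).
SAMPLE_LOG='workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12
mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12
mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12'

# Print the PCI address of every device whose profile change AND rollback
# failed. Assumption of this example: that line marks a device which should
# not be reloaded or unbound until the kernel carries the fix.
mlx5e_at_risk_devices() {
    sed -n 's/.*mlx5_core \([0-9a-fA-F:.]*\) .*mlx5e_netdev_change_profile: failed to rollback to orig profile.*/\1/p' | sort -u
}

# Succeed if a NULL-dereference oops is followed by an mlx5e_remove frame,
# i.e. the crash signature shown in the description has already occurred.
mlx5e_oops_seen() {
    awk '/BUG: kernel NULL pointer dereference/ { bug = 1 }
         bug && /mlx5e_remove\+0x/ { hit = 1 }
         END { exit (hit ? 0 : 1) }'
}

# Read a kernel log on stdin and print one of:
#   OOPSED | AT_RISK <pci addresses> | CLEAN
mlx5e_triage() {
    log=$(cat)
    devs=$(printf '%s\n' "$log" | mlx5e_at_risk_devices)
    if printf '%s\n' "$log" | mlx5e_oops_seen; then
        echo "OOPSED"
    elif [ -n "$devs" ]; then
        # $devs is left unquoted on purpose: one address per word, space-joined.
        echo "AT_RISK" $devs
    else
        echo "CLEAN"
    fi
}

# Demonstration on the embedded sample.
printf '%s\n' "$SAMPLE_LOG" | mlx5e_triage
```

On a live host, feed it the real log with `dmesg | mlx5e_triage` or `journalctl -k | mlx5e_triage`; the PCI address in the log is the address the driver printed, which may differ from the one passed to devlink.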


What immediate steps should I take to mitigate this vulnerability?

Until the kernel is updated with the fix, avoid operations that reach the mlx5e_remove function after profile attaching has failed: do not set the eswitch mode to switchdev, and do not reload the device. Monitoring for the specific error messages and kernel oops can help avoid unstable states. Ultimately, applying the kernel patch that passes netdev to mlx5e_destroy_netdev and checks the validity of priv->profile before cleanup will resolve the issue.

