CVE-2026-23041
NULL Pointer Dereference in Linux bnxt_en Driver Causes Crash
Publication date: 2026-02-04
Last updated on: 2026-02-04
Assigner: kernel.org
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| broadcom | bnxt_en | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's Broadcom bnxt_en network driver. It occurs when the initialization function bnxt_init_one() fails, triggering an error cleanup path that frees hardware resources and sets a DMA pool pointer to NULL. Later, during cleanup, the function bnxt_ptp_clear() calls ptp_clock_unregister(), which disables PTP events by calling the driver's enable callback bnxt_ptp_enable(). This callback tries to send hardware commands that require accessing the DMA pool, but since the pool pointer is NULL, it causes a NULL pointer dereference and a kernel crash.
The root cause is that ptp_clock_unregister() calls ptp_disable_all_events(), which calls bnxt_ptp_enable() after the DMA pool has already been freed, leading to the NULL pointer dereference. The fix involves clearing and unregistering the PTP clock before freeing the hardware resources.
How can this vulnerability impact me?
This vulnerability can cause a NULL pointer dereference in the Linux kernel, leading to a kernel crash (panic) or system instability when the bnxt_en network driver encounters an initialization failure. This can result in denial of service (DoS) conditions on affected systems, potentially disrupting network connectivity and impacting system availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed by ensuring that the PTP (Precision Time Protocol) clock is cleared and unregistered before the HWRM resources are freed in the bnxt_en driver.
Specifically, the fix calls bnxt_ptp_clear() before bnxt_free_hwrm_resources() in the error cleanup path of the driver's initialization.
To mitigate this vulnerability immediately, update your Linux kernel to a version that includes this fix (post commit f8f9c1f4d0c7, Linux 6.19-rc3 or later).
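The cleanup ordering described in the answers above, as an added user-space C model (not the driver's code and not part of the original page). The struct, the `null_pool_accesses` counter and `init_failure_cleanup()` are assumptions made for illustration, and the function bodies are simplified stand-ins for the kernel functions they are named after.

```c
#include <stdio.h>
/* User-space model; bodies are simplified assumptions, not driver source. */
struct bnxt_model {
    int *hwrm_dma_pool;      /* stand-in for the DMA pool pointer */
    int ptp_registered;
    int null_pool_accesses;  /* each one would be a kernel oops */
};

/* Enable callback: sending a hardware command needs the DMA pool. */
static void bnxt_ptp_enable(struct bnxt_model *bp)
{
    if (bp->hwrm_dma_pool == NULL)
        bp->null_pool_accesses++;  /* the driver would dereference NULL here */
    else
        (*bp->hwrm_dma_pool)++;    /* command sent through a valid pool */
}

/* Unregistering disables all PTP events through the enable callback. */
static void bnxt_ptp_clear(struct bnxt_model *bp)
{
    if (!bp->ptp_registered)
        return;
    bnxt_ptp_enable(bp);           /* models the ptp_clock_unregister() path */
    bp->ptp_registered = 0;
}

static void bnxt_free_hwrm_resources(struct bnxt_model *bp)
{
    bp->hwrm_dma_pool = NULL;      /* pool freed, pointer cleared */
}

/* Error cleanup after a failed init; fixed != 0 uses the corrected order. */
int init_failure_cleanup(int fixed)
{
    int pool = 0;
    struct bnxt_model bp = { &pool, 1, 0 };
    if (fixed)
        bnxt_ptp_clear(&bp);       /* PTP torn down while the pool is valid */
    bnxt_free_hwrm_resources(&bp);
    if (!fixed)
        bnxt_ptp_clear(&bp);       /* original order: pool is already NULL */
    return bp.null_pool_accesses;
}

int main(void)
{
    printf("original: %d, fixed: %d\n", init_failure_cleanup(0), init_failure_cleanup(1));
    return 0;
}
```

The model counts the NULL access instead of performing it, so both orderings can be run side by side.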