CVE-2026-23210
Unknown Unknown - Not Provided
NULL Pointer Dereference in Linux ice Driver PTP VSI Rebuild

Publication date: 2026-02-14

Last updated on: 2026-04-02

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ice: Fix PTP NULL pointer dereference during VSI rebuild Fix race condition where PTP periodic work runs while VSI is being rebuilt, accessing NULL vsi->rx_rings. The sequence was: 1. ice_ptp_prepare_for_reset() cancels PTP work 2. ice_ptp_rebuild() immediately queues PTP work 3. VSI rebuild happens AFTER ice_ptp_rebuild() 4. PTP work runs and accesses NULL vsi->rx_rings Fix: Keep PTP work cancelled during rebuild, only queue it after VSI rebuild completes in ice_rebuild(). Added ice_ptp_queue_work() helper function to encapsulate the logic for queuing PTP work, ensuring it's only queued when PTP is supported and the state is ICE_PTP_READY. Error log: [ 121.392544] ice 0000:60:00.1: PTP reset successful [ 121.392692] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 121.392712] #PF: supervisor read access in kernel mode [ 121.392720] #PF: error_code(0x0000) - not-present page [ 121.392727] PGD 0 [ 121.392734] Oops: Oops: 0000 [#1] SMP NOPTI [ 121.392746] CPU: 8 UID: 0 PID: 1005 Comm: ice-ptp-0000:60 Tainted: G S 6.19.0-rc6+ #4 PREEMPT(voluntary) [ 121.392761] Tainted: [S]=CPU_OUT_OF_SPEC [ 121.392773] RIP: 0010:ice_ptp_update_cached_phctime+0xbf/0x150 [ice] [ 121.393042] Call Trace: [ 121.393047] <TASK> [ 121.393055] ice_ptp_periodic_work+0x69/0x180 [ice] [ 121.393202] kthread_worker_fn+0xa2/0x260 [ 121.393216] ? __pfx_ice_ptp_periodic_work+0x10/0x10 [ice] [ 121.393359] ? __pfx_kthread_worker_fn+0x10/0x10 [ 121.393371] kthread+0x10d/0x230 [ 121.393382] ? __pfx_kthread+0x10/0x10 [ 121.393393] ret_from_fork+0x273/0x2b0 [ 121.393407] ? __pfx_kthread+0x10/0x10 [ 121.393417] ret_from_fork_asm+0x1a/0x30 [ 121.393432] </TASK>
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-14
Last Modified
2026-04-02
Generated
2026-05-27
AI Q&A
2026-02-14
EPSS Evaluated
2026-05-25
NVD
CVE-2026-23210
EUVD
EUVD-2026-5836
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel 6.19
linux linux_kernel From 6.9 (inc) to 6.18.10 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's ice driver, specifically related to the Precision Time Protocol (PTP) functionality during a VSI (Virtual Station Interface) rebuild.

A race condition occurs where PTP periodic work runs while the VSI is being rebuilt, causing the code to access a NULL pointer (vsi->rx_rings). This happens because the PTP work is queued immediately after ice_ptp_rebuild() but before the VSI rebuild completes, leading to a NULL pointer dereference and a kernel crash.

The fix involves keeping the PTP work cancelled during the VSI rebuild and only queuing it after the rebuild completes, preventing the NULL pointer access.


How can this vulnerability impact me? :

This vulnerability can cause a kernel NULL pointer dereference, leading to a kernel crash (Oops) and potentially causing system instability or denial of service.

If exploited or triggered, it could disrupt network time synchronization services relying on PTP, affecting time-sensitive applications or systems.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring the system kernel logs for specific error messages related to the ice driver and PTP NULL pointer dereference.

  • Look for error logs similar to: "BUG: kernel NULL pointer dereference, address: 0000000000000000" and "ice 0000:60:00.1: PTP reset successful".
  • Check kernel logs using the command: dmesg | grep -i 'ice\|PTP\|NULL pointer dereference'
  • Alternatively, monitor /var/log/kern.log or /var/log/messages for these error patterns.

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, ensure that your Linux kernel is updated to a version where the ice driver has the fix applied.

The fix involves keeping PTP work cancelled during VSI rebuild and only queuing it after the rebuild completes, preventing the NULL pointer dereference.

If updating the kernel immediately is not possible, monitor for the error logs and consider temporarily disabling PTP support on affected devices to avoid triggering the race condition.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart