CVE-2026-23353
Received Received - Intake
NULL Pointer Dereference in Linux ice Driver Causes ethtool Crash

Publication date: 2026-03-25

Last updated on: 2026-04-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: ice: fix crash in ethtool offline loopback test Since the conversion of ice to page pool, the ethtool loopback test crashes: BUG: kernel NULL pointer dereference, address: 000000000000000c #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 1100f1067 P4D 0 Oops: Oops: 0002 [#1] SMP NOPTI CPU: 23 UID: 0 PID: 5904 Comm: ethtool Kdump: loaded Not tainted 6.19.0-0.rc7.260128g1f97d9dcf5364.49.eln154.x86_64 #1 PREEMPT(lazy) Hardware name: [...] RIP: 0010:ice_alloc_rx_bufs+0x1cd/0x310 [ice] Code: 83 6c 24 30 01 66 41 89 47 08 0f 84 c0 00 00 00 41 0f b7 dc 48 8b 44 24 18 48 c1 e3 04 41 bb 00 10 00 00 48 8d 2c 18 8b 04 24 <89> 45 0c 41 8b 4d 00 49 d3 e3 44 3b 5c 24 24 0f 83 ac fe ff ff 44 RSP: 0018:ff7894738aa1f768 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000700 RDI: 0000000000000000 RBP: 0000000000000000 R08: ff16dcae79880200 R09: 0000000000000019 R10: 0000000000000001 R11: 0000000000001000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: ff16dcae6c670000 FS: 00007fcf428850c0(0000) GS:ff16dcb149710000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000000c CR3: 0000000121227005 CR4: 0000000000773ef0 PKRU: 55555554 Call Trace: <TASK> ice_vsi_cfg_rxq+0xca/0x460 [ice] ice_vsi_cfg_rxqs+0x54/0x70 [ice] ice_loopback_test+0xa9/0x520 [ice] ice_self_test+0x1b9/0x280 [ice] ethtool_self_test+0xe5/0x200 __dev_ethtool+0x1106/0x1a90 dev_ethtool+0xbe/0x1a0 dev_ioctl+0x258/0x4c0 sock_do_ioctl+0xe3/0x130 __x64_sys_ioctl+0xb9/0x100 do_syscall_64+0x7c/0x700 entry_SYSCALL_64_after_hwframe+0x76/0x7e [...] It crashes because we have not initialized libeth for the rx ring. Fix it by treating ICE_VSI_LB VSIs slightly more like normal PF VSIs and letting them have a q_vector. It's just a dummy, because the loopback test does not use interrupts, but it contains a napi struct that can be passed to libeth_rx_fq_create() called from ice_vsi_cfg_rxq() -> ice_rxq_pp_create().
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-24
Generated
2026-05-07
AI Q&A
2026-03-25
EPSS Evaluated
2026-05-05
NVD
CVE-2026-23353
EUVD
EUVD-2026-15328
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.19.1 (inc) to 6.19.7 (exc)
linux linux_kernel 6.19
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a crash in the Linux kernel related to the ice network driver during the ethtool offline loopback test.

The crash occurs because the driver did not properly initialize the libeth component for the receive (rx) ring after converting ice to use a page pool.

Specifically, the kernel encounters a NULL pointer dereference leading to a crash when running the loopback test, due to missing initialization of a dummy q_vector that contains a napi struct needed by libeth.

The fix involved treating ICE_VSI_LB VSIs more like normal PF VSIs by providing this dummy q_vector to avoid the crash.


How can this vulnerability impact me? :

This vulnerability can cause the Linux kernel to crash when performing the ethtool offline loopback test on systems using the ice network driver.

A kernel crash can lead to system instability, downtime, and potential loss of data or network connectivity during the test.

However, the issue is specifically triggered by the loopback test and does not indicate a direct security breach or data compromise.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability causes a crash in the Linux kernel when running the ethtool offline loopback test on the ice driver. Detection can be done by observing kernel crash logs or oops messages related to the ice driver during the ethtool loopback test.

You can attempt to detect the vulnerability by running the following command on a system using the ice driver:

  • ethtool --test <interface> offline

If the system crashes or logs kernel oops messages referencing ice_alloc_rx_bufs or NULL pointer dereference in the ice driver, it indicates the presence of this vulnerability.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by updating the Linux kernel to a version where the ice driver properly initializes the rx ring for the ethtool offline loopback test.

Immediate mitigation steps include:

  • Avoid running the ethtool offline loopback test on interfaces using the ice driver until the kernel is updated.
  • Update the Linux kernel to a version that includes the fix for this vulnerability (post 6.19.0-0.rc7 or later where the fix is applied).
  • Monitor kernel logs for crashes related to the ice driver and avoid triggering the loopback test in automated scripts or monitoring tools.

Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart