CVE-2026-23438
NULL Pointer Dereference in Linux mvpp2 Driver Causes Kernel Crash

Publication date: 2026-04-03

Last updated on: 2026-04-23

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

net: mvpp2: guard flow control update with global_tx_fc in buffer switching

mvpp2_bm_switch_buffers() unconditionally calls mvpp2_bm_pool_update_priv_fc() when switching between per-cpu and shared buffer pool modes. This function programs CM3 flow control registers via mvpp2_cm3_read()/mvpp2_cm3_write(), which dereference priv->cm3_base without any NULL check.

When the CM3 SRAM resource is not present in the device tree (the third reg entry added by commit 60523583b07c ("dts: marvell: add CM3 SRAM memory to cp11x ethernet device tree")), priv->cm3_base remains NULL and priv->global_tx_fc is false.

Any operation that triggers mvpp2_bm_switch_buffers(), for example an MTU change that crosses the jumbo frame threshold, will crash:

  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
  Mem abort info:
    ESR = 0x0000000096000006
    EC = 0x25: DABT (current EL), IL = 32 bits
  pc : readl+0x0/0x18
  lr : mvpp2_cm3_read.isra.0+0x14/0x20
  Call trace:
   readl+0x0/0x18
   mvpp2_bm_pool_update_fc+0x40/0x12c
   mvpp2_bm_pool_update_priv_fc+0x94/0xd8
   mvpp2_bm_switch_buffers.isra.0+0x80/0x1c0
   mvpp2_change_mtu+0x140/0x380
   __dev_set_mtu+0x1c/0x38
   dev_set_mtu_ext+0x78/0x118
   dev_set_mtu+0x48/0xa8
   dev_ifsioc+0x21c/0x43c
   dev_ioctl+0x2d8/0x42c
   sock_ioctl+0x314/0x378

Every other flow control call site in the driver already guards hardware access with either priv->global_tx_fc or port->tx_fc. mvpp2_bm_switch_buffers() is the only place that omits this check.

Add the missing priv->global_tx_fc guard to both the disable and re-enable calls in mvpp2_bm_switch_buffers(), consistent with the rest of the driver.

Meta Information
Published: 2026-04-03
Last Modified: 2026-04-23
Generated: 2026-05-07
AI Q&A: 2026-04-03
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 14 associated CPEs

Vendor  Product       Version / Range
linux   linux_kernel  5.12
linux   linux_kernel  7.0
linux   linux_kernel  7.0
linux   linux_kernel  7.0
linux   linux_kernel  7.0
linux   linux_kernel  7.0
linux   linux_kernel  7.0
linux   linux_kernel  7.0
linux   linux_kernel  From 6.2 (inc) to 6.6.130 (exc)
linux   linux_kernel  From 5.16 (inc) to 6.1.167 (exc)
linux   linux_kernel  From 6.7 (inc) to 6.12.78 (exc)
linux   linux_kernel  From 6.13 (inc) to 6.18.20 (exc)
linux   linux_kernel  From 6.19 (inc) to 6.19.10 (exc)
linux   linux_kernel  From 5.12.1 (inc) to 5.15.203 (exc)

CWE
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's mvpp2 network driver, specifically in the function mvpp2_bm_switch_buffers(). This function switches between per-CPU and shared buffer pool modes and calls mvpp2_bm_pool_update_priv_fc() without checking if a critical pointer (priv->cm3_base) is NULL.

If the CM3 SRAM resource is missing from the device tree, priv->cm3_base remains NULL and priv->global_tx_fc is false. When mvpp2_bm_switch_buffers() is triggered, for example by changing the MTU across the jumbo frame threshold, the kernel dereferences this NULL pointer, causing a crash.

The vulnerability is caused by a missing guard check (priv->global_tx_fc) before the hardware registers are accessed, a check that other parts of the driver already implement. The fix adds this missing guard to prevent the NULL pointer dereference.


How can this vulnerability impact me?

This vulnerability can cause the Linux kernel to crash due to a NULL pointer dereference when certain network buffer operations occur, such as changing the MTU size across the jumbo frame threshold.

A kernel crash leads to a denial of service (DoS) condition, making the affected system unstable or unavailable until it is rebooted.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is caused by the mvpp2_bm_switch_buffers() function unconditionally calling mvpp2_bm_pool_update_priv_fc() without checking if priv->global_tx_fc is true, which can lead to a NULL pointer dereference and kernel crash.

To mitigate this vulnerability, ensure that the missing guard check for priv->global_tx_fc is added to the disable and re-enable calls in mvpp2_bm_switch_buffers(), consistent with the rest of the driver.

This typically involves updating the Linux kernel to a version where this fix is applied or applying the patch that adds the missing guard.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability causes a kernel crash due to a NULL pointer dereference when certain operations trigger mvpp2_bm_switch_buffers(), such as changing the MTU across the jumbo frame threshold.

Detection can involve monitoring for kernel crash logs or oops messages indicating a NULL pointer dereference related to mvpp2_cm3_read or mvpp2_bm_switch_buffers.

Specifically, look for kernel messages containing lines like "Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000" and call traces referencing mvpp2_cm3_read, mvpp2_bm_pool_update_priv_fc, or mvpp2_bm_switch_buffers.

General Linux commands for checking kernel logs can be used, such as:

  • dmesg | grep -i 'mvpp2_cm3_read'
  • journalctl -k | grep -i 'NULL pointer dereference'
  • grep -i 'mvpp2_bm_switch_buffers' /var/log/kern.log

Additionally, monitoring for MTU changes on affected network interfaces might help identify triggering events.
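
The log check described above, as an added example that is not part of the original page: a POSIX shell function that groups each NULL-dereference oops and reports a match only when its trace contains both mvpp2_cm3_read and mvpp2_bm_switch_buffers, which avoids the false positives of a bare grep for "NULL pointer dereference". The function names, the output format and the sample log are assumptions; the second sample oops copies frames from the description, the first is constructed.

```shell
#!/bin/sh
# Added example: classify each NULL-dereference oops in a kernel log (stdin).
# An oops is a MATCH only if its trace shows mvpp2_cm3_read reached through
# mvpp2_bm_switch_buffers, the path named in the description.
scan_mvpp2_oops() {
    awk '
    function emit() {
        if (!in_oops) return
        if (cm3 && sw)
            print "MATCH line=" start " trigger=" (mtu ? "mtu-change" : "other")
        else
            print "UNRELATED line=" start
        in_oops = cm3 = sw = mtu = 0
    }
    # A new oops header closes any record still open and starts the next one.
    /Unable to handle kernel NULL pointer dereference/ {
        emit(); in_oops = 1; start = NR; next
    }
    in_oops && /mvpp2_cm3_read/          { cm3 = 1 }
    in_oops && /mvpp2_bm_switch_buffers/ { sw = 1 }
    in_oops && /mvpp2_change_mtu/        { mtu = 1 }
    in_oops && /---\[ end trace/         { emit() }
    END { emit() }
    '
}

# Constructed sample log: timestamps and the first oops are made up,
# the mvpp2 frames in the second oops are taken from the description.
sample_log() {
    cat <<'EOF'
[  101.000001] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
[  101.000002] pc : example_drv_read+0x10/0x40
[  101.000003] Call trace:
[  101.000004]  example_drv_read+0x10/0x40
[  101.000005] ---[ end trace 0000000000000000 ]---
[  245.000001] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[  245.000002] pc : readl+0x0/0x18
[  245.000003] lr : mvpp2_cm3_read.isra.0+0x14/0x20
[  245.000004] Call trace:
[  245.000005]  readl+0x0/0x18
[  245.000006]  mvpp2_bm_pool_update_priv_fc+0x94/0xd8
[  245.000007]  mvpp2_bm_switch_buffers.isra.0+0x80/0x1c0
[  245.000008]  mvpp2_change_mtu+0x140/0x380
EOF
}

sample_log | scan_mvpp2_oops
```

On a live system the same function reads from `dmesg` or `journalctl -k` through a pipe; the `line=` value is the position of the oops header in whatever input was supplied.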

