CVE-2026-45977
Analyzed Analyzed - Analysis Complete
Race Condition in Linux Kernel fbnic Driver

Publication date: 2026-05-27

Last updated on: 2026-06-16

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: fbnic: close fw_log race between users and teardown Fixes a theoretical race on fw_log between the teardown path and fw_log write functions. fw_log is written inside fbnic_fw_log_write() and can be reached from the mailbox handler fbnic_fw_msix_intr(), but fw_log is freed before IRQ/MBX teardown during cleanup, resulting in a potential data race of dereferencing a freed/null variable. Possible Interleaving Scenario: CPU0: fbnic_fw_msix_intr() // Entry fbnic_fw_log_write() if (fbnic_fw_log_ready()) // true ... preempt ... CPU1: fbnic_remove() // Entry fbnic_fw_log_free() vfree(log->data_start); log->data_start = NULL; CPU0: continues, walks log->entries or writes to log->data_start The initialization also has an incorrect order problem, as the fw_log is currently allocated after MBX setup during initialization. Fix the problems by adjusting the synchronization order to put initialization in place before the mailbox is enabled, and not cleared until after the mailbox has been disabled.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-06-16
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-45977
EUVD
EUVD-2026-32261
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.19 (inc) to 6.19.4 (exc)
linux linux_kernel From 6.17 (inc) to 6.18.14 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's fbnic driver and involves a race condition between the fw_log write operations and the teardown process. Specifically, the fw_log data structure can be accessed and written to by an interrupt handler while it is simultaneously being freed during device removal, leading to a potential use-after-free or dereferencing of a null pointer.

The problem arises because fw_log is freed before the interrupt request (IRQ) and mailbox (MBX) teardown is complete. This can cause the system to attempt to write to or read from memory that has already been freed or set to NULL, resulting in undefined behavior or crashes.

The fix involves adjusting the order of initialization and teardown to ensure that fw_log is allocated before the mailbox is enabled and not freed until after the mailbox has been disabled, preventing the race condition.

Impact Analysis

This vulnerability can lead to system instability or crashes due to the race condition causing use-after-free errors or null pointer dereferences in the Linux kernel's fbnic driver.

Such instability could potentially result in denial of service (DoS) conditions where the affected system or device becomes unresponsive or crashes unexpectedly.

Mitigation Strategies

The vulnerability involves a race condition in the fbnic driver in the Linux kernel related to the fw_log data structure being accessed after it is freed during teardown.

Immediate mitigation steps include updating the Linux kernel to a version where this issue is fixed, as the fix involves adjusting the synchronization order to ensure fw_log is initialized before mailbox setup and only cleared after mailbox teardown.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45977. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart