CVE-2026-22993 (GCVE-0-2026-22993)

Vulnerability from cvelistv5 – Published: 2026-01-23 15:24 – Updated: 2026-01-23 15:24
VLAI?
Title
idpf: Fix RSS LUT NULL ptr issue after soft reset
Summary
In the Linux kernel, the following vulnerability has been resolved: idpf: Fix RSS LUT NULL ptr issue after soft reset During soft reset, the RSS LUT is freed and not restored unless the interface is up. If an ethtool command that accesses the rss lut is attempted immediately after reset, it will result in NULL ptr dereference. Also, there is no need to reset the rss lut if the soft reset does not involve queue count change. After soft reset, set the RSS LUT to default values based on the updated queue count only if the reset was a result of a queue count change and the LUT was not configured by the user. In all other cases, don't touch the LUT. Steps to reproduce: ** Bring the interface down (if up) ifconfig eth1 down ** update the queue count (eg., 27->20) ethtool -L eth1 combined 20 ** display the RSS LUT ethtool -x eth1 [82375.558338] BUG: kernel NULL pointer dereference, address: 0000000000000000 [82375.558373] #PF: supervisor read access in kernel mode [82375.558391] #PF: error_code(0x0000) - not-present page [82375.558408] PGD 0 P4D 0 [82375.558421] Oops: Oops: 0000 [#1] SMP NOPTI <snip> [82375.558516] RIP: 0010:idpf_get_rxfh+0x108/0x150 [idpf] [82375.558786] Call Trace: [82375.558793] <TASK> [82375.558804] rss_prepare.isra.0+0x187/0x2a0 [82375.558827] rss_prepare_data+0x3a/0x50 [82375.558845] ethnl_default_doit+0x13d/0x3e0 [82375.558863] genl_family_rcv_msg_doit+0x11f/0x180 [82375.558886] genl_rcv_msg+0x1ad/0x2b0 [82375.558902] ? __pfx_ethnl_default_doit+0x10/0x10 [82375.558920] ? __pfx_genl_rcv_msg+0x10/0x10 [82375.558937] netlink_rcv_skb+0x58/0x100 [82375.558957] genl_rcv+0x2c/0x50 [82375.558971] netlink_unicast+0x289/0x3e0 [82375.558988] netlink_sendmsg+0x215/0x440 [82375.559005] __sys_sendto+0x234/0x240 [82375.559555] __x64_sys_sendto+0x28/0x30 [82375.560068] x64_sys_call+0x1909/0x1da0 [82375.560576] do_syscall_64+0x7a/0xfa0 [82375.561076] ? clear_bhb_loop+0x60/0xb0 [82375.561567] entry_SYSCALL_64_after_hwframe+0x76/0x7e <snip>
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 02cbfba1add5bd9088c7d14c6b93b77a6ea8f3bb , < ab92fa4dd81beaaed4e93a851f7a37c9b2d9776f (git)
Affected: 02cbfba1add5bd9088c7d14c6b93b77a6ea8f3bb , < ebecca5b093895da801b3eba1a55b4ec4027d196 (git)
Create a notification for this product.
    Linux Linux Affected: 6.7
Unaffected: 0 , < 6.7 (semver)
Unaffected: 6.18.6 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc5 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/idpf/idpf_lib.c",
            "drivers/net/ethernet/intel/idpf/idpf_txrx.c",
            "drivers/net/ethernet/intel/idpf/idpf_txrx.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ab92fa4dd81beaaed4e93a851f7a37c9b2d9776f",
              "status": "affected",
              "version": "02cbfba1add5bd9088c7d14c6b93b77a6ea8f3bb",
              "versionType": "git"
            },
            {
              "lessThan": "ebecca5b093895da801b3eba1a55b4ec4027d196",
              "status": "affected",
              "version": "02cbfba1add5bd9088c7d14c6b93b77a6ea8f3bb",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/idpf/idpf_lib.c",
            "drivers/net/ethernet/intel/idpf/idpf_txrx.c",
            "drivers/net/ethernet/intel/idpf/idpf_txrx.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc5",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.6",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc5",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: Fix RSS LUT NULL ptr issue after soft reset\n\nDuring soft reset, the RSS LUT is freed and not restored unless the\ninterface is up. If an ethtool command that accesses the rss lut is\nattempted immediately after reset, it will result in NULL ptr\ndereference. Also, there is no need to reset the rss lut if the soft reset\ndoes not involve queue count change.\n\nAfter soft reset, set the RSS LUT to default values based on the updated\nqueue count only if the reset was a result of a queue count change and\nthe LUT was not configured by the user. In all other cases, don\u0027t touch\nthe LUT.\n\nSteps to reproduce:\n\n** Bring the interface down (if up)\nifconfig eth1 down\n\n** update the queue count (eg., 27-\u003e20)\nethtool -L eth1 combined 20\n\n** display the RSS LUT\nethtool -x eth1\n\n[82375.558338] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[82375.558373] #PF: supervisor read access in kernel mode\n[82375.558391] #PF: error_code(0x0000) - not-present page\n[82375.558408] PGD 0 P4D 0\n[82375.558421] Oops: Oops: 0000 [#1] SMP NOPTI\n\u003csnip\u003e\n[82375.558516] RIP: 0010:idpf_get_rxfh+0x108/0x150 [idpf]\n[82375.558786] Call Trace:\n[82375.558793]  \u003cTASK\u003e\n[82375.558804]  rss_prepare.isra.0+0x187/0x2a0\n[82375.558827]  rss_prepare_data+0x3a/0x50\n[82375.558845]  ethnl_default_doit+0x13d/0x3e0\n[82375.558863]  genl_family_rcv_msg_doit+0x11f/0x180\n[82375.558886]  genl_rcv_msg+0x1ad/0x2b0\n[82375.558902]  ? __pfx_ethnl_default_doit+0x10/0x10\n[82375.558920]  ? __pfx_genl_rcv_msg+0x10/0x10\n[82375.558937]  netlink_rcv_skb+0x58/0x100\n[82375.558957]  genl_rcv+0x2c/0x50\n[82375.558971]  netlink_unicast+0x289/0x3e0\n[82375.558988]  netlink_sendmsg+0x215/0x440\n[82375.559005]  __sys_sendto+0x234/0x240\n[82375.559555]  __x64_sys_sendto+0x28/0x30\n[82375.560068]  x64_sys_call+0x1909/0x1da0\n[82375.560576]  do_syscall_64+0x7a/0xfa0\n[82375.561076]  ? clear_bhb_loop+0x60/0xb0\n[82375.561567]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\u003csnip\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-23T15:24:13.790Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ab92fa4dd81beaaed4e93a851f7a37c9b2d9776f"
        },
        {
          "url": "https://git.kernel.org/stable/c/ebecca5b093895da801b3eba1a55b4ec4027d196"
        }
      ],
      "title": "idpf: Fix RSS LUT NULL ptr issue after soft reset",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-22993",
    "datePublished": "2026-01-23T15:24:13.790Z",
    "dateReserved": "2026-01-13T15:37:45.937Z",
    "dateUpdated": "2026-01-23T15:24:13.790Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-22993\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-01-23T16:15:55.393\",\"lastModified\":\"2026-01-26T15:03:33.357\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nidpf: Fix RSS LUT NULL ptr issue after soft reset\\n\\nDuring soft reset, the RSS LUT is freed and not restored unless the\\ninterface is up. If an ethtool command that accesses the rss lut is\\nattempted immediately after reset, it will result in NULL ptr\\ndereference. Also, there is no need to reset the rss lut if the soft reset\\ndoes not involve queue count change.\\n\\nAfter soft reset, set the RSS LUT to default values based on the updated\\nqueue count only if the reset was a result of a queue count change and\\nthe LUT was not configured by the user. In all other cases, don\u0027t touch\\nthe LUT.\\n\\nSteps to reproduce:\\n\\n** Bring the interface down (if up)\\nifconfig eth1 down\\n\\n** update the queue count (eg., 27-\u003e20)\\nethtool -L eth1 combined 20\\n\\n** display the RSS LUT\\nethtool -x eth1\\n\\n[82375.558338] BUG: kernel NULL pointer dereference, address: 0000000000000000\\n[82375.558373] #PF: supervisor read access in kernel mode\\n[82375.558391] #PF: error_code(0x0000) - not-present page\\n[82375.558408] PGD 0 P4D 0\\n[82375.558421] Oops: Oops: 0000 [#1] SMP NOPTI\\n\u003csnip\u003e\\n[82375.558516] RIP: 0010:idpf_get_rxfh+0x108/0x150 [idpf]\\n[82375.558786] Call Trace:\\n[82375.558793]  \u003cTASK\u003e\\n[82375.558804]  rss_prepare.isra.0+0x187/0x2a0\\n[82375.558827]  rss_prepare_data+0x3a/0x50\\n[82375.558845]  ethnl_default_doit+0x13d/0x3e0\\n[82375.558863]  genl_family_rcv_msg_doit+0x11f/0x180\\n[82375.558886]  genl_rcv_msg+0x1ad/0x2b0\\n[82375.558902]  ? __pfx_ethnl_default_doit+0x10/0x10\\n[82375.558920]  ? __pfx_genl_rcv_msg+0x10/0x10\\n[82375.558937]  netlink_rcv_skb+0x58/0x100\\n[82375.558957]  genl_rcv+0x2c/0x50\\n[82375.558971]  netlink_unicast+0x289/0x3e0\\n[82375.558988]  netlink_sendmsg+0x215/0x440\\n[82375.559005]  __sys_sendto+0x234/0x240\\n[82375.559555]  __x64_sys_sendto+0x28/0x30\\n[82375.560068]  x64_sys_call+0x1909/0x1da0\\n[82375.560576]  do_syscall_64+0x7a/0xfa0\\n[82375.561076]  ? clear_bhb_loop+0x60/0xb0\\n[82375.561567]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\\n\u003csnip\u003e\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/ab92fa4dd81beaaed4e93a851f7a37c9b2d9776f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ebecca5b093895da801b3eba1a55b4ec4027d196\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.