CVE-2026-23017 (GCVE-0-2026-23017)

Vulnerability from cvelistv5 – Published: 2026-01-31 11:39 – Updated: 2026-01-31 11:39
VLAI?
Title
idpf: fix error handling in the init_task on load
Summary
In the Linux kernel, the following vulnerability has been resolved: idpf: fix error handling in the init_task on load If the init_task fails during a driver load, we end up without vports and netdevs, effectively failing the entire process. In that state a subsequent reset will result in a crash as the service task attempts to access uninitialized resources. Following trace is from an error in the init_task where the CREATE_VPORT (op 501) is rejected by the FW: [40922.763136] idpf 0000:83:00.0: Device HW Reset initiated [40924.449797] idpf 0000:83:00.0: Transaction failed (op 501) [40958.148190] idpf 0000:83:00.0: HW reset detected [40958.161202] BUG: kernel NULL pointer dereference, address: 00000000000000a8 ... [40958.168094] Workqueue: idpf-0000:83:00.0-vc_event idpf_vc_event_task [idpf] [40958.168865] RIP: 0010:idpf_vc_event_task+0x9b/0x350 [idpf] ... [40958.177932] Call Trace: [40958.178491] <TASK> [40958.179040] process_one_work+0x226/0x6d0 [40958.179609] worker_thread+0x19e/0x340 [40958.180158] ? __pfx_worker_thread+0x10/0x10 [40958.180702] kthread+0x10f/0x250 [40958.181238] ? __pfx_kthread+0x10/0x10 [40958.181774] ret_from_fork+0x251/0x2b0 [40958.182307] ? __pfx_kthread+0x10/0x10 [40958.182834] ret_from_fork_asm+0x1a/0x30 [40958.183370] </TASK> Fix the error handling in the init_task to make sure the service and mailbox tasks are disabled if the error happens during load. These are started in idpf_vc_core_init(), which spawns the init_task and has no way of knowing if it failed. If the error happens on reset, following successful driver load, the tasks can still run, as that will allow the netdevs to attempt recovery through another reset. Stop the PTP callbacks either way as those will be restarted by the call to idpf_vc_core_init() during a successful reset.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 0fe45467a1041ea3657a7fa3a791c84c104fbd34 , < a514c374edcd33581cdcccf8faa7cc606a600319 (git)
Affected: 0fe45467a1041ea3657a7fa3a791c84c104fbd34 , < 4d792219fe6f891b5b557a607ac8a0a14eda6e38 (git)
Create a notification for this product.
    Linux Linux Affected: 6.7
Unaffected: 0 , < 6.7 (semver)
Unaffected: 6.18.6 , ≤ 6.18.* (semver)
Unaffected: 6.19-rc5 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/idpf/idpf_lib.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a514c374edcd33581cdcccf8faa7cc606a600319",
              "status": "affected",
              "version": "0fe45467a1041ea3657a7fa3a791c84c104fbd34",
              "versionType": "git"
            },
            {
              "lessThan": "4d792219fe6f891b5b557a607ac8a0a14eda6e38",
              "status": "affected",
              "version": "0fe45467a1041ea3657a7fa3a791c84c104fbd34",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/idpf/idpf_lib.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.19-rc5",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.6",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19-rc5",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix error handling in the init_task on load\n\nIf the init_task fails during a driver load, we end up without vports and\nnetdevs, effectively failing the entire process. In that state a\nsubsequent reset will result in a crash as the service task attempts to\naccess uninitialized resources. Following trace is from an error in the\ninit_task where the CREATE_VPORT (op 501) is rejected by the FW:\n\n[40922.763136] idpf 0000:83:00.0: Device HW Reset initiated\n[40924.449797] idpf 0000:83:00.0: Transaction failed (op 501)\n[40958.148190] idpf 0000:83:00.0: HW reset detected\n[40958.161202] BUG: kernel NULL pointer dereference, address: 00000000000000a8\n...\n[40958.168094] Workqueue: idpf-0000:83:00.0-vc_event idpf_vc_event_task [idpf]\n[40958.168865] RIP: 0010:idpf_vc_event_task+0x9b/0x350 [idpf]\n...\n[40958.177932] Call Trace:\n[40958.178491]  \u003cTASK\u003e\n[40958.179040]  process_one_work+0x226/0x6d0\n[40958.179609]  worker_thread+0x19e/0x340\n[40958.180158]  ? __pfx_worker_thread+0x10/0x10\n[40958.180702]  kthread+0x10f/0x250\n[40958.181238]  ? __pfx_kthread+0x10/0x10\n[40958.181774]  ret_from_fork+0x251/0x2b0\n[40958.182307]  ? __pfx_kthread+0x10/0x10\n[40958.182834]  ret_from_fork_asm+0x1a/0x30\n[40958.183370]  \u003c/TASK\u003e\n\nFix the error handling in the init_task to make sure the service and\nmailbox tasks are disabled if the error happens during load. These are\nstarted in idpf_vc_core_init(), which spawns the init_task and has no way\nof knowing if it failed. If the error happens on reset, following\nsuccessful driver load, the tasks can still run, as that will allow the\nnetdevs to attempt recovery through another reset. Stop the PTP callbacks\neither way as those will be restarted by the call to idpf_vc_core_init()\nduring a successful reset."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-31T11:39:01.204Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a514c374edcd33581cdcccf8faa7cc606a600319"
        },
        {
          "url": "https://git.kernel.org/stable/c/4d792219fe6f891b5b557a607ac8a0a14eda6e38"
        }
      ],
      "title": "idpf: fix error handling in the init_task on load",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-23017",
    "datePublished": "2026-01-31T11:39:01.204Z",
    "dateReserved": "2026-01-13T15:37:45.940Z",
    "dateUpdated": "2026-01-31T11:39:01.204Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-23017\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-01-31T12:16:05.000\",\"lastModified\":\"2026-01-31T12:16:05.000\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nidpf: fix error handling in the init_task on load\\n\\nIf the init_task fails during a driver load, we end up without vports and\\nnetdevs, effectively failing the entire process. In that state a\\nsubsequent reset will result in a crash as the service task attempts to\\naccess uninitialized resources. Following trace is from an error in the\\ninit_task where the CREATE_VPORT (op 501) is rejected by the FW:\\n\\n[40922.763136] idpf 0000:83:00.0: Device HW Reset initiated\\n[40924.449797] idpf 0000:83:00.0: Transaction failed (op 501)\\n[40958.148190] idpf 0000:83:00.0: HW reset detected\\n[40958.161202] BUG: kernel NULL pointer dereference, address: 00000000000000a8\\n...\\n[40958.168094] Workqueue: idpf-0000:83:00.0-vc_event idpf_vc_event_task [idpf]\\n[40958.168865] RIP: 0010:idpf_vc_event_task+0x9b/0x350 [idpf]\\n...\\n[40958.177932] Call Trace:\\n[40958.178491]  \u003cTASK\u003e\\n[40958.179040]  process_one_work+0x226/0x6d0\\n[40958.179609]  worker_thread+0x19e/0x340\\n[40958.180158]  ? __pfx_worker_thread+0x10/0x10\\n[40958.180702]  kthread+0x10f/0x250\\n[40958.181238]  ? __pfx_kthread+0x10/0x10\\n[40958.181774]  ret_from_fork+0x251/0x2b0\\n[40958.182307]  ? __pfx_kthread+0x10/0x10\\n[40958.182834]  ret_from_fork_asm+0x1a/0x30\\n[40958.183370]  \u003c/TASK\u003e\\n\\nFix the error handling in the init_task to make sure the service and\\nmailbox tasks are disabled if the error happens during load. These are\\nstarted in idpf_vc_core_init(), which spawns the init_task and has no way\\nof knowing if it failed. If the error happens on reset, following\\nsuccessful driver load, the tasks can still run, as that will allow the\\nnetdevs to attempt recovery through another reset. Stop the PTP callbacks\\neither way as those will be restarted by the call to idpf_vc_core_init()\\nduring a successful reset.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/4d792219fe6f891b5b557a607ac8a0a14eda6e38\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a514c374edcd33581cdcccf8faa7cc606a600319\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.