FKIE_CVE-2026-22993

Vulnerability from fkie_nvd - Published: 2026-01-23 16:15 - Updated: 2026-01-26 15:03
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: idpf: Fix RSS LUT NULL ptr issue after soft reset During soft reset, the RSS LUT is freed and not restored unless the interface is up. If an ethtool command that accesses the rss lut is attempted immediately after reset, it will result in NULL ptr dereference. Also, there is no need to reset the rss lut if the soft reset does not involve queue count change. After soft reset, set the RSS LUT to default values based on the updated queue count only if the reset was a result of a queue count change and the LUT was not configured by the user. In all other cases, don't touch the LUT. Steps to reproduce: ** Bring the interface down (if up) ifconfig eth1 down ** update the queue count (eg., 27->20) ethtool -L eth1 combined 20 ** display the RSS LUT ethtool -x eth1 [82375.558338] BUG: kernel NULL pointer dereference, address: 0000000000000000 [82375.558373] #PF: supervisor read access in kernel mode [82375.558391] #PF: error_code(0x0000) - not-present page [82375.558408] PGD 0 P4D 0 [82375.558421] Oops: Oops: 0000 [#1] SMP NOPTI <snip> [82375.558516] RIP: 0010:idpf_get_rxfh+0x108/0x150 [idpf] [82375.558786] Call Trace: [82375.558793] <TASK> [82375.558804] rss_prepare.isra.0+0x187/0x2a0 [82375.558827] rss_prepare_data+0x3a/0x50 [82375.558845] ethnl_default_doit+0x13d/0x3e0 [82375.558863] genl_family_rcv_msg_doit+0x11f/0x180 [82375.558886] genl_rcv_msg+0x1ad/0x2b0 [82375.558902] ? __pfx_ethnl_default_doit+0x10/0x10 [82375.558920] ? __pfx_genl_rcv_msg+0x10/0x10 [82375.558937] netlink_rcv_skb+0x58/0x100 [82375.558957] genl_rcv+0x2c/0x50 [82375.558971] netlink_unicast+0x289/0x3e0 [82375.558988] netlink_sendmsg+0x215/0x440 [82375.559005] __sys_sendto+0x234/0x240 [82375.559555] __x64_sys_sendto+0x28/0x30 [82375.560068] x64_sys_call+0x1909/0x1da0 [82375.560576] do_syscall_64+0x7a/0xfa0 [82375.561076] ? clear_bhb_loop+0x60/0xb0 [82375.561567] entry_SYSCALL_64_after_hwframe+0x76/0x7e <snip>
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ab92fa4dd81beaaed4e93a851f7a37c9b2d9776f
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ebecca5b093895da801b3eba1a55b4ec4027d196
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: Fix RSS LUT NULL ptr issue after soft reset\n\nDuring soft reset, the RSS LUT is freed and not restored unless the\ninterface is up. If an ethtool command that accesses the rss lut is\nattempted immediately after reset, it will result in NULL ptr\ndereference. Also, there is no need to reset the rss lut if the soft reset\ndoes not involve queue count change.\n\nAfter soft reset, set the RSS LUT to default values based on the updated\nqueue count only if the reset was a result of a queue count change and\nthe LUT was not configured by the user. In all other cases, don\u0027t touch\nthe LUT.\n\nSteps to reproduce:\n\n** Bring the interface down (if up)\nifconfig eth1 down\n\n** update the queue count (eg., 27-\u003e20)\nethtool -L eth1 combined 20\n\n** display the RSS LUT\nethtool -x eth1\n\n[82375.558338] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[82375.558373] #PF: supervisor read access in kernel mode\n[82375.558391] #PF: error_code(0x0000) - not-present page\n[82375.558408] PGD 0 P4D 0\n[82375.558421] Oops: Oops: 0000 [#1] SMP NOPTI\n\u003csnip\u003e\n[82375.558516] RIP: 0010:idpf_get_rxfh+0x108/0x150 [idpf]\n[82375.558786] Call Trace:\n[82375.558793]  \u003cTASK\u003e\n[82375.558804]  rss_prepare.isra.0+0x187/0x2a0\n[82375.558827]  rss_prepare_data+0x3a/0x50\n[82375.558845]  ethnl_default_doit+0x13d/0x3e0\n[82375.558863]  genl_family_rcv_msg_doit+0x11f/0x180\n[82375.558886]  genl_rcv_msg+0x1ad/0x2b0\n[82375.558902]  ? __pfx_ethnl_default_doit+0x10/0x10\n[82375.558920]  ? __pfx_genl_rcv_msg+0x10/0x10\n[82375.558937]  netlink_rcv_skb+0x58/0x100\n[82375.558957]  genl_rcv+0x2c/0x50\n[82375.558971]  netlink_unicast+0x289/0x3e0\n[82375.558988]  netlink_sendmsg+0x215/0x440\n[82375.559005]  __sys_sendto+0x234/0x240\n[82375.559555]  __x64_sys_sendto+0x28/0x30\n[82375.560068]  x64_sys_call+0x1909/0x1da0\n[82375.560576]  do_syscall_64+0x7a/0xfa0\n[82375.561076]  ? clear_bhb_loop+0x60/0xb0\n[82375.561567]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\u003csnip\u003e"
    }
  ],
  "id": "CVE-2026-22993",
  "lastModified": "2026-01-26T15:03:33.357",
  "metrics": {},
  "published": "2026-01-23T16:15:55.393",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/ab92fa4dd81beaaed4e93a851f7a37c9b2d9776f"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/ebecca5b093895da801b3eba1a55b4ec4027d196"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.