CVE-2026-23035
- Source
- https://cve.org/CVERecord?id=CVE-2026-23035
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23035.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-23035
- Downstream
- Published
- 2026-01-31T11:42:29.960Z
- Modified
- 2026-02-10T08:33:20.218407Z
- Summary
- net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Pass netdev to mlx5edestroynetdev instead of priv
mlx5e_priv is an unstable structure that can be memset(0) if profile attaching fails.
Pass netdev to mlx5edestroynetdev() to guarantee it will work on a valid netdev.
On mlx5e_remove: Check validity of priv->profile, before attempting to cleanup any resources that might be not there.
This fixes a kernel oops in mlx5e_remove when switchdev mode fails due to change profile failure.
$ devlink dev eswitch set pci/0000:00:03.0 mode switchdev Error: mlx5core: Failed setting eswitch to offloads. dmesg: workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR mlx5core 0012:03:00.1: mlx5enetdevinitprofile:6214:(pid 37199): mlx5eprivinit failed, err=-12 mlx5core 0012:03:00.1 gpu3rdma1: mlx5enetdevchangeprofile: new profile init failed, -12 workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR mlx5core 0012:03:00.1: mlx5enetdevinitprofile:6214:(pid 37199): mlx5eprivinit failed, err=-12 mlx5core 0012:03:00.1 gpu3rdma1: mlx5enetdevchange_profile: failed to rollback to orig profile, -12
$ devlink dev reload pci/0000:00:03.0 ==> oops
BUG: kernel NULL pointer dereference, address: 0000000000000370 PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 15 UID: 0 PID: 520 Comm: devlink Not tainted 6.18.0-rc5+ #115 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:mlx5edcbnldscpapp+0x23/0x100 RSP: 0018:ffffc9000083f8b8 EFLAGS: 00010286 RAX: ffff8881126fc380 RBX: ffff8881015ac400 RCX: ffffffff826ffc45 RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8881035109c0 RBP: ffff8881035109c0 R08: ffff888101e3e838 R09: ffff888100264e10 R10: ffffc9000083f898 R11: ffffc9000083f8a0 R12: ffff888101b921a0 R13: ffff888101b921a0 R14: ffff8881015ac9a0 R15: ffff8881015ac400 FS: 00007f789a3c8740(0000) GS:ffff88856aa59000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000370 CR3: 000000010b6c0001 CR4: 0000000000370ef0 Call Trace: <TASK> mlx5eremove+0x57/0x110 devicereleasedriverinternal+0x19c/0x200 busremovedevice+0xc6/0x130 devicedel+0x160/0x3d0 ? devlparamdriverinitvalueget+0x2d/0x90 mlx5detachdevice+0x89/0xe0 mlx5unloadonedevllocked+0x3a/0x70 mlx5devlinkreloaddown+0xc8/0x220 devlinkreload+0x7d/0x260 devlinknlreloaddoit+0x45b/0x5a0 genlfamilyrcvmsg_doit+0xe8/0x140
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23035.json", "cna_assigner": "Linux" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/4ef8512e1427111f7ba92b4a847d181ff0aeec42
- https://git.kernel.org/stable/c/66a25f6b7c0bfd84e6d27b536f5d24116dbd52da
- https://git.kernel.org/stable/c/a7625bacaa8c8c2bfcde6dd6d1397bd63ad82b02
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23035.json
- https://nvd.nist.gov/vuln/detail/CVE-2026-23035
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedc4d7eb57687f358cd498ea3624519236af8db97eFixeda7625bacaa8c8c2bfcde6dd6d1397bd63ad82b02Fixed66a25f6b7c0bfd84e6d27b536f5d24116dbd52daFixed4ef8512e1427111f7ba92b4a847d181ff0aeec42