CVE-2023-54156
Description
In the Linux kernel, the following vulnerability has been resolved:
sfc: fix crash when reading stats while NIC is resetting
efx_net_stats() (.ndo_get_stats64) can be called during an ethtool selftest, during which time nic_data->mc_stats is NULL as the NIC has been fini'd. In this case do not attempt to fetch the latest stats from the hardware, else we will crash on a NULL dereference:
    BUG: kernel NULL pointer dereference, address: 0000000000000038
    RIP efx_nic_update_stats
    abridged calltrace:
    efx_ef10_update_stats_pf
    efx_net_stats
    dev_get_stats
    dev_seq_printf_stats
Skipping the read is safe, we will simply give out stale stats.
To ensure that the free in efx_ef10_fini_nic() does not race against efx_ef10_update_stats_pf(), which could cause a TOCTTOU bug, take the efx->stats_lock in fini_nic (it is already held across update_stats).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel sfc driver crashes on NULL dereference when reading stats during NIC reset; fix skips stats fetch and locks properly.
Vulnerability
In the Linux kernel's sfc (Solarflare) network driver, a NULL pointer dereference can occur when efx_net_stats() is called while the NIC is being reset. During a reset (e.g., during an ethtool selftest), nic_data->mc_stats is freed and set to NULL. If statistics are requested at this time, the driver attempts to update hardware stats via efx_nic_update_stats(), leading to a crash [1][2].
Exploitation
The crash occurs when a local attacker or system process triggers a NIC reset (e.g., via ethtool selftest) and simultaneously reads network statistics (e.g., via ip link or /proc/net/dev). No special privileges are required beyond the ability to trigger a reset and read stats, which is typically available to unprivileged users on many systems. The race condition is a classic Time-of-Check Time-of-Use (TOCTOU) bug, where the stats pointer becomes NULL between validation and use [2].
Impact
Successful exploitation results in a kernel NULL pointer dereference, causing a system crash (denial of service). An attacker could repeatedly trigger this to cause persistent system unavailability. No code execution is expected, but the crash can disrupt operations. The vulnerability affects all Linux kernel versions with the sfc driver prior to the fix [1][2].
Mitigation
The fix, included in stable kernel updates, adds a check to skip stats update when mc_stats is NULL and ensures stats_lock is held during efx_ef10_fini_nic() to prevent the race [1][2]. Users should apply the latest kernel updates from their distribution. No workaround other than avoiding simultaneous reset and stats reads is available.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
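The locking pattern described under Mitigation, as an added userspace model in C. It is not the sfc driver's code and not part of the original page: a pthread mutex stands in for efx->stats_lock, and struct model_nic and every model_* function are hypothetical names.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdlib.h>

struct model_nic {              /* hypothetical stand-in, not sfc source */
    pthread_mutex_t stats_lock; /* plays the role of efx->stats_lock */
    uint64_t *mc_stats;         /* plays the role of nic_data->mc_stats */
    uint64_t cached;            /* last value handed to readers */
};

/* Teardown: free and clear the buffer only with stats_lock held. */
void model_fini_nic(struct model_nic *nic)
{
    pthread_mutex_lock(&nic->stats_lock);
    free(nic->mc_stats);
    nic->mc_stats = NULL;
    pthread_mutex_unlock(&nic->stats_lock);
}

/* Reader: NULL check and dereference under one lock; stale value if gone. */
uint64_t model_net_stats(struct model_nic *nic)
{
    pthread_mutex_lock(&nic->stats_lock);
    if (nic->mc_stats)
        nic->cached = *nic->mc_stats;
    uint64_t out = nic->cached;
    pthread_mutex_unlock(&nic->stats_lock);
    return out;
}

static void *model_reader(void *arg)
{
    for (int i = 0; i < 100000; i++)
        model_net_stats(arg);
    return NULL;
}

/* Constructed scenario: reads race a teardown; returns the post-fini read. */
uint64_t model_race_demo(uint64_t hw_value)
{
    struct model_nic nic = { PTHREAD_MUTEX_INITIALIZER, malloc(sizeof(uint64_t)), 0 };
    pthread_t t;
    if (nic.mc_stats) *nic.mc_stats = hw_value;
    model_net_stats(&nic); /* fill the cache before the race starts */
    int started = pthread_create(&t, NULL, model_reader, &nic) == 0;
    model_fini_nic(&nic);
    if (started) pthread_join(t, NULL);
    return model_net_stats(&nic);
}
```

Dropping the lock from model_fini_nic() reintroduces the window in which a reader passes the NULL check and then dereferences a freed buffer.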
Affected products
1
Patches
6: cb1aa7cc562c, 91f4ef204e73, 446f55679343, 470152d76b3e, aba32b4c5811, d1b355438b83
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6
- git.kernel.org/stable/c/446f5567934331923d0aec4ce045e4ecb0174aae (nvd)
- git.kernel.org/stable/c/470152d76b3ed107d172ea46acc4bfa941f20b4b (nvd)
- git.kernel.org/stable/c/91f4ef204e731565afdc6c2a7fcf509a3fd6fd67 (nvd)
- git.kernel.org/stable/c/aba32b4c58112960c0c708703ca6b44dc8944082 (nvd)
- git.kernel.org/stable/c/cb1aa7cc562cab6a87ea33574c8c65f2d2fd7aeb (nvd)
- git.kernel.org/stable/c/d1b355438b8325a486f087e506d412c4e852f37b (nvd)