CVE-2026-23035
Description
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv
mlx5e_priv is an unstable structure that can be memset(0) if profile attaching fails.
Pass netdev to mlx5e_destroy_netdev() to guarantee it will work on a valid netdev.
On mlx5e_remove: Check validity of priv->profile, before attempting to cleanup any resources that might be not there.
This fixes a kernel oops in mlx5e_remove when switchdev mode fails due to change profile failure.
$ devlink dev eswitch set pci/0000:00:03.0 mode switchdev
Error: mlx5_core: Failed setting eswitch to offloads.
dmesg:
workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12
mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12
workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12
mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12
$ devlink dev reload pci/0000:00:03.0 ==> oops
BUG: kernel NULL pointer dereference, address: 0000000000000370
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 15 UID: 0 PID: 520 Comm: devlink Not tainted 6.18.0-rc5+ #115 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014
RIP: 0010:mlx5e_dcbnl_dscp_app+0x23/0x100
RSP: 0018:ffffc9000083f8b8 EFLAGS: 00010286
RAX: ffff8881126fc380 RBX: ffff8881015ac400 RCX: ffffffff826ffc45
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8881035109c0
RBP: ffff8881035109c0 R08: ffff888101e3e838 R09: ffff888100264e10
R10: ffffc9000083f898 R11: ffffc9000083f8a0 R12: ffff888101b921a0
R13: ffff888101b921a0 R14: ffff8881015ac9a0 R15: ffff8881015ac400
FS:  00007f789a3c8740(0000) GS:ffff88856aa59000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000370 CR3: 000000010b6c0001 CR4: 0000000000370ef0
Call Trace:
 mlx5e_remove+0x57/0x110
 device_release_driver_internal+0x19c/0x200
 bus_remove_device+0xc6/0x130
 device_del+0x160/0x3d0
 ? devl_param_driverinit_value_get+0x2d/0x90
 mlx5_detach_device+0x89/0xe0
 mlx5_unload_one_devl_locked+0x3a/0x70
 mlx5_devlink_reload_down+0xc8/0x220
 devlink_reload+0x7d/0x260
 devlink_nl_reload_doit+0x45b/0x5a0
 genl_family_rcv_msg_doit+0xe8/0x140
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A NULL pointer dereference in the Linux kernel's mlx5e driver can be triggered when a switchdev mode change fails, leading to a system crash.
Vulnerability
Overview
CVE-2026-23035 is a vulnerability in the Linux kernel's mlx5e network driver. The root cause is that the mlx5e_priv structure can be zeroed out (memset(0)) if profile attaching fails, making it an unstable reference. mlx5e_destroy_netdev() was using this unstable priv pointer, leading to a NULL pointer dereference when fields of the zeroed structure were accessed. The fix passes a valid netdev pointer instead of priv to mlx5e_destroy_netdev(), and adds a check of priv->profile validity in mlx5e_remove before cleaning up resources [1].
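The lifecycle the commit message and the overview above describe, modelled as an added example in C (constructed stand-ins, not the kernel's mlx5e code): a profile change whose init fails zeroes priv, the pre-fix remove path that took priv would then dereference a NULL profile, and the fixed path takes netdev and checks priv->profile before any cleanup. Every struct member and function name here other than mlx5e_priv, mlx5e_remove and the profile field is an assumption for the model.

```c
#include <stdbool.h>
#include <string.h>

struct net_device;
/* Constructed stand-ins for the profile ops, mlx5e_priv and net_device; the real structs are far larger. */
struct mlx5e_profile { int (*init)(struct net_device *); void (*cleanup)(struct net_device *); };
struct mlx5e_priv { const struct mlx5e_profile *profile; int cleanups_run; }; /* profile is NULL after memset(0) */
struct net_device { struct mlx5e_priv priv; }; /* embedded, as netdev_priv() yields in the kernel */
struct outcome { bool unfixed_oops; int fixed_ret; }; /* what each remove path does after a sequence */

static int init_ok(struct net_device *n) { (void)n; return 0; }
static int init_enomem(struct net_device *n) { (void)n; return -12; } /* err=-12 as in the dmesg log */
static void profile_cleanup(struct net_device *n) { n->priv.cleanups_run++; }

/* Attach a profile; on failure priv is zeroed, the behaviour the commit message describes. */
static int attach_profile(struct net_device *netdev, const struct mlx5e_profile *p)
{
	int err = p->init(netdev);
	if (err) {
		memset(&netdev->priv, 0, sizeof(netdev->priv));
		return err;
	}
	netdev->priv.profile = p;
	return 0;
}
/* Pre-fix remove took priv and ran priv->profile->cleanup() with no check; true means that
 * dereference would have hit NULL (the oops). Reported here rather than performed. */
static bool remove_unfixed_would_oops(const struct mlx5e_priv *priv)
{
	return !priv->profile;
}
/* Fixed remove: take netdev, derive priv from it, and check profile before touching resources.
 * Returns 1 if cleanup ran, 0 if nothing was attached and cleanup was safely skipped. */
static int mlx5e_remove_fixed(struct net_device *netdev)
{
	struct mlx5e_priv *priv = &netdev->priv;
	if (!priv->profile)
		return 0;
	priv->profile->cleanup(netdev);
	return 1;
}
/* The log's sequence: working profile, a profile change whose init fails (zeroing priv), then remove. */
static struct outcome scenario(bool change_fails)
{
	static const struct mlx5e_profile good = { init_ok, profile_cleanup };
	static const struct mlx5e_profile bad = { init_enomem, profile_cleanup };
	struct net_device netdev;
	struct outcome o;
	memset(&netdev, 0, sizeof(netdev));
	attach_profile(&netdev, &good);
	attach_profile(&netdev, change_fails ? &bad : &good);
	o.unfixed_oops = remove_unfixed_would_oops(&netdev.priv);
	o.fixed_ret = mlx5e_remove_fixed(&netdev);
	return o;
}
```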
Exploitation
Scenario
The vulnerability is triggered when a user attempts to change the eswitch mode to switchdev via devlink dev eswitch set pci/... mode switchdev. If this operation fails (e.g., due to memory allocation failure, as shown in the dmesg log with -EINTR and -12 errors), the driver's internal state becomes corrupted. Subsequently, a devlink dev reload command on the same device will cause the kernel to dereference a NULL pointer, leading to an oops. The attack vector requires local access to the system with privileges to run devlink commands, typically root or CAP_NET_ADMIN [1].
Impact
A successful exploitation results in a kernel NULL pointer dereference, causing a system crash (denial of service). The crash trace shows the dereference occurs in mlx5e_dcbnl_dscp_app+0x23/0x100, with the faulting address 0x370 being a small offset from a NULL base, i.e. a field read through a pointer in the zeroed structure. This can be mitigated by applying the kernel patch that passes netdev instead of priv and adds the profile validity check. The fix is included in the Linux kernel stable tree as commit 4ef8512e1427111f7ba92b4a847d181ff0aeec42 [1]. Users should update their kernels to a version containing this commit. No workaround is available other than avoiding the sequence of a failed switchdev mode change followed by a reload.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.