CVE-2026-23041
Description
In the Linux kernel, the following vulnerability has been resolved:
bnxt_en: Fix NULL pointer crash in bnxt_ptp_enable during error cleanup
When bnxt_init_one() fails during initialization (e.g., bnxt_init_int_mode returns -ENODEV), the error path calls bnxt_free_hwrm_resources() which destroys the DMA pool and sets bp->hwrm_dma_pool to NULL. Subsequently, bnxt_ptp_clear() is called, which invokes ptp_clock_unregister().
Since commit a60fc3294a37 ("ptp: rework ptp_clock_unregister() to disable events"), ptp_clock_unregister() now calls ptp_disable_all_events(), which in turn invokes the driver's .enable() callback (bnxt_ptp_enable()) to disable PTP events before completing the unregistration.
bnxt_ptp_enable() attempts to send HWRM commands via bnxt_ptp_cfg_pin() and bnxt_ptp_cfg_event(), both of which call hwrm_req_init(). This function tries to allocate from bp->hwrm_dma_pool, causing a NULL pointer dereference:
bnxt_en 0000:01:00.0 (unnamed net_device) (uninitialized): bnxt_init_int_mode err: ffffffed
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
Call Trace:
 __hwrm_req_init (drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c:72)
 bnxt_ptp_enable (drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:323 drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:517)
 ptp_disable_all_events (drivers/ptp/ptp_chardev.c:66)
 ptp_clock_unregister (drivers/ptp/ptp_clock.c:518)
 bnxt_ptp_clear (drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:1134)
 bnxt_init_one (drivers/net/ethernet/broadcom/bnxt/bnxt.c:16889)
Lines are against commit f8f9c1f4d0c7 ("Linux 6.19-rc3")
Fix this by clearing and unregistering ptp (bnxt_ptp_clear()) before freeing HWRM resources.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
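The bnxt_en driver crashes on a NULL pointer dereference during initialization-failure cleanup because bnxt_ptp_clear() runs after the HWRM DMA pool has been destroyed, and ptp_clock_unregister() then invokes a driver callback that tries to allocate from that pool.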
Root Cause
In the Linux kernel's bnxt_en driver, when bnxt_init_one() fails (e.g., bnxt_init_int_mode returns -ENODEV), the cleanup path calls bnxt_free_hwrm_resources() first, which destroys the DMA pool and sets bp->hwrm_dma_pool to NULL [1]. Then bnxt_ptp_clear() is invoked, which calls ptp_clock_unregister(). Since commit a60fc3294a37, ptp_clock_unregister() triggers ptp_disable_all_events(), which invokes the driver's .enable() callback (bnxt_ptp_enable()) to disable PTP events before completing unregistration.
Exploitation Mechanism
The bnxt_ptp_enable() callback attempts to send HWRM commands via bnxt_ptp_cfg_pin() and bnxt_ptp_cfg_event(), both of which call hwrm_req_init(). This function tries to allocate from bp->hwrm_dma_pool, which is already NULL due to the prior cleanup. This results in a NULL pointer dereference, as shown in the KASAN trace: the crash occurs at __hwrm_req_init (line 72 of bnxt_hwrm.c) [1]. The attack surface requires no special privileges — the vulnerability is triggered during normal driver initialization failure, so any user or process that triggers driver loading on a system with a bnxt NIC could potentially encounter the crash, leading to denial of service.
Impact
An attacker with local access or ability to influence driver initialization (e.g., through device hotplug) could cause a kernel NULL pointer dereference, resulting in a system crash or denial of service. The pointer dereference occurs before any network operations start, but after DMA pool destruction, making it a clean null-ptr-deref that panics the kernel.
Mitigation
The fix is to reorder the cleanup: call bnxt_ptp_clear() (which unregisters the PTP clock) before freeing HWRM resources. This ensures that the PTP callback chain is dismantled while the DMA pool is still valid [1]. The patch has been applied to the stable kernel tree as of commit 0174d5466cae. Systems running kernels prior to this fix, especially those with Broadcom bnxt_en NICs, should apply the update to avoid potential crashes on driver initialization failures.
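The ordering dependency described above, as an added userspace model that is not code from the kernel or from this page. Every type and function name is hypothetical and only mirrors the kernel function it stands in for, and the model counts a NULL-pool use where the real hwrm_req_init() path would fault.

```c
#include <stdio.h>

/* Userspace model; every type and function here is hypothetical, not driver code. */
struct model_bp {
    void *hwrm_dma_pool;                            /* stands in for bp->hwrm_dma_pool */
    int (*ptp_enable)(struct model_bp *bp, int on); /* registered PTP .enable(), or NULL */
    int null_pool_uses;                             /* requests that found the pool NULL */
};

/* Models hwrm_req_init(): the kernel faults here; the model counts instead. */
static int model_hwrm_req_init(struct model_bp *bp)
{
    if (!bp->hwrm_dma_pool) { bp->null_pool_uses++; return -1; }
    return 0;
}

/* Models bnxt_ptp_enable(): even disabling events sends an HWRM request. */
static int model_ptp_enable(struct model_bp *bp, int on)
{
    (void)on;
    return model_hwrm_req_init(bp);
}

/* Models bnxt_ptp_clear(): unregistering calls .enable() to disable events. */
static void model_ptp_clear(struct model_bp *bp)
{
    if (!bp->ptp_enable) return;
    bp->ptp_enable(bp, 0);
    bp->ptp_enable = NULL;
}

/* Models bnxt_free_hwrm_resources(): the pool is gone afterwards. */
static void model_free_hwrm_resources(struct model_bp *bp) { bp->hwrm_dma_pool = NULL; }

/* Runs the init-failure cleanup in the chosen order; returns NULL-pool uses. */
int cleanup_null_pool_uses(int ptp_clear_first)
{
    static char pool[64];      /* constructed stand-in for the DMA pool */
    struct model_bp bp = { pool, model_ptp_enable, 0 };
    if (ptp_clear_first) { model_ptp_clear(&bp); model_free_hwrm_resources(&bp); }
    else                 { model_free_hwrm_resources(&bp); model_ptp_clear(&bp); }
    return bp.null_pool_uses;
}

int main(void)
{
    printf("pre-fix: %d, fixed: %d\n", cleanup_null_pool_uses(0), cleanup_null_pool_uses(1));
    return 0;
}
```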
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.