VYPR
Medium severity 5.5 · NVD Advisory · Published May 6, 2026 · Updated May 12, 2026

CVE-2026-43219

Description

In the Linux kernel, the following vulnerability has been resolved:

net: cpsw_new: Fix potential unregister of netdev that has not been registered yet

If an error occurs during register_netdev() for the first MAC in cpsw_register_ports(), even though cpsw->slaves[0].ndev is set to NULL, cpsw->slaves[1].ndev would remain unchanged. This could later cause cpsw_unregister_ports() to attempt unregistering the second MAC. To address this, add a check for ndev->reg_state before calling unregister_netdev(). With this change, setting cpsw->slaves[i].ndev to NULL becomes unnecessary and can be removed accordingly.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A bug in the Linux kernel's cpsw_new driver could cause an unregistered network device to be unregistered, leading to a potential use-after-free.

Vulnerability

In the Linux kernel's cpsw_new Ethernet driver, a flaw exists in the error handling path during port registration. When register_netdev() fails for the first MAC in cpsw_register_ports(), the driver sets cpsw->slaves[0].ndev to NULL but leaves cpsw->slaves[1].ndev unchanged. This inconsistency can later cause cpsw_unregister_ports() to attempt to unregister the second MAC's network device, even if it was never successfully registered [1][2][3].

Exploitation

An attacker would need local access to trigger the error condition that causes register_netdev() to fail for the first port. This could occur due to resource exhaustion or hardware misconfiguration. No special privileges beyond the ability to load the affected driver are required, but the attack surface is limited to systems using the cpsw_new driver with dual Ethernet ports.

Impact

If triggered, the kernel would attempt to call unregister_netdev() on a network device that was never registered, leading to a use-after-free or other memory corruption. This could result in a system crash (denial of service) or potentially allow an attacker to escalate privileges if the memory corruption is exploitable.

Mitigation

The fix adds a check for ndev->reg_state before calling unregister_netdev(), preventing the erroneous unregistration. The patch also removes the now-unnecessary NULL assignment for cpsw->slaves[i].ndev. The fix has been applied to the Linux kernel stable branches [1][2][3]. Users should update to the latest kernel version containing this commit.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
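
The register/cleanup flow described above, as an added user-space model in C; it is not code from the kernel or from the upstream patch. The model_* names, run_model() and the fail_at parameter are hypothetical, and comparing reg_state against NETREG_REGISTERED is an assumption about the form of the check, since the page only says that ndev->reg_state is checked before unregister_netdev().

```c
/* Added user-space model of the flow; not kernel or driver code. */
#include <stddef.h>
enum reg_state { NETREG_UNINITIALIZED = 0, NETREG_REGISTERED };
struct model_ndev { enum reg_state reg_state; };
struct model_cpsw { struct model_ndev *slaves[2]; int bad_unregisters; };

/* Stand-in for register_netdev(): fails for port index fail_at (assumed). */
static int model_register(struct model_ndev *nd, int idx, int fail_at)
{
    if (idx == fail_at)
        return -1;
    nd->reg_state = NETREG_REGISTERED;
    return 0;
}

/* Stand-in for unregister_netdev(): counts calls on unregistered devices. */
static void model_unregister(struct model_cpsw *c, struct model_ndev *nd)
{
    if (nd->reg_state != NETREG_REGISTERED)
        c->bad_unregisters++;
    nd->reg_state = NETREG_UNINITIALIZED;
}

/* Cleanup loop; check_state = 0 is the pre-fix form, 1 adds the reg_state check. */
static void model_unregister_ports(struct model_cpsw *c, int check_state)
{
    for (int i = 0; i < 2; i++) {
        struct model_ndev *nd = c->slaves[i];
        if (!nd || (check_state && nd->reg_state != NETREG_REGISTERED))
            continue;
        model_unregister(c, nd);
    }
}

/* Register both ports, failing at fail_at; return the bad unregister count. */
int run_model(int fail_at, int check_state)
{
    struct model_ndev a = { NETREG_UNINITIALIZED }, b = { NETREG_UNINITIALIZED };
    struct model_cpsw c = { { &a, &b }, 0 };
    for (int i = 0; i < 2; i++) {
        if (model_register(c.slaves[i], i, fail_at) == 0)
            continue;
        if (!check_state)
            c.slaves[i] = NULL; /* pre-fix: only the failing slot is cleared */
        break;
    }
    model_unregister_ports(&c, check_state);
    return c.bad_unregisters;
}
```

run_model(0, 0) reproduces the case in the description: the first port fails, the second slot keeps its never-registered device, and the cleanup loop reaches it. With check_state set to 1 the NULL assignment is no longer needed, which matches the description's remark that it can be removed.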
