CVE-2026-46142
Description
In the Linux kernel, the following vulnerability has been resolved:
net: libwx: fix VF illegal register access
Register WX_CFG_PORT_ST is a PF restricted register. When a VF is initialized, attempting to read this register triggers an illegal register access, which lead to a system hang.
When the device is VF, the bus function ID can be obtained directly from the PCI_FUNC(pdev->devfn).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Linux kernel's net/libwx driver, a VF reading the PF-restricted register WX_CFG_PORT_ST causes an illegal access and system hang; fixed by using PCI_FUNC for VF bus function ID.
Vulnerability
The vulnerability exists in the Linux kernel's net/libwx driver. The register WX_CFG_PORT_ST is restricted to the Physical Function (PF). When a Virtual Function (VF) is initialized, the driver attempts to read this register, triggering an illegal register access that leads to a system hang. Affected versions are those prior to the fix commit [1].
Exploitation
An attacker with the ability to initialize a VF on a system using the libwx driver can trigger this vulnerability. No special privileges beyond VF creation are required. The sequence involves the VF initialization code path that reads the PF-restricted register.
Impact
Successful exploitation results in a system hang (denial of service). The vulnerability does not provide any information disclosure or privilege escalation; it only causes a crash or hang of the host system.
Mitigation
The fix is included in the Linux kernel stable commit [1]. Users should update to a kernel version containing this commit. No workaround is available if the driver is in use. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
10d3bd80404979net: libwx: fix VF illegal register access
1 file changed · +5 −3
drivers/net/ethernet/wangxun/libwx/wx_hw.c+5 −3 modifieddiff --git a/drivers/net/ethernet/wangxun/libwx/wx_hw.c b/drivers/net/ethernet/wangxun/libwx/wx_hw.c index 7feb991a95924f..e6320da3e5947f 100644 --- a/drivers/net/ethernet/wangxun/libwx/wx_hw.c +++ b/drivers/net/ethernet/wangxun/libwx/wx_hw.c @@ -1667,8 +1667,11 @@ int wx_sw_init(struct wx *wx) wx->oem_svid = pdev->subsystem_vendor; wx->oem_ssid = pdev->subsystem_device; wx->bus.device = PCI_SLOT(pdev->devfn); - wx->bus.func = FIELD_GET(WX_CFG_PORT_ST_LANID, - rd32(wx, WX_CFG_PORT_ST)); + if (pdev->is_virtfn) + wx->bus.func = PCI_FUNC(pdev->devfn); + else + wx->bus.func = FIELD_GET(WX_CFG_PORT_ST_LANID, + rd32(wx, WX_CFG_PORT_ST)); if (wx->oem_svid == PCI_VENDOR_ID_WANGXUN) { wx->subsystem_vendor_id = pdev->subsystem_vendor; -- cgit 1.3-korg
694de316f607net: libwx: fix VF illegal register access
1 file changed · +5 −3
drivers/net/ethernet/wangxun/libwx/wx_hw.c+5 −3 modifieddiff --git a/drivers/net/ethernet/wangxun/libwx/wx_hw.c b/drivers/net/ethernet/wangxun/libwx/wx_hw.c index d3772d01e00bc8..2451f6b20b1115 100644 --- a/drivers/net/ethernet/wangxun/libwx/wx_hw.c +++ b/drivers/net/ethernet/wangxun/libwx/wx_hw.c @@ -2480,8 +2480,11 @@ int wx_sw_init(struct wx *wx) wx->oem_svid = pdev->subsystem_vendor; wx->oem_ssid = pdev->subsystem_device; wx->bus.device = PCI_SLOT(pdev->devfn); - wx->bus.func = FIELD_GET(WX_CFG_PORT_ST_LANID, - rd32(wx, WX_CFG_PORT_ST)); + if (pdev->is_virtfn) + wx->bus.func = PCI_FUNC(pdev->devfn); + else + wx->bus.func = FIELD_GET(WX_CFG_PORT_ST_LANID, + rd32(wx, WX_CFG_PORT_ST)); if (wx->oem_svid == PCI_VENDOR_ID_WANGXUN || pdev->is_virtfn) { -- cgit 1.3-korg
f6e656f7cea1net: libwx: fix VF illegal register access
1 file changed · +5 −3
drivers/net/ethernet/wangxun/libwx/wx_hw.c+5 −3 modifieddiff --git a/drivers/net/ethernet/wangxun/libwx/wx_hw.c b/drivers/net/ethernet/wangxun/libwx/wx_hw.c index 19b36d308d292b..319b3f3b2e7dd6 100644 --- a/drivers/net/ethernet/wangxun/libwx/wx_hw.c +++ b/drivers/net/ethernet/wangxun/libwx/wx_hw.c @@ -1943,8 +1943,11 @@ int wx_sw_init(struct wx *wx) wx->oem_svid = pdev->subsystem_vendor; wx->oem_ssid = pdev->subsystem_device; wx->bus.device = PCI_SLOT(pdev->devfn); - wx->bus.func = FIELD_GET(WX_CFG_PORT_ST_LANID, - rd32(wx, WX_CFG_PORT_ST)); + if (pdev->is_virtfn) + wx->bus.func = PCI_FUNC(pdev->devfn); + else + wx->bus.func = FIELD_GET(WX_CFG_PORT_ST_LANID, + rd32(wx, WX_CFG_PORT_ST)); if (wx->oem_svid == PCI_VENDOR_ID_WANGXUN) { wx->subsystem_vendor_id = pdev->subsystem_vendor; -- cgit 1.3-korg
33c5bb50b9c4net: libwx: fix VF illegal register access
1 file changed · +5 −3
drivers/net/ethernet/wangxun/libwx/wx_hw.c+5 −3 modifieddiff --git a/drivers/net/ethernet/wangxun/libwx/wx_hw.c b/drivers/net/ethernet/wangxun/libwx/wx_hw.c index b37d6cfbfbe943..be59a102289042 100644 --- a/drivers/net/ethernet/wangxun/libwx/wx_hw.c +++ b/drivers/net/ethernet/wangxun/libwx/wx_hw.c @@ -2427,8 +2427,11 @@ int wx_sw_init(struct wx *wx) wx->oem_svid = pdev->subsystem_vendor; wx->oem_ssid = pdev->subsystem_device; wx->bus.device = PCI_SLOT(pdev->devfn); - wx->bus.func = FIELD_GET(WX_CFG_PORT_ST_LANID, - rd32(wx, WX_CFG_PORT_ST)); + if (pdev->is_virtfn) + wx->bus.func = PCI_FUNC(pdev->devfn); + else + wx->bus.func = FIELD_GET(WX_CFG_PORT_ST_LANID, + rd32(wx, WX_CFG_PORT_ST)); if (wx->oem_svid == PCI_VENDOR_ID_WANGXUN || pdev->is_virtfn) { -- cgit 1.3-korg
68a007a701bcnet: libwx: fix VF illegal register access
1 file changed · +5 −3
drivers/net/ethernet/wangxun/libwx/wx_hw.c+5 −3 modifieddiff --git a/drivers/net/ethernet/wangxun/libwx/wx_hw.c b/drivers/net/ethernet/wangxun/libwx/wx_hw.c index bee9e245e7927b..5315d5c92d0b21 100644 --- a/drivers/net/ethernet/wangxun/libwx/wx_hw.c +++ b/drivers/net/ethernet/wangxun/libwx/wx_hw.c @@ -2480,8 +2480,11 @@ int wx_sw_init(struct wx *wx) wx->oem_svid = pdev->subsystem_vendor; wx->oem_ssid = pdev->subsystem_device; wx->bus.device = PCI_SLOT(pdev->devfn); - wx->bus.func = FIELD_GET(WX_CFG_PORT_ST_LANID, - rd32(wx, WX_CFG_PORT_ST)); + if (pdev->is_virtfn) + wx->bus.func = PCI_FUNC(pdev->devfn); + else + wx->bus.func = FIELD_GET(WX_CFG_PORT_ST_LANID, + rd32(wx, WX_CFG_PORT_ST)); if (wx->oem_svid == PCI_VENDOR_ID_WANGXUN || pdev->is_virtfn) { -- cgit 1.3-korg
68a007a701bcnet: libwx: fix VF illegal register access
1 file changed · +5 −3
drivers/net/ethernet/wangxun/libwx/wx_hw.c+5 −3 modifieddiff --git a/drivers/net/ethernet/wangxun/libwx/wx_hw.c b/drivers/net/ethernet/wangxun/libwx/wx_hw.c index bee9e245e7927b..5315d5c92d0b21 100644 --- a/drivers/net/ethernet/wangxun/libwx/wx_hw.c +++ b/drivers/net/ethernet/wangxun/libwx/wx_hw.c @@ -2480,8 +2480,11 @@ int wx_sw_init(struct wx *wx) wx->oem_svid = pdev->subsystem_vendor; wx->oem_ssid = pdev->subsystem_device; wx->bus.device = PCI_SLOT(pdev->devfn); - wx->bus.func = FIELD_GET(WX_CFG_PORT_ST_LANID, - rd32(wx, WX_CFG_PORT_ST)); + if (pdev->is_virtfn) + wx->bus.func = PCI_FUNC(pdev->devfn); + else + wx->bus.func = FIELD_GET(WX_CFG_PORT_ST_LANID, + rd32(wx, WX_CFG_PORT_ST)); if (wx->oem_svid == PCI_VENDOR_ID_WANGXUN || pdev->is_virtfn) { -- cgit 1.3-korg
d3bd80404979net: libwx: fix VF illegal register access
1 file changed · +5 −3
drivers/net/ethernet/wangxun/libwx/wx_hw.c+5 −3 modifieddiff --git a/drivers/net/ethernet/wangxun/libwx/wx_hw.c b/drivers/net/ethernet/wangxun/libwx/wx_hw.c index 7feb991a95924f..e6320da3e5947f 100644 --- a/drivers/net/ethernet/wangxun/libwx/wx_hw.c +++ b/drivers/net/ethernet/wangxun/libwx/wx_hw.c @@ -1667,8 +1667,11 @@ int wx_sw_init(struct wx *wx) wx->oem_svid = pdev->subsystem_vendor; wx->oem_ssid = pdev->subsystem_device; wx->bus.device = PCI_SLOT(pdev->devfn); - wx->bus.func = FIELD_GET(WX_CFG_PORT_ST_LANID, - rd32(wx, WX_CFG_PORT_ST)); + if (pdev->is_virtfn) + wx->bus.func = PCI_FUNC(pdev->devfn); + else + wx->bus.func = FIELD_GET(WX_CFG_PORT_ST_LANID, + rd32(wx, WX_CFG_PORT_ST)); if (wx->oem_svid == PCI_VENDOR_ID_WANGXUN) { wx->subsystem_vendor_id = pdev->subsystem_vendor; -- cgit 1.3-korg
f6e656f7cea1net: libwx: fix VF illegal register access
1 file changed · +5 −3
drivers/net/ethernet/wangxun/libwx/wx_hw.c+5 −3 modifieddiff --git a/drivers/net/ethernet/wangxun/libwx/wx_hw.c b/drivers/net/ethernet/wangxun/libwx/wx_hw.c index 19b36d308d292b..319b3f3b2e7dd6 100644 --- a/drivers/net/ethernet/wangxun/libwx/wx_hw.c +++ b/drivers/net/ethernet/wangxun/libwx/wx_hw.c @@ -1943,8 +1943,11 @@ int wx_sw_init(struct wx *wx) wx->oem_svid = pdev->subsystem_vendor; wx->oem_ssid = pdev->subsystem_device; wx->bus.device = PCI_SLOT(pdev->devfn); - wx->bus.func = FIELD_GET(WX_CFG_PORT_ST_LANID, - rd32(wx, WX_CFG_PORT_ST)); + if (pdev->is_virtfn) + wx->bus.func = PCI_FUNC(pdev->devfn); + else + wx->bus.func = FIELD_GET(WX_CFG_PORT_ST_LANID, + rd32(wx, WX_CFG_PORT_ST)); if (wx->oem_svid == PCI_VENDOR_ID_WANGXUN) { wx->subsystem_vendor_id = pdev->subsystem_vendor; -- cgit 1.3-korg
694de316f607net: libwx: fix VF illegal register access
1 file changed · +5 −3
drivers/net/ethernet/wangxun/libwx/wx_hw.c+5 −3 modifieddiff --git a/drivers/net/ethernet/wangxun/libwx/wx_hw.c b/drivers/net/ethernet/wangxun/libwx/wx_hw.c index d3772d01e00bc8..2451f6b20b1115 100644 --- a/drivers/net/ethernet/wangxun/libwx/wx_hw.c +++ b/drivers/net/ethernet/wangxun/libwx/wx_hw.c @@ -2480,8 +2480,11 @@ int wx_sw_init(struct wx *wx) wx->oem_svid = pdev->subsystem_vendor; wx->oem_ssid = pdev->subsystem_device; wx->bus.device = PCI_SLOT(pdev->devfn); - wx->bus.func = FIELD_GET(WX_CFG_PORT_ST_LANID, - rd32(wx, WX_CFG_PORT_ST)); + if (pdev->is_virtfn) + wx->bus.func = PCI_FUNC(pdev->devfn); + else + wx->bus.func = FIELD_GET(WX_CFG_PORT_ST_LANID, + rd32(wx, WX_CFG_PORT_ST)); if (wx->oem_svid == PCI_VENDOR_ID_WANGXUN || pdev->is_virtfn) { -- cgit 1.3-korg
33c5bb50b9c4net: libwx: fix VF illegal register access
1 file changed · +5 −3
drivers/net/ethernet/wangxun/libwx/wx_hw.c+5 −3 modifieddiff --git a/drivers/net/ethernet/wangxun/libwx/wx_hw.c b/drivers/net/ethernet/wangxun/libwx/wx_hw.c index b37d6cfbfbe943..be59a102289042 100644 --- a/drivers/net/ethernet/wangxun/libwx/wx_hw.c +++ b/drivers/net/ethernet/wangxun/libwx/wx_hw.c @@ -2427,8 +2427,11 @@ int wx_sw_init(struct wx *wx) wx->oem_svid = pdev->subsystem_vendor; wx->oem_ssid = pdev->subsystem_device; wx->bus.device = PCI_SLOT(pdev->devfn); - wx->bus.func = FIELD_GET(WX_CFG_PORT_ST_LANID, - rd32(wx, WX_CFG_PORT_ST)); + if (pdev->is_virtfn) + wx->bus.func = PCI_FUNC(pdev->devfn); + else + wx->bus.func = FIELD_GET(WX_CFG_PORT_ST_LANID, + rd32(wx, WX_CFG_PORT_ST)); if (wx->oem_svid == PCI_VENDOR_ID_WANGXUN || pdev->is_virtfn) { -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Missing VF/PF privilege check causes a VF to read a PF-restricted register, triggering an illegal register access and system hang."
Attack vector
An attacker who can trigger VF initialization on a Wangxun network adapter will cause the kernel to attempt reading `WX_CFG_PORT_ST`, a register that is restricted to the Physical Function (PF) [patch_id=2898341]. Because a VF does not have permission to access this PF-only register, the hardware raises an illegal register access fault, which leads to a system hang. No special network payload is required — the bug is triggered during normal VF driver probe/initialization.
Affected code
The vulnerability is in the `wx_sw_init` function in `drivers/net/ethernet/wangxun/libwx/wx_hw.c` [patch_id=2898341]. The function unconditionally reads the PF-restricted register `WX_CFG_PORT_ST` via `rd32()` to obtain the bus function ID, even when the device is a Virtual Function (VF).
What the fix does
The patch adds a conditional check on `pdev->is_virtfn` before reading `WX_CFG_PORT_ST` [patch_id=2898341]. When the device is a VF, the bus function ID is obtained directly from `PCI_FUNC(pdev->devfn)` instead of via the PF-restricted register. This avoids the illegal register access entirely, preventing the system hang. For PF devices, the original `rd32()` path is preserved.
Preconditions
- configThe system must have a Wangxun network adapter that supports SR-IOV with VFs enabled.
- inputA VF must be initialized (driver probe), which triggers wx_sw_init().
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- git.kernel.org/stable/c/33c5bb50b9c40e8451e6aec4487a31d794b98d92nvd
- git.kernel.org/stable/c/68a007a701bc06fa426507c551ef12514f2e721dnvd
- git.kernel.org/stable/c/694de316f607fe2473d52ca0707e3918e72c1562nvd
- git.kernel.org/stable/c/d3bd8040497968f6f5470018724ef7b0df92f707nvd
- git.kernel.org/stable/c/f6e656f7cea16b638675a2ab7d7e4cf2516c5eb0nvd
News mentions
0No linked articles in our index yet.