CVE-2026-23035— net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv
Affected Version Matrix 8
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | c4d7eb57687f358cd498ea3624519236af8db97e< a7625bacaa8c8c2bfcde6dd6d1397bd63ad82b02 | affected |
c4d7eb57687f358cd498ea3624519236af8db97e< 66a25f6b7c0bfd84e6d27b536f5d24116dbd52da | affected | ||
c4d7eb57687f358cd498ea3624519236af8db97e< 4ef8512e1427111f7ba92b4a847d181ff0aeec42 | affected | ||
5.12 | affected | ||
< 5.12 | unaffected | ||
6.12.67≤ 6.12.* | unaffected | ||
6.18.7≤ 6.18.* | unaffected | ||
6.19≤ * | unaffected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-23035
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv mlx5e_priv is an unstable structure that can be memset(0) if profile attaching fails. Pass netdev to mlx5e_destroy_netdev() to guarantee it will work on a valid netdev. On mlx5e_remove: Check validity of priv->profile, before attempting to cleanup any resources that might be not there. This fixes a kernel oops in mlx5e_remove when switchdev mode fails due to change profile failure. $ devlink dev eswitch set pci/0000:00:03.0 mode switchdev Error: mlx5_core: Failed setting eswitch to offloads. dmesg: workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12 workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12 $ devlink dev reload pci/0000:00:03.0 ==> oops BUG: kernel NULL pointer dereference, address: 0000000000000370 PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 15 UID: 0 PID: 520 Comm: devlink Not tainted 6.18.0-rc5+ #115 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:mlx5e_dcbnl_dscp_app+0x23/0x100 RSP: 0018:ffffc9000083f8b8 EFLAGS: 00010286 RAX: ffff8881126fc380 RBX: ffff8881015ac400 RCX: ffffffff826ffc45 RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8881035109c0 RBP: ffff8881035109c0 R08: ffff888101e3e838 R09: ffff888100264e10 R10: ffffc9000083f898 R11: ffffc9000083f8a0 R12: ffff888101b921a0 R13: ffff888101b921a0 R14: ffff8881015ac9a0 R15: ffff8881015ac400 FS: 00007f789a3c8740(0000) GS:ffff88856aa59000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000370 CR3: 000000010b6c0001 CR4: 0000000000370ef0 Call Trace: <TASK> mlx5e_remove+0x57/0x110 device_release_driver_internal+0x19c/0x200 bus_remove_device+0xc6/0x130 device_del+0x160/0x3d0 ? devl_param_driverinit_value_get+0x2d/0x90 mlx5_detach_device+0x89/0xe0 mlx5_unload_one_devl_locked+0x3a/0x70 mlx5_devlink_reload_down+0xc8/0x220 devlink_reload+0x7d/0x260 devlink_nl_reload_doit+0x45b/0x5a0 genl_family_rcv_msg_doit+0xe8/0x140
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于使用可能被清零的priv结构,可能导致内核崩溃。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-23035
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-23035
请登录查看更多情报信息。
Same Patch Batch · Linux · 2026-01-31 · 37 CVEs total
| CVE-2026-23018 | btrfs: release path before initializing extent tree in btrfs_read_locked_inode() | |
| CVE-2025-71186 | dmaengine: stm32: dmamux: fix device leak on route allocation | |
| CVE-2025-71185 | dmaengine: ti: dma-crossbar: fix device leak on am335x route allocation | |
| CVE-2026-23024 | idpf: fix memory leak of flow steer list on rmmod | |
| CVE-2026-23023 | idpf: fix memory leak in idpf_vport_rel() | |
| CVE-2026-23022 | idpf: fix memory leak in idpf_vc_core_deinit() | |
| CVE-2026-23021 | net: usb: pegasus: fix memory leak in update_eth_regs_async() | |
| CVE-2026-23020 | net: 3com: 3c59x: fix possible null dereference in vortex_probe1() | |
| CVE-2026-23019 | net: marvell: prestera: fix NULL dereference on devlink_alloc() failure | |
| CVE-2025-71187 | dmaengine: sh: rz-dmac: fix device leak on probe failure | |
| CVE-2026-23017 | idpf: fix error handling in the init_task on load | |
| CVE-2026-23016 | inet: frags: drop fraglist conntrack references | |
| CVE-2026-23015 | gpio: mpsse: fix reference leak in gpio_mpsse_probe() error paths | |
| CVE-2025-71184 | btrfs: fix NULL dereference on root when tracing inode eviction | |
| CVE-2025-71183 | btrfs: always detect conflicting inodes when logging inode refs | |
| CVE-2025-71182 | can: j1939: make j1939_session_activate() fail if device is no longer registered | |
| CVE-2025-71181 | rust_binder: remove spin_lock() in rust_shrink_free_page() | |
| CVE-2025-71180 | counter: interrupt-cnt: Drop IRQF_NO_THREAD flag | |
| CVE-2026-23029 | LoongArch: KVM: Fix kvm_device leak in kvm_eiointc_destroy() | |
| CVE-2026-23039 | drm/gud: fix NULL fb and crtc dereferences on USB disconnect |
Showing top 20 of 37 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-43492
lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_ - CVE-2026-43493
crypto: pcrypt - Fix handling of MAY_BACKLOG requests - CVE-2026-43491
net: qrtr: ns: Limit the maximum server registration per nod - CVE-2026-46333
ptrace: slightly saner 'get_dumpable()' logic - CVE-2026-43490
ksmbd: validate inherited ACE SID length
Same vendor: Linux
- CVE-2026-43492
lib/crypto: mpi: Fix integer underflow in mpi_read_raw_from_ - CVE-2026-43493
crypto: pcrypt - Fix handling of MAY_BACKLOG requests - CVE-2026-43491
net: qrtr: ns: Limit the maximum server registration per nod - CVE-2026-46333
ptrace: slightly saner 'get_dumpable()' logic - CVE-2026-43490
ksmbd: validate inherited ACE SID length
V. Comments for CVE-2026-23035
No comments yet