CVE-2026-22993

{"id": "CVE-2026-22993", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2026-01-23T16:15:55.393", "references": [{"url": "https://git.kernel.org/stable/c/a09380354d2f14759b9dd45de1bc2f6bf49e651b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ab92fa4dd81beaaed4e93a851f7a37c9b2d9776f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ebecca5b093895da801b3eba1a55b4ec4027d196", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: Fix RSS LUT NULL ptr issue after soft reset\n\nDuring soft reset, the RSS LUT is freed and not restored unless the\ninterface is up. If an ethtool command that accesses the rss lut is\nattempted immediately after reset, it will result in NULL ptr\ndereference. Also, there is no need to reset the rss lut if the soft reset\ndoes not involve queue count change.\n\nAfter soft reset, set the RSS LUT to default values based on the updated\nqueue count only if the reset was a result of a queue count change and\nthe LUT was not configured by the user. In all other cases, don't touch\nthe LUT.\n\nSteps to reproduce:\n\n** Bring the interface down (if up)\nifconfig eth1 down\n\n** update the queue count (eg., 27->20)\nethtool -L eth1 combined 20\n\n** display the RSS LUT\nethtool -x eth1\n\n[82375.558338] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[82375.558373] #PF: supervisor read access in kernel mode\n[82375.558391] #PF: error_code(0x0000) - not-present page\n[82375.558408] PGD 0 P4D 0\n[82375.558421] Oops: Oops: 0000 [#1] SMP NOPTI\n<snip>\n[82375.558516] RIP: 0010:idpf_get_rxfh+0x108/0x150 [idpf]\n[82375.558786] Call Trace:\n[82375.558793] <TASK>\n[82375.558804] rss_prepare.isra.0+0x187/0x2a0\n[82375.558827] rss_prepare_data+0x3a/0x50\n[82375.558845] ethnl_default_doit+0x13d/0x3e0\n[82375.558863] genl_family_rcv_msg_doit+0x11f/0x180\n[82375.558886] genl_rcv_msg+0x1ad/0x2b0\n[82375.558902] ? __pfx_ethnl_default_doit+0x10/0x10\n[82375.558920] ? __pfx_genl_rcv_msg+0x10/0x10\n[82375.558937] netlink_rcv_skb+0x58/0x100\n[82375.558957] genl_rcv+0x2c/0x50\n[82375.558971] netlink_unicast+0x289/0x3e0\n[82375.558988] netlink_sendmsg+0x215/0x440\n[82375.559005] __sys_sendto+0x234/0x240\n[82375.559555] __x64_sys_sendto+0x28/0x30\n[82375.560068] x64_sys_call+0x1909/0x1da0\n[82375.560576] do_syscall_64+0x7a/0xfa0\n[82375.561076] ? clear_bhb_loop+0x60/0xb0\n[82375.561567] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n<snip>"}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nidpf: Soluciona el problema de puntero NULL de la RSS LUT despu\u00e9s de un reinicio suave\n\nDurante el reinicio suave, la RSS LUT se libera y no se restaura a menos que la interfaz est\u00e9 activa. Si se intenta un comando ethtool que accede a la rss lut inmediatamente despu\u00e9s del reinicio, resultar\u00e1 en una desreferencia de puntero NULL. Adem\u00e1s, no es necesario reiniciar la rss lut si el reinicio suave no implica un cambio en el recuento de colas.\n\nDespu\u00e9s del reinicio suave, establece la RSS LUT a valores predeterminados bas\u00e1ndose en el recuento de colas actualizado solo si el reinicio fue resultado de un cambio en el recuento de colas y la LUT no fue configurada por el usuario. En todos los dem\u00e1s casos, no modifiques la LUT.\n\nPasos para reproducir:\n\n Desactiva la interfaz (si est\u00e1 activa)\nifconfig eth1 down\n\n Actualiza el recuento de colas (ej., 27-&gt;20)\nethtool -L eth1 combined 20\n\n** Muestra la RSS LUT\nethtool -x eth1\n\n[82375.558338] BUG: desreferencia de puntero NULL del kernel, direcci\u00f3n: 0000000000000000\n[82375.558373] #PF: acceso de lectura de supervisor en modo kernel\n[82375.558391] #PF: error_code(0x0000) - p\u00e1gina no presente\n[82375.558408] PGD 0 P4D 0\n[82375.558421] Oops: Oops: 0000 [#1] SMP NOPTI\n\n[82375.558516] RIP: 0010:idpf_get_rxfh+0x108/0x150 [idpf]\n[82375.558786] Traza de llamada:\n[82375.558793] \n[82375.558804] rss_prepare.isra.0+0x187/0x2a0\n[82375.558827] rss_prepare_data+0x3a/0x50\n[82375.558845] ethnl_default_doit+0x13d/0x3e0\n[82375.558863] genl_family_rcv_msg_doit+0x11f/0x180\n[82375.558886] genl_rcv_msg+0x1ad/0x2b0\n[82375.558902] ? __pfx_ethnl_default_doit+0x10/0x10\n[82375.558920] ? __pfx_genl_rcv_msg+0x10/0x10\n[82375.558937] netlink_rcv_skb+0x58/0x100\n[82375.558957] genl_rcv+0x2c/0x50\n[82375.558971] netlink_unicast+0x289/0x3e0\n[82375.558988] netlink_sendmsg+0x215/0x440\n[82375.559005] __sys_sendto+0x234/0x240\n[82375.559555] __x64_sys_sendto+0x28/0x30\n[82375.560068] x64_sys_call+0x1909/0x1da0\n[82375.560576] do_syscall_64+0x7a/0xfa0\n[82375.561076] ? clear_bhb_loop+0x60/0xb0\n[82375.561567] entry_SYSCALL_64_after_hwframe+0x76/0x7e\n"}], "lastModified": "2026-04-02T12:16:19.137", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C006C634-C236-4B4B-B7FA-AF44C3098505", "versionEndExcluding": "6.18.6", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}