CVE-2026-23104

In the Linux kernel, the following vulnerability has been resolved: ice: fix devlink reload call trace Commit 4da71a77fc3b ("ice: read internal temperature sensor") introduced internal temperature sensor reading via HWMON. ice_hwmon_init() was added to ice_init_feature() and ice_hwmon_exit() was added to ice_remove(). As a result if devlink reload is used to reinit the device and then the driver is removed, a call trace can occur. BUG: unable to handle page fault for address: ffffffffc0fd4b5d Call Trace: string+0x48/0xe0 vsnprintf+0x1f9/0x650 sprintf+0x62/0x80 name_show+0x1f/0x30 dev_attr_show+0x19/0x60 The call trace repeats approximately every 10 minutes when system monitoring tools (e.g., sadc) attempt to read the orphaned hwmon sysfs attributes that reference freed module memory. The sequence is: 1. Driver load, ice_hwmon_init() gets called from ice_init_feature() 2. Devlink reload down, flow does not call ice_remove() 3. Devlink reload up, ice_hwmon_init() gets called from ice_init_feature() resulting in a second instance 4. Driver unload, ice_hwmon_exit() called from ice_remove() leaving the first hwmon instance orphaned with dangling pointer Fix this by moving ice_hwmon_exit() from ice_remove() to ice_deinit_features() to ensure proper cleanup symmetry with ice_hwmon_init().

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/87c1dacca197cc64e06fedeb269e3dd6699bae60	Patch
https://git.kernel.org/stable/c/8ac7dd0f813fb65ff2fd9543900c3009f8e84110
https://git.kernel.org/stable/c/d3f867e7a04678640ebcbfb81893c59f4af48586	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc4::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc5::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc6::::::

History

25 Mar 2026, 11:16

Type	Values Removed	Values Added
References		() https://git.kernel.org/stable/c/8ac7dd0f813fb65ff2fd9543900c3009f8e84110 -

19 Mar 2026, 19:27

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
CPE		cpe:2.3:o:linux:linux_kernel:6.19:rc5:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc4:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc1:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc2:::::: cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.19:rc6:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc3::::::
First Time		Linux Linux linux Kernel
CWE		NVD-CWE-noinfo
References	~~() https://git.kernel.org/stable/c/87c1dacca197cc64e06fedeb269e3dd6699bae60 -~~	() https://git.kernel.org/stable/c/87c1dacca197cc64e06fedeb269e3dd6699bae60 - Patch
References	~~() https://git.kernel.org/stable/c/d3f867e7a04678640ebcbfb81893c59f4af48586 -~~	() https://git.kernel.org/stable/c/d3f867e7a04678640ebcbfb81893c59f4af48586 - Patch
Summary		(es) En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta: ice: corrige el rastreo de llamadas de recarga de devlink El commit 4da71a77fc3b ('ice: read internal temperature sensor') introdujo la lectura del sensor de temperatura interno a través de HWMON. ice_hwmon_init() se añadió a ice_init_feature() y ice_hwmon_exit() se añadió a ice_remove(). Como resultado, si se utiliza la recarga de devlink para reinicializar el dispositivo y luego se elimina el controlador, puede ocurrir un rastreo de llamadas. ERROR: no se puede manejar el fallo de página para la dirección: ffffffffc0fd4b5d Rastreo de Llamadas: string+0x48/0xe0 vsnprintf+0x1f9/0x650 sprintf+0x62/0x80 name_show+0x1f/0x30 dev_attr_show+0x19/0x60 El rastreo de llamadas se repite aproximadamente cada 10 minutos cuando las herramientas de monitoreo del sistema (p. ej., sadc) intentan leer los atributos huérfanos de hwmon sysfs que referencian memoria de módulo liberada. La secuencia es: 1. Carga del controlador, ice_hwmon_init() es llamado desde ice_init_feature() 2. Recarga de Devlink hacia abajo, el flujo no llama a ice_remove() 3. Recarga de Devlink hacia arriba, ice_hwmon_init() es llamado desde ice_init_feature() resultando en una segunda instancia 4. Descarga del controlador, ice_hwmon_exit() llamado desde ice_remove() dejando la primera instancia de hwmon huérfana con un puntero colgante Solucione esto moviendo ice_hwmon_exit() de ice_remove() a ice_deinit_features() para asegurar una simetría de limpieza adecuada con ice_hwmon_init().

04 Feb 2026, 17:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-04 17:16

Updated : 2026-03-25 11:16

NVD link : CVE-2026-23104

Mitre link : CVE-2026-23104

CVE.ORG link : CVE-2026-23104

JSON object : View

Products Affected

linux

linux_kernel

CWE

NVD-CWE-noinfo

5.5 /10