CVE-2026-23353

{"id": "CVE-2026-23353", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2026-03-25T11:16:33.817", "references": [{"url": "https://git.kernel.org/stable/c/85c98b81849e4724ae99005a6cccd33cab9cfd18", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a9c354e656597aededa027d63d2ff0973f6b033f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix crash in ethtool offline loopback test\n\nSince the conversion of ice to page pool, the ethtool loopback test\ncrashes:\n\n BUG: kernel NULL pointer dereference, address: 000000000000000c\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 1100f1067 P4D 0\n Oops: Oops: 0002 [#1] SMP NOPTI\n CPU: 23 UID: 0 PID: 5904 Comm: ethtool Kdump: loaded Not tainted 6.19.0-0.rc7.260128g1f97d9dcf5364.49.eln154.x86_64 #1 PREEMPT(lazy)\n Hardware name: [...]\n RIP: 0010:ice_alloc_rx_bufs+0x1cd/0x310 [ice]\n Code: 83 6c 24 30 01 66 41 89 47 08 0f 84 c0 00 00 00 41 0f b7 dc 48 8b 44 24 18 48 c1 e3 04 41 bb 00 10 00 00 48 8d 2c 18 8b 04 24 <89> 45 0c 41 8b 4d 00 49 d3 e3 44 3b 5c 24 24 0f 83 ac fe ff ff 44\n RSP: 0018:ff7894738aa1f768 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000700 RDI: 0000000000000000\n RBP: 0000000000000000 R08: ff16dcae79880200 R09: 0000000000000019\n R10: 0000000000000001 R11: 0000000000001000 R12: 0000000000000000\n R13: 0000000000000000 R14: 0000000000000000 R15: ff16dcae6c670000\n FS: 00007fcf428850c0(0000) GS:ff16dcb149710000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000000000000c CR3: 0000000121227005 CR4: 0000000000773ef0\n PKRU: 55555554\n Call Trace:\n <TASK>\n ice_vsi_cfg_rxq+0xca/0x460 [ice]\n ice_vsi_cfg_rxqs+0x54/0x70 [ice]\n ice_loopback_test+0xa9/0x520 [ice]\n ice_self_test+0x1b9/0x280 [ice]\n ethtool_self_test+0xe5/0x200\n __dev_ethtool+0x1106/0x1a90\n dev_ethtool+0xbe/0x1a0\n dev_ioctl+0x258/0x4c0\n sock_do_ioctl+0xe3/0x130\n __x64_sys_ioctl+0xb9/0x100\n do_syscall_64+0x7c/0x700\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [...]\n\nIt crashes because we have not initialized libeth for the rx ring.\n\nFix it by treating ICE_VSI_LB VSIs slightly more like normal PF VSIs and\nletting them have a q_vector. It's just a dummy, because the loopback\ntest does not use interrupts, but it contains a napi struct that can be\npassed to libeth_rx_fq_create() called from ice_vsi_cfg_rxq() ->\nice_rxq_pp_create()."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nice: corrige un fallo en la prueba de bucle invertido fuera de l\u00ednea de ethtool\n\nDesde la conversi\u00f3n de ice a 'page pool', la prueba de bucle invertido de ethtool falla:\n\n ERROR: desreferencia de puntero NULL del kernel, direcci\u00f3n: 000000000000000c\n #PF: acceso de escritura de supervisor en modo kernel\n #PF: c\u00f3digo de error(0x0002) - p\u00e1gina no presente\n PGD 1100f1067 P4D 0\n Oops: Oops: 0002 [#1] SMP NOPTI\n CPU: 23 UID: 0 PID: 5904 Comando: ethtool Kdump: cargado No contaminado 6.19.0-0.rc7.260128g1f97d9dcf5364.49.eln154.x86_64 #1 PREEMPT(lazy)\n Nombre del hardware: [...]\n RIP: 0010:ice_alloc_rx_bufs+0x1cd/0x310 [ice]\n C\u00f3digo: 83 6c 24 30 01 66 41 89 47 08 0f 84 c0 00 00 00 41 0f b7 dc 48 8b 44 24 18 48 c1 e3 04 41 bb 00 10 00 00 48 8d 2c 18 8b 04 24 &lt;89&gt; 45 0c 41 8b 4d 00 49 d3 e3 44 3b 5c 24 24 0f 83 ac fe ff ff 44\n RSP: 0018:ff7894738aa1f768 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000700 RDI: 0000000000000000\n RBP: 0000000000000000 R08: ff16dcae79880200 R09: 0000000000000019\n R10: 0000000000000001 R11: 0000000000001000 R12: 0000000000000000\n R13: 0000000000000000 R14: 0000000000000000 R15: ff16dcae6c670000\n FS: 00007fcf428850c0(0000) GS:ff16dcb149710000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000000000000c CR3: 0000000121227005 CR4: 0000000000773ef0\n PKRU: 55555554\n Traza de Llamada:\n \n ice_vsi_cfg_rxq+0xca/0x460 [ice]\n ice_vsi_cfg_rxqs+0x54/0x70 [ice]\n ice_loopback_test+0xa9/0x520 [ice]\n ice_self_test+0x1b9/0x280 [ice]\n ethtool_self_test+0xe5/0x200\n __dev_ethtool+0x1106/0x1a90\n dev_ethtool+0xbe/0x1a0\n dev_ioctl+0x258/0x4c0\n sock_do_ioctl+0xe3/0x130\n __x64_sys_ioctl+0xb9/0x100\n do_syscall_64+0x7c/0x700\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [...]\n\nFalla porque no hemos inicializado 'libeth' para el anillo rx.\n\nSe soluciona tratando las VSIs ICE_VSI_LB un poco m\u00e1s como VSIs PF normales y permiti\u00e9ndoles tener un 'q_vector'. Es solo un 'dummy', porque la prueba de bucle invertido no usa interrupciones, pero contiene una estructura 'napi' que puede pasarse a 'libeth_rx_fq_create()' llamada desde 'ice_vsi_cfg_rxq()' -&gt; 'ice_rxq_pp_create()'."}], "lastModified": "2026-04-24T17:45:52.567", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8ACF56ED-6FE0-41DE-BECE-41134CC7BD44", "versionEndExcluding": "6.19.7", "versionStartIncluding": "6.19.1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "35C8A871-4971-433E-A046-FC9F7B7D190A"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}