CVE-2026-22985

EUVD-2026-4285

23.01.2026, 16:15

In the Linux kernel, the following vulnerability has been resolved:

idpf: Fix RSS LUT NULL pointer crash on early ethtool operations

The RSS LUT is not initialized until the interface comes up, causing
the following NULL pointer crash when ethtool operations like rxhash on/off
are performed before the interface is brought up for the first time.

Move RSS LUT initialization from ndo_open to vport creation to ensure LUT
is always available. This enables RSS configuration via ethtool before
bringing the interface up. Simplify LUT management by maintaining all
changes in the driver's soft copy and programming zeros to the indirection
table when rxhash is disabled. Defer HW programming until the interface
comes up if it is down during rxhash and LUT configuration changes.

Steps to reproduce:
** Load idpf driver; interfaces will be created
	modprobe idpf
** Before bringing the interfaces up, turn rxhash off
	ethtool -K eth2 rxhash off

[89408.371875] BUG: kernel NULL pointer dereference, address: 0000000000000000
[89408.371908] #PF: supervisor read access in kernel mode
[89408.371924] #PF: error_code(0x0000) - not-present page
[89408.371940] PGD 0 P4D 0
[89408.371953] Oops: Oops: 0000 [#1] SMP NOPTI
<snip>
[89408.372052] RIP: 0010:memcpy_orig+0x16/0x130
[89408.372310] Call Trace:
[89408.372317]  <TASK>
[89408.372326]  ? idpf_set_features+0xfc/0x180 [idpf]
[89408.372363]  __netdev_update_features+0x295/0xde0
[89408.372384]  ethnl_set_features+0x15e/0x460
[89408.372406]  genl_family_rcv_msg_doit+0x11f/0x180
[89408.372429]  genl_rcv_msg+0x1ad/0x2b0
[89408.372446]  ? __pfx_ethnl_set_features+0x10/0x10
[89408.372465]  ? __pfx_genl_rcv_msg+0x10/0x10
[89408.372482]  netlink_rcv_skb+0x58/0x100
[89408.372502]  genl_rcv+0x2c/0x50
[89408.372516]  netlink_unicast+0x289/0x3e0
[89408.372533]  netlink_sendmsg+0x215/0x440
[89408.372551]  __sys_sendto+0x234/0x240
[89408.372571]  __x64_sys_sendto+0x28/0x30
[89408.372585]  x64_sys_call+0x1909/0x1da0
[89408.372604]  do_syscall_64+0x7a/0xfa0
[89408.373140]  ? clear_bhb_loop+0x60/0xb0
[89408.373647]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[89408.378887]  </TASK>
<snip>

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 4%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	6.7 ≤ 𝑥 < 6.18.6
linux	linux_kernel	6.19:rc1
linux	linux_kernel	6.19:rc2
linux	linux_kernel	6.19:rc3
linux	linux_kernel	6.19:rc4

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.170-3 fixed
bookworm (security)	6.1.172-1 fixed
bullseye	5.10.223-1 fixed
bullseye (security)	5.10.251-5 fixed
forky	7.0.7-1 fixed
sid	7.0.7-1 fixed
trixie	6.12.86-1 fixed
trixie (security)	6.12.88-1 fixed

openSUSE / SLES Releases

openSUSE Product

Release

kernel-64kb

suse enterprise desktop 15 SP7	6.4.0-150700.53.31.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.31.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.31.1 fixed

kernel-azure

suse enterprise sap 15 SP7	6.4.0-150700.20.27.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.20.27.1 fixed

kernel-default

suse enterprise desktop 15 SP7	6.4.0-150700.53.31.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.31.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.31.1 fixed

kernel-default-base

suse enterprise desktop 15 SP7	6.4.0-150700.53.31.1.150700.17.21.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.31.1.150700.17.21.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.31.1.150700.17.21.1 fixed

kernel-docs

suse enterprise desktop 15 SP7	6.4.0-150700.53.31.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.31.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.31.1 fixed

kernel-macros

suse enterprise desktop 15 SP7	6.4.0-150700.53.31.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.31.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.31.1 fixed

kernel-obs-build

suse enterprise desktop 15 SP7	6.4.0-150700.53.31.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.31.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.31.1 fixed

kernel-source

suse enterprise desktop 15 SP7	6.4.0-150700.53.31.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.31.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.31.1 fixed

kernel-source-azure

suse enterprise sap 15 SP7	6.4.0-150700.20.27.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.20.27.1 fixed

kernel-syms

suse enterprise desktop 15 SP7	6.4.0-150700.53.31.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.31.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.31.1 fixed

kernel-syms-azure

suse enterprise sap 15 SP7	6.4.0-150700.20.27.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.20.27.1 fixed

kernel-zfcpdump

suse enterprise desktop 15 SP7	6.4.0-150700.53.31.1 fixed
suse enterprise sap 15 SP7	6.4.0-150700.53.31.1 fixed
suse enterprise server 15 SP7	6.4.0-150700.53.31.1 fixed

Common Weakness Enumeration

CWE-476 - NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

References

https://git.kernel.org/stable/c/83f38f210b85676f40ba8586b5a8edae19b56995

https://git.kernel.org/stable/c/b29a5a7dd1f4293ee49c469938c25bf85a5aa802

https://git.kernel.org/stable/c/df2790b5228fbd3ed415b70a231cffdad0431618