CVE-2026-23438

EUVD-2026-18679

03.04.2026, 16:16

In the Linux kernel, the following vulnerability has been resolved:

net: mvpp2: guard flow control update with global_tx_fc in buffer switching

mvpp2_bm_switch_buffers() unconditionally calls
mvpp2_bm_pool_update_priv_fc() when switching between per-cpu and
shared buffer pool modes. This function programs CM3 flow control
registers via mvpp2_cm3_read()/mvpp2_cm3_write(), which dereference
priv->cm3_base without any NULL check.

When the CM3 SRAM resource is not present in the device tree (the
third reg entry added by commit 60523583b07c ("dts: marvell: add CM3
SRAM memory to cp11x ethernet device tree")), priv->cm3_base remains
NULL and priv->global_tx_fc is false. Any operation that triggers
mvpp2_bm_switch_buffers(), for example an MTU change that crosses
the jumbo frame threshold, will crash:

  Unable to handle kernel NULL pointer dereference at
  virtual address 0000000000000000
  Mem abort info:
    ESR = 0x0000000096000006
    EC = 0x25: DABT (current EL), IL = 32 bits
  pc : readl+0x0/0x18
  lr : mvpp2_cm3_read.isra.0+0x14/0x20
  Call trace:
   readl+0x0/0x18
   mvpp2_bm_pool_update_fc+0x40/0x12c
   mvpp2_bm_pool_update_priv_fc+0x94/0xd8
   mvpp2_bm_switch_buffers.isra.0+0x80/0x1c0
   mvpp2_change_mtu+0x140/0x380
   __dev_set_mtu+0x1c/0x38
   dev_set_mtu_ext+0x78/0x118
   dev_set_mtu+0x48/0xa8
   dev_ifsioc+0x21c/0x43c
   dev_ioctl+0x2d8/0x42c
   sock_ioctl+0x314/0x378

Every other flow control call site in the driver already guards
hardware access with either priv->global_tx_fc or port->tx_fc.
mvpp2_bm_switch_buffers() is the only place that omits this check.

Add the missing priv->global_tx_fc guard to both the disable and
re-enable calls in mvpp2_bm_switch_buffers(), consistent with the
rest of the driver.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 3%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	5.12.1 ≤ 𝑥 < 5.15.203
linux	linux_kernel	5.16 ≤ 𝑥 < 6.1.167
linux	linux_kernel	6.2 ≤ 𝑥 < 6.6.130
linux	linux_kernel	6.7 ≤ 𝑥 < 6.12.78
linux	linux_kernel	6.13 ≤ 𝑥 < 6.18.20
linux	linux_kernel	6.19 ≤ 𝑥 < 6.19.10
linux	linux_kernel	5.12
linux	linux_kernel	7.0:rc1
linux	linux_kernel	7.0:rc2
linux	linux_kernel	7.0:rc3
linux	linux_kernel	7.0:rc4
linux	linux_kernel	7.0:rc5
linux	linux_kernel	7.0:rc6
linux	linux_kernel	7.0:rc7

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.170-3 fixed
bookworm (security)	6.1.172-1 fixed
bullseye	5.10.223-1 fixed
bullseye (security)	5.10.251-5 fixed
forky	7.0.7-1 fixed
sid	7.0.7-1 fixed
trixie	6.12.86-1 fixed
trixie (security)	6.12.88-1 fixed

linux-6.1

bullseye (security)

6.1.172-1~deb11u1

fixed

Common Weakness Enumeration

CWE-476 - NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

References

https://git.kernel.org/stable/c/0cfcd31f98fc608dc9406bff3fee3a9dd364d014

https://git.kernel.org/stable/c/7bd20f4b3ef3044dc55acd5b8ef748a70d29d03f

https://git.kernel.org/stable/c/7df2b50cae1a76cbb90b294f3edb61e3e10bf2e9

https://git.kernel.org/stable/c/8a63baadf08453f66eb582fdb6dd234f72024723

https://git.kernel.org/stable/c/8baced53a35fc9710f80d6ca016a2c418dc3231f

https://git.kernel.org/stable/c/da089f74a993f846685067b14158cb41b879ff29

https://git.kernel.org/stable/c/ff0c54f088f7ab91dbbf47cf8244460f99122750