CVE-2026-23000

// CVE-2026-23000 PoC - Trigger NULL pointer dereference via failed profile rollback // This PoC demonstrates the conditions required to trigger the vulnerability #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <sys/socket.h> #include <netlink/netlink.h> #include <netlink/genl/genl.h> #include <netlink/genl/family.h> #include <netlink/genl/ctrl.h> #define DEVLINK_FAMILY_NAME "devlink" // Simulate the conditions that lead to NULL priv void simulate_failed_profile_change() { // Step 1: Initial switchdev mode change attempt printf("[+] Attempting first switchdev mode change...\n"); // This would fail due to mlx5e_priv_init failure (e.g., -EINTR creating rescuer kthread) // The profile change fails and rollback also fails printf("[!] First attempt failed, rollback failed, priv is now NULL\n"); // Step 2: Retry the switchdev mode change printf("[+] Retrying switchdev mode change (this triggers NULL dereference)...\n"); /* * In actual exploitation: * - mlx5e_netdev_change_profile() is called again * - mlx5e_detach_netdev() tries to access priv->mdev * - priv is NULL, causing: BUG: kernel NULL pointer dereference at address 0x38 * - System crashes with Oops: 0000 [#1] SMP */ printf("[!] Kernel NULL pointer dereference triggered\n"); } int main() { printf("CVE-2026-23000 PoC - Linux kernel mlx5e NULL pointer dereference\n"); printf("Target: Linux kernel < patched versions\n"); printf("CVSS: 5.5 (Medium)\n\n"); // Check if running with appropriate privileges if (geteuid() != 0) { printf("[!] Warning: This PoC requires root privileges to interact with devlink\n"); } printf("[*] Prerequisites:\n"); printf(" - Mellanox mlx5 network device\n"); printf(" - mlx5_core driver loaded\n"); printf(" - Network device in switchdev mode capable state\n\n"); printf("[*] Attack scenario:\n"); printf(" 1. Trigger first switchdev mode change (will fail)\n"); printf(" 2. First attempt fails to init profile and rollback\n"); printf(" 3. Retry switchdev mode change -> NULL pointer dereference\n\n"); // In real scenario, this would use devlink netlink interface: // ip link set devlink eswitch mode switchdev // The vulnerability is triggered when this operation fails and retries printf("[+] Use 'ip link set <dev> eswitch mode switchdev' to trigger\n"); printf("[+] Check system logs for kernel oops\n"); return 0; }

{"cve": {"id": "CVE-2026-23000", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-01-25T15:15:54.853", "lastModified": "2026-02-24T21:01:41.390", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix crash on profile change rollback failure\n\nmlx5e_netdev_change_profile can fail to attach a new profile and can\nfail to rollback to old profile, in such case, we could end up with a\ndangling netdev with a fully reset netdev_priv. A retry to change\nprofile, e.g. another attempt to call mlx5e_netdev_change_profile via\nswitchdev mode change, will crash trying to access the now NULL\npriv->mdev.\n\nThis fix allows mlx5e_netdev_change_profile() to handle previous\nfailures and an empty priv, by not assuming priv is valid.\n\nPass netdev and mdev to all flows requiring\nmlx5e_netdev_change_profile() and avoid passing priv.\nIn mlx5e_netdev_change_profile() check if current priv is valid, and if\nnot, just attach the new profile without trying to access the old one.\n\nThis fixes the following oops, when enabling switchdev mode for the 2nd\ntime after first time failure:\n\n ## Enabling switchdev mode first time:\n\nmlx5_core 0012:03:00.1: E-Switch: Supported tc chains and prios offload\nworkqueue: Failed to create a rescuer kthread for wq \"mlx5e\": -EINTR\nmlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12\nmlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12\nworkqueue: Failed to create a rescuer kthread for wq \"mlx5e\": -EINTR\nmlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12\nmlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12\n ^^^^^^^^\nmlx5_core 0000:00:03.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0)\n\n ## retry: Enabling switchdev mode 2nd time:\n\nmlx5_core 0000:00:03.0: E-Switch: Supported tc chains and prios offload\nBUG: kernel NULL pointer dereference, address: 0000000000000038\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\nPGD 0 P4D 0\nOops: Oops: 0000 [#1] SMP NOPTI\nCPU: 13 UID: 0 PID: 520 Comm: devlink Not tainted 6.18.0-rc4+ #91 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014\nRIP: 0010:mlx5e_detach_netdev+0x3c/0x90\nCode: 50 00 00 f0 80 4f 78 02 48 8b bf e8 07 00 00 48 85 ff 74 16 48 8b 73 78 48 d1 ee 83 e6 01 83 f6 01 40 0f b6 f6 e8 c4 42 00 00 <48> 8b 45 38 48 85 c0 74 08 48 89 df e8 cc 47 40 1e 48 8b bb f0 07\nRSP: 0018:ffffc90000673890 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff8881036a89c0 RCX: 0000000000000000\nRDX: ffff888113f63800 RSI: ffffffff822fe720 RDI: 0000000000000000\nRBP: 0000000000000000 R08: 0000000000002dcd R09: 0000000000000000\nR10: ffffc900006738e8 R11: 00000000ffffffff R12: 0000000000000000\nR13: 0000000000000000 R14: ffff8881036a89c0 R15: 0000000000000000\nFS: 00007fdfb8384740(0000) GS:ffff88856a9d6000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000038 CR3: 0000000112ae0005 CR4: 0000000000370ef0\nCall Trace:\n <TASK>\n mlx5e_netdev_change_profile+0x45/0xb0\n mlx5e_vport_rep_load+0x27b/0x2d0\n mlx5_esw_offloads_rep_load+0x72/0xf0\n esw_offloads_enable+0x5d0/0x970\n mlx5_eswitch_enable_locked+0x349/0x430\n ? is_mp_supported+0x57/0xb0\n mlx5_devlink_eswitch_mode_set+0x26b/0x430\n devlink_nl_eswitch_set_doit+0x6f/0xf0\n genl_family_rcv_msg_doit+0xe8/0x140\n genl_rcv_msg+0x18b/0x290\n ? __pfx_devlink_nl_pre_doit+0x10/0x10\n ? __pfx_devlink_nl_eswitch_set_doit+0x10/0x10\n ? __pfx_devlink_nl_post_doit+0x10/0x10\n ? __pfx_genl_rcv_msg+0x10/0x10\n netlink_rcv_skb+0x52/0x100\n genl_rcv+0x28/0x40\n netlink_unicast+0x282/0x3e0\n ? __alloc_skb+0xd6/0x190\n netlink_sendmsg+0x1f7/0x430\n __sys_sendto+0x213/0x220\n ? __sys_recvmsg+0x6a/0xd0\n __x64_sys_sendto+0x24/0x30\n do_syscall_64+0x50/0x1f0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7fdfb8495047"}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta: net/mlx5e: Soluciona el fallo en el fallo de reversión del cambio de perfil mlx5e_netdev_change_profile puede fallar al adjuntar un nuevo perfil y puede fallar al revertir al perfil antiguo; en tal caso, podríamos terminar con un netdev colgante con un netdev_priv completamente reiniciado. Un reintento de cambiar el perfil, p. ej., otro intento de llamar a mlx5e_netdev_change_profile a través del cambio de modo switchdev, fallará al intentar acceder al ahora NULL priv-&gt;mdev. Esta solución permite a mlx5e_netdev_change_profile() manejar fallos anteriores y un priv vacío, al no asumir que priv es válido. Pase netdev y mdev a todos los flujos qu ... (truncated)