CVE-2026-43260

Description

In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix RSS context delete logic We need to free the corresponding RSS context VNIC in FW everytime an RSS context is deleted in driver. Commit 667ac333dbb7 added a check to delete the VNIC in FW only when netif_running() is true to help delete RSS contexts with interface down. Having that condition will make the driver leak VNICs in FW whenever close() happens with active RSS contexts. On the subsequent open(), as part of RSS context restoration, we will end up trying to create extra VNICs for which we did not make any reservation. FW can fail this request, thereby making us lose active RSS contexts. Suppose an RSS context is deleted already and we try to process a delete request again, then the HWRM functions will check for validity of the request and they simply return if the resource is already freed. So, even for delete-when-down cases, netif_running() check is not necessary. Remove the netif_running() condition check when deleting an RSS context.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* - VULNERABLE

Linux Kernel (bnxt_en driver versions prior to commits fixing RSS context delete logic)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// Conceptual PoC for CVE-2026-43260
// This requires a system with a bnxt_en network interface.

#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/if.h>

// Pseudo-code representation of the trigger logic
void trigger_vulnerability() {
    // Step 1: Bring the interface UP
    system("ip link set eth0 up");

    // Step 2: Create RSS contexts (Simulated via ethtool or driver ioctl)
    // This allocates VNICs in Firmware
    system("ethtool -X eth0 hkey <some_hash_key>");

    // Step 3: Bring the interface DOWN
    // This triggers the path where if RSS contexts are deleted, 
    // the netif_running() check prevents FW cleanup if deletion happens now.
    // However, the driver might hold contexts.
    system("ip link set eth0 down");

    // Step 4: Delete RSS contexts while interface is DOWN
    // Due to the bug, the FW VNICs associated with these contexts might leak
    // or subsequent restoration will fail.
    system("ethtool -X eth0 delete <context_id>");

    // Step 5: Bring the interface UP again
    // The driver attempts to restore RSS contexts.
    // It tries to create VNICs without reservation, potentially failing.
    system("ip link set eth0 up");

    printf("Vulnerability trigger sequence executed.\n");
    printf("Check dmesg for firmware failures or RSS context loss.\n");
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-43260
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-43260
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-43260/
[4] VulDB https://vuldb.com/cve/CVE-2026-43260
[5] https://git.kernel.org/stable/c/079986d6db1f8e3d50c55f400cf998ac9690d2c8
[6] https://git.kernel.org/stable/c/348a5f8d06c7bdf954e13c17ad5f80b59a075604
[7] https://git.kernel.org/stable/c/9a9b89eea4a9cc7726702946ff688d716962fabd
[8] https://git.kernel.org/stable/c/e123d9302d223767bd910bfbcfe607bae909f8ac

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-43260", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-06T12:16:46.883", "lastModified": "2026-05-08T20:31:55.037", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix RSS context delete logic\n\nWe need to free the corresponding RSS context VNIC\nin FW everytime an RSS context is deleted in driver.\nCommit 667ac333dbb7 added a check to delete the VNIC\nin FW only when netif_running() is true to help delete\nRSS contexts with interface down.\n\nHaving that condition will make the driver leak VNICs\nin FW whenever close() happens with active RSS contexts.\nOn the subsequent open(), as part of RSS context restoration,\nwe will end up trying to create extra VNICs for which we\ndid not make any reservation. FW can fail this request,\nthereby making us lose active RSS contexts.\n\nSuppose an RSS context is deleted already and we try to\nprocess a delete request again, then the HWRM functions\nwill check for validity of the request and they simply\nreturn if the resource is already freed. So, even for\ndelete-when-down cases, netif_running() check is not\nnecessary.\n\nRemove the netif_running() condition check when deleting\nan RSS context."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-415"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11", "versionEndExcluding": "6.12.75", "matchCriteriaId": "A05DCA5C-0E7E-47B5-899A-41DDF296199E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.16", "matchCriteriaId": "B4B8CDA9-BADF-4CF5-8B3B-702DE8EEA40B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.6", "matchCriteriaId": "373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/079986d6db1f8e3d50c55f400cf998ac9690d2c8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/348a5f8d06c7bdf954e13c17ad5f80b59a075604", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/9a9b89eea4a9cc7726702946ff688d716962fabd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e123d9302d223767bd910bfbcfe607bae909f8ac", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}