CVE-2026-23210

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-23210
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23210.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-23210
Downstream
Published
2026-02-14T16:27:31.892Z
Modified
2026-02-14T20:07:25.362489Z
Summary
ice: Fix PTP NULL pointer dereference during VSI rebuild
Details

In the Linux kernel, the following vulnerability has been resolved:

ice: Fix PTP NULL pointer dereference during VSI rebuild

Fix race condition where PTP periodic work runs while VSI is being rebuilt, accessing NULL vsi->rx_rings.

The sequence was: 1. iceptpprepareforreset() cancels PTP work 2. iceptprebuild() immediately queues PTP work 3. VSI rebuild happens AFTER iceptprebuild() 4. PTP work runs and accesses NULL vsi->rx_rings

Fix: Keep PTP work cancelled during rebuild, only queue it after VSI rebuild completes in ice_rebuild().

Added iceptpqueuework() helper function to encapsulate the logic for queuing PTP work, ensuring it's only queued when PTP is supported and the state is ICEPTP_READY.

Error log: [ 121.392544] ice 0000:60:00.1: PTP reset successful [ 121.392692] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 121.392712] #PF: supervisor read access in kernel mode [ 121.392720] #PF: errorcode(0x0000) - not-present page [ 121.392727] PGD 0 [ 121.392734] Oops: Oops: 0000 [#1] SMP NOPTI [ 121.392746] CPU: 8 UID: 0 PID: 1005 Comm: ice-ptp-0000:60 Tainted: G S 6.19.0-rc6+ #4 PREEMPT(voluntary) [ 121.392761] Tainted: [S]=CPUOUTOFSPEC [ 121.392773] RIP: 0010:iceptpupdatecachedphctime+0xbf/0x150 [ice] [ 121.393042] Call Trace: [ 121.393047] <TASK> [ 121.393055] iceptpperiodicwork+0x69/0x180 [ice] [ 121.393202] kthreadworker_fn+0xa2/0x260 [ 121.393216] ? __pfxiceptpperiodicwork+0x10/0x10 [ice] [ 121.393359] ? __pfxkthreadworker_fn+0x10/0x10 [ 121.393371] kthread+0x10d/0x230 [ 121.393382] ? __pfxkthread+0x10/0x10 [ 121.393393] retfrom_fork+0x273/0x2b0 [ 121.393407] ? __pfxkthread+0x10/0x10 [ 121.393417] retfromforkasm+0x1a/0x30 [ 121.393432] </TASK>

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23210.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
803bef817807d2d36c930dada20c96fffae0dd19
Fixed
7565d4df66b6619b50dc36618d8b8f1787d77e19
Fixed
fc6f36eaaedcf4b81af6fe1a568f018ffd530660

Affected versions

v6.*
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.16
v6.16-rc1
v6.16-rc2
v6.16-rc3
v6.16-rc4
v6.16-rc5
v6.16-rc6
v6.16-rc7
v6.17
v6.17-rc1
v6.17-rc2
v6.17-rc3
v6.17-rc4
v6.17-rc5
v6.17-rc6
v6.17-rc7
v6.18
v6.18-rc1
v6.18-rc2
v6.18-rc3
v6.18-rc4
v6.18-rc5
v6.18-rc6
v6.18-rc7
v6.18.1
v6.18.2
v6.18.3
v6.18.4
v6.18.5
v6.18.6
v6.18.7
v6.18.8
v6.18.9
v6.19-rc1
v6.19-rc2
v6.19-rc3
v6.19-rc4
v6.19-rc5
v6.19-rc6
v6.19-rc7
v6.8
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23210.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.9.0
Fixed
6.18.10

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23210.json"