CVE-2026-23353

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-23353
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23353.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-23353
Downstream
Published
2026-03-25T10:27:38.167Z
Modified
2026-04-02T13:12:22.905983Z
Summary
ice: fix crash in ethtool offline loopback test
Details

In the Linux kernel, the following vulnerability has been resolved:

ice: fix crash in ethtool offline loopback test

Since the conversion of ice to page pool, the ethtool loopback test crashes:

BUG: kernel NULL pointer dereference, address: 000000000000000c #PF: supervisor write access in kernel mode #PF: errorcode(0x0002) - not-present page PGD 1100f1067 P4D 0 Oops: Oops: 0002 [#1] SMP NOPTI CPU: 23 UID: 0 PID: 5904 Comm: ethtool Kdump: loaded Not tainted 6.19.0-0.rc7.260128g1f97d9dcf5364.49.eln154.x8664 #1 PREEMPT(lazy) Hardware name: [...] RIP: 0010:iceallocrxbufs+0x1cd/0x310 [ice] Code: 83 6c 24 30 01 66 41 89 47 08 0f 84 c0 00 00 00 41 0f b7 dc 48 8b 44 24 18 48 c1 e3 04 41 bb 00 10 00 00 48 8d 2c 18 8b 04 24 <89> 45 0c 41 8b 4d 00 49 d3 e3 44 3b 5c 24 24 0f 83 ac fe ff ff 44 RSP: 0018:ff7894738aa1f768 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000700 RDI: 0000000000000000 RBP: 0000000000000000 R08: ff16dcae79880200 R09: 0000000000000019 R10: 0000000000000001 R11: 0000000000001000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: ff16dcae6c670000 FS: 00007fcf428850c0(0000) GS:ff16dcb149710000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000000c CR3: 0000000121227005 CR4: 0000000000773ef0 PKRU: 55555554 Call Trace: <TASK> icevsicfgrxq+0xca/0x460 [ice] icevsicfgrxqs+0x54/0x70 [ice] iceloopbacktest+0xa9/0x520 [ice] iceselftest+0x1b9/0x280 [ice] ethtoolself_test+0xe5/0x200 __devethtool+0x1106/0x1a90 devethtool+0xbe/0x1a0 devioctl+0x258/0x4c0 sockdo_ioctl+0xe3/0x130 __x64sysioctl+0xb9/0x100 dosyscall64+0x7c/0x700 entrySYSCALL64afterhwframe+0x76/0x7e [...]

It crashes because we have not initialized libeth for the rx ring.

Fix it by treating ICEVSILB VSIs slightly more like normal PF VSIs and letting them have a qvector. It's just a dummy, because the loopback test does not use interrupts, but it contains a napi struct that can be passed to libethrxfqcreate() called from icevsicfgrxq() -> icerxqppcreate().

Database specific 
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23353.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
93f53db9f9dc4a16b40ecd18e6d338ad57e4b670
Fixed
85c98b81849e4724ae99005a6cccd33cab9cfd18
Fixed
a9c354e656597aededa027d63d2ff0973f6b033f

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23353.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.7

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23353.json"