In the Linux kernel, the following vulnerability has been resolved:
fbnic: close fw_log race between users and teardown
Fixes a theoretical race on fwlog between the teardown path and fwlog write functions.
fwlog is written inside fbnicfwlogwrite() and can be reached from the mailbox handler fbnicfwmsixintr(), but fwlog is freed before IRQ/MBX teardown during cleanup, resulting in a potential data race of dereferencing a freed/null variable.
Possible Interleaving Scenario: CPU0: fbnicfwmsixintr() // Entry fbnicfwlogwrite() if (fbnicfwlogready()) // true ... preempt ... CPU1: fbnicremove() // Entry fbnicfwlogfree() vfree(log->datastart); log->datastart = NULL; CPU0: continues, walks log->entries or writes to log->datastart
The initialization also has an incorrect order problem, as the fw_log is currently allocated after MBX setup during initialization. Fix the problems by adjusting the synchronization order to put initialization in place before the mailbox is enabled, and not cleared until after the mailbox has been disabled.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45977.json",
"cna_assigner": "Linux"
}