In the Linux kernel, the following vulnerability has been resolved:
ice: fix NULL pointer dereference in iceresetall_vfs()
iceresetallvfs() ignores the return value of icevfrebuildvsi(). When the VSI rebuild fails (e.g. during NVM firmware update via nvmupdate64e), icevsirebuild() tears down the VSI on its error path, leaving txqmap and rxqmap as NULL. The subsequent unconditional call to icevfpostvsirebuild() leads to a NULL pointer dereference in iceenavfqmappings() when it accesses vsi->txq_map[0].
The single-VF reset path in iceresetvf() already handles this correctly by checking the return value of icevfreconfigvsi() and skipping icevfpostvsi_rebuild() on failure.
Apply the same pattern to iceresetallvfs(): check the return value of icevfrebuildvsi() and skip icevfpostvsirebuild() and iceeswitchattachvf() on failure. The VF is left safely disabled (ICEVFSTATEINIT not set, VFGEN_RSTAT not set to VFACTIVE) and can be recovered via a VFLR triggered by a PCI reset of the VF (sysfs reset or driver rebind).
Note that this patch does not prevent the VF VSI rebuild from failing during NVM update — the underlying cause is firmware being in a transitional state while the EMP reset is processed, which can cause Admin Queue commands (iceaddvsi, icecfgvsi_lan) to fail. This patch only prevents the subsequent NULL pointer dereference that crashes the kernel when the rebuild does fail.
crash> bt PID: 50795 TASK: ff34c9ee708dc680 CPU: 1 COMMAND: "kworker/u512:5" #0 [ff72159bcfe5bb50] machine_kexec at ffffffffaa8850ee #1 [ff72159bcfe5bba8] _crashkexec at ffffffffaaa15fba #2 [ff72159bcfe5bc68] crashkexec at ffffffffaaa16540 #3 [ff72159bcfe5bc70] oopsend at ffffffffaa837eda #4 [ff72159bcfe5bc90] pagefaultoops at ffffffffaa893997 #5 [ff72159bcfe5bce8] excpagefault at ffffffffab528595 #6 [ff72159bcfe5bd10] asmexcpagefault at ffffffffab600bb2 [exception RIP: iceenavfqmappings+0x79] RIP: ffffffffc0a85b29 RSP: ff72159bcfe5bdc8 RFLAGS: 00010206 RAX: 00000000000f0000 RBX: ff34c9efc9c00000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000010 RDI: ff34c9efc9c00000 RBP: ff34c9efc27d4828 R8: 0000000000000093 R9: 0000000000000040 R10: ff34c9efc27d4828 R11: 0000000000000040 R12: 0000000000100000 R13: 0000000000000010 R14: R15: ORIGRAX: ffffffffffffffff CS: 0010 SS: 0018 #7 [ff72159bcfe5bdf8] icesriovpostvsirebuild at ffffffffc0a85e2e [ice] #8 [ff72159bcfe5be08] iceresetallvfs at ffffffffc0a920b4 [ice] #9 [ff72159bcfe5be48] iceservicetask at ffffffffc0a31519 [ice] #10 [ff72159bcfe5be88] processonework at ffffffffaa93dca4 #11 [ff72159bcfe5bec8] workerthread at ffffffffaa93e9de #12 [ff72159bcfe5bf18] kthread at ffffffffaa946663 #13 [ff72159bcfe5bf50] retfromfork at ffffffffaa8086b9
The panic occurs attempting to dereference the NULL pointer in RDX at icesriov.c:294, which loads vsi->txqmap (offset 0x4b8 in ice_vsi).
The faulting VSI is an allocated slab object but not fully initialized after a failed icevsirebuild():
crash> struct icevsi 0xff34c9efc27d4828 netdev = 0x0, rxrings = 0x0, txrings = 0x0, qvectors = 0x0, txqmap = 0x0, rxqmap = 0x0, alloctxq = 0x10, numtxq = 0x10, allocrxq = 0x10, numrxq = 0x10,
The nvmupdate64e process was performing NVM firmware update:
crash> bt 0xff34c9edd1a30000 PID: 49858 TASK: ff34c9edd1a30000 CPU: 1 COMMAND: "nvmupdate64e" #0 [ff72159bcd617618] _schedule at ffffffffab5333f8 #4 [ff72159bcd617750] icesqsendcmd at ffffffffc0a35347 [ice] #5 [ff72159bcd6177a8] icesqsendcmdretry at ffffffffc0a35b47 [ice] #6 [ff72159bcd617810] iceaqsendcmd at ffffffffc0a38018 [ice] #7 [ff72159bcd617848] iceaqreadnvm at ffffffffc0a40254 [ice] #8 ---truncated---
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53289.json",
"cna_assigner": "Linux"
}