CVE-2026-53289

Source
https://cve.org/CVERecord?id=CVE-2026-53289
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53289.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53289
Downstream
Published
2026-06-26T19:40:49.418Z
Modified
2026-07-15T01:48:58.270845811Z
Summary
ice: fix NULL pointer dereference in ice_reset_all_vfs()
Details

In the Linux kernel, the following vulnerability has been resolved:

ice: fix NULL pointer dereference in iceresetall_vfs()

iceresetallvfs() ignores the return value of icevfrebuildvsi(). When the VSI rebuild fails (e.g. during NVM firmware update via nvmupdate64e), icevsirebuild() tears down the VSI on its error path, leaving txqmap and rxqmap as NULL. The subsequent unconditional call to icevfpostvsirebuild() leads to a NULL pointer dereference in iceenavfqmappings() when it accesses vsi->txq_map[0].

The single-VF reset path in iceresetvf() already handles this correctly by checking the return value of icevfreconfigvsi() and skipping icevfpostvsi_rebuild() on failure.

Apply the same pattern to iceresetallvfs(): check the return value of icevfrebuildvsi() and skip icevfpostvsirebuild() and iceeswitchattachvf() on failure. The VF is left safely disabled (ICEVFSTATEINIT not set, VFGEN_RSTAT not set to VFACTIVE) and can be recovered via a VFLR triggered by a PCI reset of the VF (sysfs reset or driver rebind).

Note that this patch does not prevent the VF VSI rebuild from failing during NVM update — the underlying cause is firmware being in a transitional state while the EMP reset is processed, which can cause Admin Queue commands (iceaddvsi, icecfgvsi_lan) to fail. This patch only prevents the subsequent NULL pointer dereference that crashes the kernel when the rebuild does fail.

crash> bt PID: 50795 TASK: ff34c9ee708dc680 CPU: 1 COMMAND: "kworker/u512:5" #0 [ff72159bcfe5bb50] machine_kexec at ffffffffaa8850ee #1 [ff72159bcfe5bba8] _crashkexec at ffffffffaaa15fba #2 [ff72159bcfe5bc68] crashkexec at ffffffffaaa16540 #3 [ff72159bcfe5bc70] oopsend at ffffffffaa837eda #4 [ff72159bcfe5bc90] pagefaultoops at ffffffffaa893997 #5 [ff72159bcfe5bce8] excpagefault at ffffffffab528595 #6 [ff72159bcfe5bd10] asmexcpagefault at ffffffffab600bb2 [exception RIP: iceenavfqmappings+0x79] RIP: ffffffffc0a85b29 RSP: ff72159bcfe5bdc8 RFLAGS: 00010206 RAX: 00000000000f0000 RBX: ff34c9efc9c00000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000010 RDI: ff34c9efc9c00000 RBP: ff34c9efc27d4828 R8: 0000000000000093 R9: 0000000000000040 R10: ff34c9efc27d4828 R11: 0000000000000040 R12: 0000000000100000 R13: 0000000000000010 R14: R15: ORIGRAX: ffffffffffffffff CS: 0010 SS: 0018 #7 [ff72159bcfe5bdf8] icesriovpostvsirebuild at ffffffffc0a85e2e [ice] #8 [ff72159bcfe5be08] iceresetallvfs at ffffffffc0a920b4 [ice] #9 [ff72159bcfe5be48] iceservicetask at ffffffffc0a31519 [ice] #10 [ff72159bcfe5be88] processonework at ffffffffaa93dca4 #11 [ff72159bcfe5bec8] workerthread at ffffffffaa93e9de #12 [ff72159bcfe5bf18] kthread at ffffffffaa946663 #13 [ff72159bcfe5bf50] retfromfork at ffffffffaa8086b9

The panic occurs attempting to dereference the NULL pointer in RDX at icesriov.c:294, which loads vsi->txqmap (offset 0x4b8 in ice_vsi).

The faulting VSI is an allocated slab object but not fully initialized after a failed icevsirebuild():

crash> struct icevsi 0xff34c9efc27d4828 netdev = 0x0, rxrings = 0x0, txrings = 0x0, qvectors = 0x0, txqmap = 0x0, rxqmap = 0x0, alloctxq = 0x10, numtxq = 0x10, allocrxq = 0x10, numrxq = 0x10,

The nvmupdate64e process was performing NVM firmware update:

crash> bt 0xff34c9edd1a30000 PID: 49858 TASK: ff34c9edd1a30000 CPU: 1 COMMAND: "nvmupdate64e" #0 [ff72159bcd617618] _schedule at ffffffffab5333f8 #4 [ff72159bcd617750] icesqsendcmd at ffffffffc0a35347 [ice] #5 [ff72159bcd6177a8] icesqsendcmdretry at ffffffffc0a35b47 [ice] #6 [ff72159bcd617810] iceaqsendcmd at ffffffffc0a38018 [ice] #7 [ff72159bcd617848] iceaqreadnvm at ffffffffc0a40254 [ice] #8 ---truncated---

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53289.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
12bb018c538c3b9a050f69f62fa09fa6c9160bca
Fixed
acc76b97902757b63ba5136f787d107647236a19
Fixed
3ad2471e61e9f0c4d25046d08e3d747501c3b0dd
Fixed
4c2ac52eeeb672624b06c7a135301d7b8a21d52e
Fixed
1e9185b13ce57b86844447e092e58abb3be849b1
Fixed
429024f3a407e4137aee825c2a6be0aba857937d
Fixed
54ef02487914c24170c7e1c061e45212dc55365e

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53289.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.8.0
Fixed
6.1.175
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.141
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.91
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.33
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.10

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53289.json"