Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-53289

Gravedad:
Pendiente de análisis
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
26/06/2026
Última modificación:
30/06/2026

Descripción

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ice: fix NULL pointer dereference in ice_reset_all_vfs()<br /> <br /> ice_reset_all_vfs() ignores the return value of ice_vf_rebuild_vsi().<br /> When the VSI rebuild fails (e.g. during NVM firmware update via<br /> nvmupdate64e), ice_vsi_rebuild() tears down the VSI on its error path,<br /> leaving txq_map and rxq_map as NULL. The subsequent unconditional call<br /> to ice_vf_post_vsi_rebuild() leads to a NULL pointer dereference in<br /> ice_ena_vf_q_mappings() when it accesses vsi-&gt;txq_map[0].<br /> <br /> The single-VF reset path in ice_reset_vf() already handles this<br /> correctly by checking the return value of ice_vf_reconfig_vsi() and<br /> skipping ice_vf_post_vsi_rebuild() on failure.<br /> <br /> Apply the same pattern to ice_reset_all_vfs(): check the return value<br /> of ice_vf_rebuild_vsi() and skip ice_vf_post_vsi_rebuild() and<br /> ice_eswitch_attach_vf() on failure. The VF is left safely disabled<br /> (ICE_VF_STATE_INIT not set, VFGEN_RSTAT not set to VFACTIVE) and can<br /> be recovered via a VFLR triggered by a PCI reset of the VF<br /> (sysfs reset or driver rebind).<br /> <br /> Note that this patch does not prevent the VF VSI rebuild from failing<br /> during NVM update — the underlying cause is firmware being in a<br /> transitional state while the EMP reset is processed, which can cause<br /> Admin Queue commands (ice_add_vsi, ice_cfg_vsi_lan) to fail. This<br /> patch only prevents the subsequent NULL pointer dereference that<br /> crashes the kernel when the rebuild does fail.<br /> <br /> crash&gt; bt<br /> PID: 50795 TASK: ff34c9ee708dc680 CPU: 1 COMMAND: "kworker/u512:5"<br /> #0 [ff72159bcfe5bb50] machine_kexec at ffffffffaa8850ee<br /> #1 [ff72159bcfe5bba8] __crash_kexec at ffffffffaaa15fba<br /> #2 [ff72159bcfe5bc68] crash_kexec at ffffffffaaa16540<br /> #3 [ff72159bcfe5bc70] oops_end at ffffffffaa837eda<br /> #4 [ff72159bcfe5bc90] page_fault_oops at ffffffffaa893997<br /> #5 [ff72159bcfe5bce8] exc_page_fault at ffffffffab528595<br /> #6 [ff72159bcfe5bd10] asm_exc_page_fault at ffffffffab600bb2<br /> [exception RIP: ice_ena_vf_q_mappings+0x79]<br /> RIP: ffffffffc0a85b29 RSP: ff72159bcfe5bdc8 RFLAGS: 00010206<br /> RAX: 00000000000f0000 RBX: ff34c9efc9c00000 RCX: 0000000000000000<br /> RDX: 0000000000000000 RSI: 0000000000000010 RDI: ff34c9efc9c00000<br /> RBP: ff34c9efc27d4828 R8: 0000000000000093 R9: 0000000000000040<br /> R10: ff34c9efc27d4828 R11: 0000000000000040 R12: 0000000000100000<br /> R13: 0000000000000010 R14: R15:<br /> ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018<br /> #7 [ff72159bcfe5bdf8] ice_sriov_post_vsi_rebuild at ffffffffc0a85e2e [ice]<br /> #8 [ff72159bcfe5be08] ice_reset_all_vfs at ffffffffc0a920b4 [ice]<br /> #9 [ff72159bcfe5be48] ice_service_task at ffffffffc0a31519 [ice]<br /> #10 [ff72159bcfe5be88] process_one_work at ffffffffaa93dca4<br /> #11 [ff72159bcfe5bec8] worker_thread at ffffffffaa93e9de<br /> #12 [ff72159bcfe5bf18] kthread at ffffffffaa946663<br /> #13 [ff72159bcfe5bf50] ret_from_fork at ffffffffaa8086b9<br /> <br /> The panic occurs attempting to dereference the NULL pointer in RDX at<br /> ice_sriov.c:294, which loads vsi-&gt;txq_map (offset 0x4b8 in ice_vsi).<br /> <br /> The faulting VSI is an allocated slab object but not fully initialized<br /> after a failed ice_vsi_rebuild():<br /> <br /> crash&gt; struct ice_vsi 0xff34c9efc27d4828<br /> netdev = 0x0,<br /> rx_rings = 0x0,<br /> tx_rings = 0x0,<br /> q_vectors = 0x0,<br /> txq_map = 0x0,<br /> rxq_map = 0x0,<br /> alloc_txq = 0x10,<br /> num_txq = 0x10,<br /> alloc_rxq = 0x10,<br /> num_rxq = 0x10,<br /> <br /> The nvmupdate64e process was performing NVM firmware update:<br /> <br /> crash&gt; bt 0xff34c9edd1a30000<br /> PID: 49858 TASK: ff34c9edd1a30000 CPU: 1 COMMAND: "nvmupdate64e"<br /> #0 [ff72159bcd617618] __schedule at ffffffffab5333f8<br /> #4 [ff72159bcd617750] ice_sq_send_cmd at ffffffffc0a35347 [ice]<br /> #5 [ff72159bcd6177a8] ice_sq_send_cmd_retry at ffffffffc0a35b47 [ice]<br /> #6 [ff72159bcd617810] ice_aq_send_cmd at ffffffffc0a38018 [ice]<br /> #7 [ff72159bcd617848] ice_aq_read_nvm at ffffffffc0a40254 [ice]<br /> #8 <br /> ---truncated---

Impacto