{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23438", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.017Z", "datePublished": "2026-04-03T15:15:22.701Z", "dateUpdated": "2026-04-03T15:15:22.701Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-04-03T15:15:22.701Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mvpp2: guard flow control update with global_tx_fc in buffer switching\n\nmvpp2_bm_switch_buffers() unconditionally calls\nmvpp2_bm_pool_update_priv_fc() when switching between per-cpu and\nshared buffer pool modes. This function programs CM3 flow control\nregisters via mvpp2_cm3_read()/mvpp2_cm3_write(), which dereference\npriv->cm3_base without any NULL check.\n\nWhen the CM3 SRAM resource is not present in the device tree (the\nthird reg entry added by commit 60523583b07c (\"dts: marvell: add CM3\nSRAM memory to cp11x ethernet device tree\")), priv->cm3_base remains\nNULL and priv->global_tx_fc is false. Any operation that triggers\nmvpp2_bm_switch_buffers(), for example an MTU change that crosses\nthe jumbo frame threshold, will crash:\n\n Unable to handle kernel NULL pointer dereference at\n virtual address 0000000000000000\n Mem abort info:\n ESR = 0x0000000096000006\n EC = 0x25: DABT (current EL), IL = 32 bits\n pc : readl+0x0/0x18\n lr : mvpp2_cm3_read.isra.0+0x14/0x20\n Call trace:\n readl+0x0/0x18\n mvpp2_bm_pool_update_fc+0x40/0x12c\n mvpp2_bm_pool_update_priv_fc+0x94/0xd8\n mvpp2_bm_switch_buffers.isra.0+0x80/0x1c0\n mvpp2_change_mtu+0x140/0x380\n __dev_set_mtu+0x1c/0x38\n dev_set_mtu_ext+0x78/0x118\n dev_set_mtu+0x48/0xa8\n dev_ifsioc+0x21c/0x43c\n dev_ioctl+0x2d8/0x42c\n sock_ioctl+0x314/0x378\n\nEvery other flow control call site in the driver already guards\nhardware access with either priv->global_tx_fc or port->tx_fc.\nmvpp2_bm_switch_buffers() is the only place that omits this check.\n\nAdd the missing priv->global_tx_fc guard to both the disable and\nre-enable calls in mvpp2_bm_switch_buffers(), consistent with the\nrest of the driver."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c"], "versions": [{"version": "3a616b92a9d17448d96a33bf58e69f01457fd43a", "lessThan": "da089f74a993f846685067b14158cb41b879ff29", "status": "affected", "versionType": "git"}, {"version": "3a616b92a9d17448d96a33bf58e69f01457fd43a", "lessThan": "ff0c54f088f7ab91dbbf47cf8244460f99122750", "status": "affected", "versionType": "git"}, {"version": "3a616b92a9d17448d96a33bf58e69f01457fd43a", "lessThan": "7bd20f4b3ef3044dc55acd5b8ef748a70d29d03f", "status": "affected", "versionType": "git"}, {"version": "3a616b92a9d17448d96a33bf58e69f01457fd43a", "lessThan": "7df2b50cae1a76cbb90b294f3edb61e3e10bf2e9", "status": "affected", "versionType": "git"}, {"version": "3a616b92a9d17448d96a33bf58e69f01457fd43a", "lessThan": "8baced53a35fc9710f80d6ca016a2c418dc3231f", "status": "affected", "versionType": "git"}, {"version": "3a616b92a9d17448d96a33bf58e69f01457fd43a", "lessThan": "8a63baadf08453f66eb582fdb6dd234f72024723", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c"], "versions": [{"version": "5.12", "status": "affected"}, {"version": "0", "lessThan": "5.12", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.78", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.20", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.10", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc5", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.12", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.12", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.12", "versionEndExcluding": "6.12.78"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.12", "versionEndExcluding": "6.18.20"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.12", "versionEndExcluding": "6.19.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.12", "versionEndExcluding": "7.0-rc5"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/da089f74a993f846685067b14158cb41b879ff29"}, {"url": "https://git.kernel.org/stable/c/ff0c54f088f7ab91dbbf47cf8244460f99122750"}, {"url": "https://git.kernel.org/stable/c/7bd20f4b3ef3044dc55acd5b8ef748a70d29d03f"}, {"url": "https://git.kernel.org/stable/c/7df2b50cae1a76cbb90b294f3edb61e3e10bf2e9"}, {"url": "https://git.kernel.org/stable/c/8baced53a35fc9710f80d6ca016a2c418dc3231f"}, {"url": "https://git.kernel.org/stable/c/8a63baadf08453f66eb582fdb6dd234f72024723"}], "title": "net: mvpp2: guard flow control update with global_tx_fc in buffer switching", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mvpp2: guard flow control update with global_tx_fc in buffer switching\n\nmvpp2_bm_switch_buffers() unconditionally calls\nmvpp2_bm_pool_update_priv_fc() when switching between per-cpu and\nshared buffer pool modes. This function programs CM3 flow control\nregisters via mvpp2_cm3_read()/mvpp2_cm3_write(), which dereference\npriv->cm3_base without any NULL check.\n\nWhen the CM3 SRAM resource is not present in the device tree (the\nthird reg entry added by commit 60523583b07c (\"dts: marvell: add CM3\nSRAM memory to cp11x ethernet device tree\")), priv->cm3_base remains\nNULL and priv->global_tx_fc is false. Any operation that triggers\nmvpp2_bm_switch_buffers(), for example an MTU change that crosses\nthe jumbo frame threshold, will crash:\n\n Unable to handle kernel NULL pointer dereference at\n virtual address 0000000000000000\n Mem abort info:\n ESR = 0x0000000096000006\n EC = 0x25: DABT (current EL), IL = 32 bits\n pc : readl+0x0/0x18\n lr : mvpp2_cm3_read.isra.0+0x14/0x20\n Call trace:\n readl+0x0/0x18\n mvpp2_bm_pool_update_fc+0x40/0x12c\n mvpp2_bm_pool_update_priv_fc+0x94/0xd8\n mvpp2_bm_switch_buffers.isra.0+0x80/0x1c0\n mvpp2_change_mtu+0x140/0x380\n __dev_set_mtu+0x1c/0x38\n dev_set_mtu_ext+0x78/0x118\n dev_set_mtu+0x48/0xa8\n dev_ifsioc+0x21c/0x43c\n dev_ioctl+0x2d8/0x42c\n sock_ioctl+0x314/0x378\n\nEvery other flow control call site in the driver already guards\nhardware access with either priv->global_tx_fc or port->tx_fc.\nmvpp2_bm_switch_buffers() is the only place that omits this check.\n\nAdd the missing priv->global_tx_fc guard to both the disable and\nre-enable calls in mvpp2_bm_switch_buffers(), consistent with the\nrest of the driver."}], "id": "CVE-2026-23438", "lastModified": "2026-04-03T16:16:25.540", "metrics": {}, "published": "2026-04-03T16:16:25.540", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7bd20f4b3ef3044dc55acd5b8ef748a70d29d03f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7df2b50cae1a76cbb90b294f3edb61e3e10bf2e9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8a63baadf08453f66eb582fdb6dd234f72024723"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/8baced53a35fc9710f80d6ca016a2c418dc3231f"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/da089f74a993f846685067b14158cb41b879ff29"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/ff0c54f088f7ab91dbbf47cf8244460f99122750"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[3a616b92a9d17448d96a33bf58e69f01457fd43a,da089f74a993f846685067b14158cb41b879ff29)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[3a616b92a9d17448d96a33bf58e69f01457fd43a,ff0c54f088f7ab91dbbf47cf8244460f99122750)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[3a616b92a9d17448d96a33bf58e69f01457fd43a,7bd20f4b3ef3044dc55acd5b8ef748a70d29d03f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[3a616b92a9d17448d96a33bf58e69f01457fd43a,7df2b50cae1a76cbb90b294f3edb61e3e10bf2e9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[3a616b92a9d17448d96a33bf58e69f01457fd43a,8baced53a35fc9710f80d6ca016a2c418dc3231f)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[3a616b92a9d17448d96a33bf58e69f01457fd43a,8a63baadf08453f66eb582fdb6dd234f72024723)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "5.12"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,5.12)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.1.167,6.2.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.130,6.7.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.78,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.20,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.10,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc5,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-03T18:25:29.140919+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that includes the MVPP2 driver patch that adds the CM3 SRAM device tree entry and the global_tx_fc guard.", "If a kernel update is not immediately available, adjust the device tree for affected hardware to include the CM3 SRAM memory resource so that priv->cm3_base is set.", "Avoid performing MTU changes that cross the jumbo frame threshold on affected systems until the kernel or device tree is updated."], "summary": {"action": "Immediate Patch", "impact": "Kernel panic (Denial of Service)"}, "threat_synthesis": {"affected_systems": "Linux kernels that include the MVPP2 driver, particularly systems using Marvell Ethernet devices that rely on the MVPP2 packet processor. The issue exists in kernel versions prior to the inclusion of the fix that adds a guard for priv->global_tx_fc and the CM3 SRAM resource entry in the device tree.", "description_and_impact": "The vulnerability arises in the Linux kernel\u2019s MVPP2 network driver when the driver attempts to switch buffer pools during operations such as changing the MTU past the jumbo frame threshold. A missing null\u2010pointer check allows the code to dereference a NULL cm3_base pointer, causing a kernel panic. The impact is a system crash, leading to a denial of service and loss of all network services on the affected machine.", "risk_and_exploitability": "The flaw is exploitable locally by an attacker with privileged control who can trigger an MTU change or any operation that forces the driver to switch buffer pools. No remote attack path is evident from the description. The severity is high due to the complete system crash, and while the EPSS score is unavailable and the vulnerability is not listed in KEV, the local nature of the attack combined with halted services suggests a critical risk if the system\u2019s kernel is not updated."}}}}, "created": "2026-04-03T21:14:00.106620+00:00", "title": "Kernel panic due to null pointer dereference in MVPP2 buffer switching", "updated": "2026-04-03T21:16:13.543565+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-476"]}