CVE-2026-22982 Overview
A NULL pointer dereference vulnerability has been discovered in the Linux kernel's Microsemi Ocelot network switch driver (net: mscc: ocelot). The vulnerability occurs in the ocelot_set_aggr_pgids() function when adding a network interface under a Link Aggregation Group (LAG). This issue is similar to a previously resolved vulnerability in the lan966x driver (Commit 15faa1f67ab4).
Critical Impact
System crash or denial of service when adding network interfaces to LAG configurations on affected Ocelot-based network switches.
Affected Products
- Linux kernel with Microsemi Ocelot driver (ocelot_vsc7514.c frontend)
- Systems using Ocelot-based network switches with LAG configurations
- Network infrastructure utilizing the affected ocelot driver module
Discovery Timeline
- 2026-01-23 - CVE CVE-2026-22982 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2026-22982
Vulnerability Analysis
This vulnerability is a NULL pointer dereference issue within the Linux kernel's Ocelot network switch driver. The ocelot_set_aggr_pgids() function fails to properly validate port pointers before accessing them, leading to a kernel crash when the code attempts to dereference a NULL pointer.
The issue specifically affects the ocelot_vsc7514.c frontend implementation, which leaves unused ports as NULL pointers in its internal data structures. When a network interface is added under a LAG configuration, the function iterates through ports without checking if each port pointer is valid, causing a crash when it encounters a NULL entry.
The felix_vsc9959.c frontend is unaffected by this vulnerability because it utilizes the DSA (Distributed Switch Architecture) framework, which properly registers all ports regardless of their usage state.
Root Cause
The root cause of this vulnerability is improper input validation in the ocelot_set_aggr_pgids() function. The code assumes all port array entries contain valid pointers, but the ocelot_vsc7514.c frontend initializes unused ports as NULL. When the function processes these NULL entries during LAG operations, the resulting NULL pointer dereference triggers a kernel panic.
Attack Vector
The vulnerability can be triggered when an administrator or privileged user attempts to add a network interface under a LAG configuration on an affected system. While local access and elevated privileges are typically required to configure network interfaces, the resulting system crash leads to denial of service.
The attack flow involves:
- A system running the affected Linux kernel with the Ocelot driver loaded
- Initiating a LAG configuration that involves the ocelot_set_aggr_pgids() function
- The function encounters a NULL port pointer in its iteration
- Kernel crash occurs due to NULL pointer dereference
The vulnerability mechanism involves the iteration over port structures without proper NULL checks. When the ocelot_vsc7514.c driver is in use, unused ports remain as NULL pointers, and accessing these during LAG operations causes the kernel to crash. The fix involves adding a validation check to verify that the port pointer is valid before attempting to access its members. For detailed implementation, refer to the kernel patch commits.
Detection Methods for CVE-2026-22982
Indicators of Compromise
- Kernel panic logs referencing ocelot_set_aggr_pgids() function
- System crashes occurring when configuring LAG interfaces on Ocelot-based switches
- Crash dumps showing NULL pointer dereference in the mscc_ocelot or related kernel modules
- Repeated system reboots during network configuration activities
Detection Strategies
- Monitor kernel logs (dmesg, /var/log/kern.log) for NULL pointer dereference errors in the ocelot driver
- Implement system stability monitoring to detect unexpected crashes during network configuration
- Review loaded kernel modules for ocelot_vsc7514 presence using lsmod
- Deploy kernel-level crash analysis tools to identify ocelot-related crashes
Monitoring Recommendations
- Enable kernel crash dump collection (kdump) to capture diagnostic information
- Configure log aggregation for kernel panic messages across affected systems
- Monitor for abnormal system reboot patterns on network infrastructure devices
- Implement alerting for kernel oops or panic events related to network drivers
How to Mitigate CVE-2026-22982
Immediate Actions Required
- Apply the kernel patches from the stable kernel branches immediately
- Avoid configuring LAG interfaces on affected systems until patches are applied
- Consider temporarily using alternative network configurations that don't require LAG
- Schedule maintenance windows to update kernel on affected network infrastructure
Patch Information
Multiple patches have been released to address this vulnerability across various stable Linux kernel branches. The fix adds proper NULL pointer validation before accessing port structures in the ocelot_set_aggr_pgids() function.
Relevant kernel commits:
- Commit 03fb1708b7d1
- Commit 2985712dc76d
- Commit 34f3ff52cb9f
- Commit 8767f238b0e6
- Commit b17818307446
- Commit f490af47bbee
Update your Linux kernel to a version that includes these patches from your distribution's package repository.
Workarounds
- Disable or avoid using LAG configurations on systems with the ocelot_vsc7514 driver until patches can be applied
- Consider using the felix_vsc9959 frontend with DSA framework if hardware supports it, as it is unaffected
- Implement network redundancy at higher layers to avoid LAG dependency on affected switches
- Blacklist the vulnerable driver module if the affected hardware is not in production use
# Check if the vulnerable module is loaded
lsmod | grep -E "ocelot|mscc"
# Update kernel on Debian/Ubuntu systems
sudo apt update && sudo apt upgrade linux-image-$(uname -r)
# Update kernel on RHEL/CentOS systems
sudo yum update kernel
# Verify kernel version after update
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
