CVE-2026-22985 Overview
A NULL pointer dereference vulnerability has been identified in the Linux kernel's idpf (Intel Data Plane Function) network driver. The vulnerability occurs when ethtool operations such as rxhash on/off are performed before the network interface is brought up for the first time. The RSS (Receive Side Scaling) LUT (Lookup Table) is not initialized until the interface comes up, resulting in a kernel crash when early ethtool operations attempt to access the uninitialized memory.
Critical Impact
Local users can trigger a kernel panic and system crash by performing ethtool operations on idpf interfaces before they are brought up, leading to a denial of service condition.
Affected Products
- Linux kernel with idpf driver
- Systems using Intel Infrastructure Processing Unit (IPU) network interfaces
- Linux distributions with idpf kernel module enabled
Discovery Timeline
- 2026-01-23 - CVE CVE-2026-22985 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2026-22985
Vulnerability Analysis
This vulnerability is a NULL pointer dereference in the idpf network driver that affects the kernel's stability. The root issue stems from improper initialization ordering where the RSS LUT data structure is only allocated and initialized during the ndo_open operation (when the interface is brought up), but ethtool commands can be issued against the interface before this initialization occurs.
When a user executes ethtool commands like ethtool -K eth2 rxhash off on an idpf interface that has never been brought up, the driver's idpf_set_features() function attempts to access the RSS LUT structure via a memcpy_orig operation. Since the LUT pointer is NULL at this stage, the kernel triggers a page fault resulting in a BUG (kernel panic).
The crash manifests with the following stack trace signature: the idpf_set_features() function calls into memory copy operations that dereference the NULL LUT pointer, originating from netlink-based ethtool feature setting operations through ethnl_set_features().
Root Cause
The fundamental issue is an initialization race condition in the idpf driver's lifecycle management. The RSS LUT allocation was deferred to the ndo_open callback, which is only invoked when the interface transitions to an UP state. However, the driver's feature setting functions (idpf_set_features) do not validate whether the LUT has been initialized before attempting to access it. This missing NULL check combined with the deferred initialization creates a window where NULL pointer access is possible.
Attack Vector
The vulnerability can be triggered locally through the following sequence:
- The idpf driver is loaded via modprobe idpf, creating network interfaces
- Before the interface is brought up with ip link set eth2 up, an ethtool command is issued
- Commands like ethtool -K eth2 rxhash off trigger the idpf_set_features() function
- The function attempts to access the uninitialized RSS LUT, causing a NULL pointer dereference
- The kernel panics with an Oops message, crashing the system
This is a local denial of service attack requiring the ability to execute ethtool commands on the affected interface.
Detection Methods for CVE-2026-22985
Indicators of Compromise
- Kernel panic logs containing BUG: kernel NULL pointer dereference with address 0000000000000000
- Stack traces showing idpf_set_features and memcpy_orig functions
- Oops messages with #PF: supervisor read access in kernel mode and error_code(0x0000) - not-present page
- System crashes occurring immediately after ethtool operations on idpf interfaces
Detection Strategies
- Monitor kernel logs for NULL pointer dereference events in the idpf driver module
- Implement auditd rules to track ethtool command execution against idpf-managed interfaces
- Set up kernel crash dump analysis to identify the idpf_set_features function in crash traces
- Deploy endpoint detection for repeated system reboots correlated with network driver operations
Monitoring Recommendations
- Configure kdump or crash dump collection to capture kernel panics for forensic analysis
- Enable kernel tracing on idpf module functions during troubleshooting
- Monitor for unusual patterns of ethtool commands executed before interface initialization
- Implement SentinelOne Singularity agent for real-time kernel-level threat detection and system stability monitoring
How to Mitigate CVE-2026-22985
Immediate Actions Required
- Apply the kernel patches from the stable kernel tree immediately
- Ensure network interfaces are brought up before performing any ethtool configuration
- Restrict access to ethtool commands to trusted administrators only
- Consider temporarily unloading the idpf module on systems where patching is delayed
Patch Information
The fix has been committed to the Linux kernel stable tree. The patch moves RSS LUT initialization from ndo_open to vport creation, ensuring the LUT is always available regardless of interface state. The fix simplifies LUT management by maintaining changes in the driver's soft copy and deferring hardware programming until the interface comes up.
Relevant kernel commits:
Workarounds
- Always bring up idpf interfaces with ip link set <interface> up before running ethtool commands
- Implement startup scripts that ensure proper interface initialization order
- Use network namespace isolation to restrict access to vulnerable interfaces
- Consider disabling the idpf module on systems that do not require Intel IPU functionality
# Configuration example
# Ensure interface is up before ethtool operations
ip link set eth2 up
sleep 1
ethtool -K eth2 rxhash off
# Alternative: Add to network startup scripts
# /etc/network/if-pre-up.d/idpf-init
#!/bin/bash
# Bring interface up before any configuration
ip link set $IFACE up || true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
