CVE-2026-22993 Overview
A NULL pointer dereference vulnerability has been identified in the Linux kernel's idpf (Intel Data Plane Function) driver. The vulnerability occurs during soft reset operations when the RSS (Receive Side Scaling) LUT (Lookup Table) is freed but not properly restored unless the network interface is in an up state. If an ethtool command that accesses the RSS LUT is executed immediately after a soft reset, the system will experience a kernel NULL pointer dereference, potentially leading to system instability or denial of service.
Critical Impact
Local attackers can trigger a kernel panic through NULL pointer dereference by executing ethtool commands after a soft reset, causing denial of service on affected Linux systems.
Affected Products
- Linux kernel with idpf driver (Intel Data Plane Function)
- Systems using Intel Ethernet network adapters with idpf driver support
Discovery Timeline
- 2026-01-23 - CVE-2026-22993 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2026-22993
Vulnerability Analysis
This vulnerability is a classic NULL pointer dereference in how the Linux kernel's idpf network driver manages the memory backing its RSS LUT. During a soft reset operation, the driver frees the RSS LUT memory structure but fails to reinitialize it under certain conditions. Specifically, if the network interface is down during the reset process, the RSS LUT pointer remains NULL.
The vulnerability is triggered when a user issues an ethtool command (such as ethtool -x eth1) that attempts to read the RSS LUT configuration. The idpf_get_rxfh() function, responsible for retrieving RSS hash function settings, dereferences this NULL pointer at offset 0x108, causing a kernel oops with a supervisor read access violation in kernel mode.
The call trace shows the execution path from user space through __x64_sys_sendto → netlink_unicast → genl_rcv → ethnl_default_doit → rss_prepare_data → idpf_get_rxfh, where the final function attempts to access the uninitialized RSS LUT structure.
Root Cause
The root cause lies in the incomplete state restoration logic during soft reset operations in the idpf driver. When a soft reset is triggered (for example, by changing queue counts via ethtool -L), the driver correctly frees the RSS LUT memory to prepare for reconfiguration. However, the restoration logic only repopulates the RSS LUT if the interface is administratively up at the time of reset.
This creates a race condition where:
- The interface is brought down (ifconfig eth1 down)
- Queue count is changed (ethtool -L eth1 combined 20), triggering soft reset
- RSS LUT is freed but not restored because interface is down
- User queries RSS configuration (ethtool -x eth1)
- Driver attempts to dereference NULL pointer
Additionally, the original code reset the RSS LUT even when the soft reset did not involve a queue count change, introducing unnecessary state transitions.
Attack Vector
The attack requires local access to the system with privileges to execute network configuration commands. An attacker with appropriate permissions can reproduce this vulnerability using the following sequence:
- Bring the target network interface down using ifconfig or ip link set down
- Modify the queue count using ethtool to trigger a soft reset
- Immediately query the RSS LUT configuration while the interface remains down
This sequence reliably triggers the NULL pointer dereference, causing a kernel panic or system crash. The vulnerability is locally exploitable and can be used for denial of service attacks against systems running affected Linux kernel versions with idpf driver loaded.
Detection Methods for CVE-2026-22993
Indicators of Compromise
- Kernel oops or panic messages in system logs containing idpf_get_rxfh in the call trace
- BUG messages indicating NULL pointer dereference at address 0000000000000000
- System crashes following ethtool RSS configuration queries after network interface resets
- Kernel log entries showing #PF: supervisor read access in kernel mode associated with idpf module
Detection Strategies
- Monitor kernel logs (/var/log/kern.log, dmesg) for NULL pointer dereference messages referencing the idpf driver module
- Implement system monitoring for unexpected kernel panics or oops events on systems with Intel network adapters using idpf driver
- Deploy audit rules to track ethtool command execution patterns, particularly -x (show RSS) and -L (set channels) flags in sequence
- Use kernel tracing tools (ftrace, eBPF) to monitor idpf_get_rxfh function calls and validate RSS LUT state
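The log indicators and the kernel-log monitoring strategy above can be checked mechanically. The following is an added example, not part of the original advisory: a POSIX shell function that scans kernel log text for NULL-dereference oops blocks naming idpf_get_rxfh. The names scan_idpf_oops and sample_log and the embedded log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): flag kernel oops blocks matching the
# CVE-2026-22993 signature. Reads dmesg/kern.log text on stdin and prints one
# line per NULL-dereference oops whose RIP or call trace names idpf_get_rxfh.
scan_idpf_oops() {
    awk '
    function emit() {
        if (in_oops && hit != "")
            printf "line %d: idpf_get_rxfh in %s, read_fault=%s\n", start, hit, (pf ? "yes" : "no")
        in_oops = 0; hit = ""; pf = 0; trace = 0
    }
    # A new BUG line closes any open block and starts the next one.
    /BUG: kernel NULL pointer dereference/ { emit(); in_oops = 1; start = NR; next }
    !in_oops { next }
    /#PF: supervisor read access in kernel mode/ { pf = 1 }
    /Call Trace:/ { trace = 1 }
    /idpf_get_rxfh/ {
        if ($0 ~ /RIP: /) hit = "RIP"                       # faulting function
        else if (trace && hit == "") hit = "call trace"     # only on the stack
    }
    /---\[ end trace/ { emit() }
    END { emit() }
    '
}

# Constructed sample log: one oops matching the signature, one unrelated oops.
# Offsets, sizes and timestamps are illustrative, not captured output.
sample_log() {
    cat <<'EOF'
[  101.000001] eth1: constructed unrelated line
[  120.512345] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  120.512350] #PF: supervisor read access in kernel mode
[  120.512360] RIP: 0010:idpf_get_rxfh+0x108/0x240 [idpf]
[  120.512370] Call Trace:
[  120.512372]  rss_prepare_data+0x50/0x1a0
[  120.512374]  ethnl_default_doit+0x10a/0x3a0
[  120.512380] ---[ end trace 0000000000000000 ]---
[  300.000000] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  300.000005] #PF: supervisor write access in kernel mode
[  300.000010] RIP: 0010:other_fn+0x20/0x80 [other]
[  300.000020] ---[ end trace 0000000000000000 ]---
EOF
}

sample_log | scan_idpf_oops
```

On a live host, feed it real data with dmesg | scan_idpf_oops or journalctl -k | scan_idpf_oops.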
Monitoring Recommendations
- Configure crash dump collection (kdump) to capture kernel state for post-incident analysis
- Implement automated alerting for kernel panic events in centralized logging systems
- Monitor network interface state transitions combined with ethtool invocations for anomalous patterns
- Deploy SentinelOne agents with kernel-level visibility to detect exploitation attempts targeting this vulnerability
How to Mitigate CVE-2026-22993
Immediate Actions Required
- Apply the kernel patches from the official kernel git repository as soon as possible
- Ensure network interfaces are in an up state before executing RSS configuration queries via ethtool
- Restrict access to network configuration commands (ethtool, ifconfig, ip) to trusted administrators only
- Consider temporarily disabling or blacklisting the idpf driver if not critical to operations until patches are applied
Patch Information
The Linux kernel development team has released patches to address this vulnerability. The fix modifies the soft reset behavior to:
- Set the RSS LUT to default values based on updated queue count only if the reset resulted from a queue count change
- Preserve user-configured LUT settings when they exist
- Avoid unnecessary RSS LUT manipulation when queue count remains unchanged
Patches are available from the official kernel git repository:
Workarounds
- Ensure network interfaces are administratively up (ifconfig eth1 up or ip link set eth1 up) before querying RSS configuration
- Implement wrapper scripts for ethtool commands that verify interface state before executing RSS-related queries
- Use access control mechanisms (sudo policies, SELinux/AppArmor) to restrict ethtool command execution to authorized users only
- Monitor and rate-limit network configuration changes to prevent rapid soft reset sequences
# Workaround: ensure the interface is up before querying RSS configuration
INTERFACE="eth1"
# operstate is read from sysfs; it is empty if the interface does not exist
STATE=$(cat "/sys/class/net/${INTERFACE}/operstate" 2>/dev/null)
if [ "$STATE" != "up" ]; then
    echo "Warning: Interface $INTERFACE is not up. Bringing interface up first." >&2
    ip link set "$INTERFACE" up
    sleep 1
fi
ethtool -x "$INTERFACE"


