CVE-2026-22996 Overview
CVE-2026-22996 is a NULL pointer dereference vulnerability [CWE-476] in the Linux kernel's Mellanox net/mlx5e Ethernet driver. The flaw occurs because mlx5e_priv is stored in the mlx5e_dev devlink private data, but this structure can be reset via memset(0) when profile attachment fails. A subsequent devlink dev reload operation triggers mlx5e_remove to dereference stale or zeroed pointers. The result is a kernel oops and denial of service on systems using Mellanox ConnectX network adapters in switchdev mode.
Critical Impact
A local user with privileged devlink access can trigger a kernel NULL pointer dereference in mlx5e_remove, causing a system crash and denial of service on affected hosts.
Affected Products
- Linux kernel 6.19-rc1 through 6.19-rc5
- Systems using the mlx5_core driver with Mellanox ConnectX adapters
- Hosts configured with eswitch switchdev mode via devlink
Discovery Timeline
- 2026-01-25 - CVE-2026-22996 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2026-22996
Vulnerability Analysis
The mlx5e driver stores a pointer to mlx5e_priv inside the mlx5e_dev devlink private data area. This pointer is used to reference both the netdev and mdev associated with the device. The mlx5e_priv structure is unstable: when profile attachment fails, the driver clears the structure with memset(0), invalidating the embedded pointers.
When a subsequent devlink reload occurs, mlx5e_remove reads from the now-zeroed structure and dereferences a NULL pointer at offset 0x520. The kernel oops trace shows the fault in mlx5e_remove+0x68/0x130, invoked through device_release_driver_internal and mlx5_devlink_reload_down. The trigger sequence is reproducible by attempting devlink dev eswitch set ... mode switchdev against a device where workqueue creation fails, followed by devlink dev reload.
The upstream fix stores netdev directly in mlx5e_dev and obtains mdev from the containing mlx5_adev auxiliary device structure. This decouples devlink state from the unstable mlx5e_priv lifecycle.
Root Cause
The root cause is a lifecycle mismatch between mlx5e_priv and mlx5e_dev. The devlink layer holds a reference that outlives the validity of the mlx5e_priv structure. When profile change rollback fails, the cleared mlx5e_priv is still reachable through devlink, producing a use-after-clear condition mapped to CWE-476.
Attack Vector
Exploitation requires local privileges sufficient to invoke devlink commands, typically CAP_NET_ADMIN or root. An attacker triggers a profile attach failure, for example by forcing a workqueue kthread creation error, then issues devlink dev reload to crash the kernel. The CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H reflects a local, low-complexity attack with availability impact only.
The vulnerability is not remotely exploitable and does not lead to code execution or information disclosure. The impact is limited to denial of service through kernel panic.
Detection Methods for CVE-2026-22996
Indicators of Compromise
- Kernel log entries containing mlx5e_priv_init failed, err=-12 followed by failed to rollback to orig profile
- Workqueue creation errors of the form workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
- Kernel oops traces referencing mlx5e_remove+0x68/0x130 with a NULL pointer dereference at address 0x520
- Unexpected system reboots correlated with devlink dev reload or eswitch mode changes
Detection Strategies
- Monitor dmesg and /var/log/kern.log for mlx5_core profile init failures preceding devlink reload events
- Audit invocations of devlink dev eswitch set and devlink dev reload against PCI devices bound to mlx5_core
- Correlate kernel panic crash dumps with the mlx5e_remove call stack to confirm exploitation of this flaw
Monitoring Recommendations
- Forward kernel logs to a centralized logging system and alert on mlx5e profile attach failures
- Track usage of CAP_NET_ADMIN and devlink netlink operations through auditd rules on netlink sockets
- Inspect kdump output after unscheduled reboots on hosts with Mellanox NICs to identify recurrence
How to Mitigate CVE-2026-22996
Immediate Actions Required
- Apply the upstream kernel patches referenced in the kernel.org commits as soon as vendor builds become available
- Restrict CAP_NET_ADMIN and root-equivalent privileges on systems running affected Mellanox drivers
- Avoid running devlink dev reload on hosts where eswitch mode transitions have recently failed
Patch Information
The fix is committed upstream and removes the unsafe storage of mlx5e_priv in mlx5e_dev devlink private data. Refer to Kernel Git Commit 123eda2e, Kernel Git Commit a3d4f87d, and Kernel Git Commit dcb2ad75. Distribution kernels backporting these commits resolve the issue. Update to a kernel build that includes the fix and reboot affected hosts.
Workarounds
- Do not switch eswitch mode to switchdev on systems where resource pressure could cause workqueue creation to fail
- Limit devlink command access to a minimal set of trusted administrators using sudoers or polkit policies
- Disable or unbind the mlx5_core driver on hosts that do not require Mellanox functionality until patches are applied
# Restrict devlink command execution via sudoers
# /etc/sudoers.d/devlink-restrict
%netadmins ALL=(root) /usr/sbin/devlink dev show, /usr/sbin/devlink port show
%netadmins ALL=(root) !/usr/sbin/devlink dev reload *
%netadmins ALL=(root) !/usr/sbin/devlink dev eswitch set *
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
