CVE-2026-23041 Overview
A NULL pointer dereference vulnerability has been identified in the Linux kernel's Broadcom bnxt_en network driver. The vulnerability occurs during error cleanup in the bnxt_init_one() initialization function when the error path improperly orders resource cleanup operations, leading to a kernel crash.
Critical Impact
Successful exploitation can cause kernel panic and system denial of service when the Broadcom NetXtreme-E network adapter driver encounters initialization failures.
Affected Products
- Linux kernel with Broadcom bnxt_en network driver
- Systems using Broadcom NetXtreme-E/NetXtreme-C network adapters
- Linux kernel versions prior to the fix commit
Discovery Timeline
- 2026-02-04 - CVE-2026-23041 published to NVD
- 2026-02-04 - Last updated in NVD database
Technical Details for CVE-2026-23041
Vulnerability Analysis
This vulnerability is a NULL pointer dereference that occurs in the bnxt_en driver's error handling path during device initialization. The root cause lies in the improper ordering of cleanup operations when bnxt_init_one() encounters an error.
When initialization fails (for example, when bnxt_init_int_mode returns -ENODEV), the error handling code calls bnxt_free_hwrm_resources() which destroys the DMA pool and sets bp->hwrm_dma_pool to NULL. Subsequently, bnxt_ptp_clear() is invoked, which calls ptp_clock_unregister().
Due to a behavioral change introduced in commit a60fc3294a37 ("ptp: rework ptp_clock_unregister() to disable events"), the PTP clock unregistration now invokes ptp_disable_all_events(), which triggers the driver's .enable() callback (bnxt_ptp_enable()) to disable PTP events before completing unregistration.
The bnxt_ptp_enable() function attempts to send HWRM commands via bnxt_ptp_cfg_pin() and bnxt_ptp_cfg_event(), both of which call hwrm_req_init(). This function tries to allocate from the already-destroyed bp->hwrm_dma_pool, causing a NULL pointer dereference and subsequent kernel crash.
Root Cause
The vulnerability stems from improper resource cleanup ordering in the bnxt_init_one() error path. The HWRM DMA pool resources are freed before the PTP subsystem is properly unregistered, creating a use-after-free-like condition where the PTP cleanup code attempts to use resources that have already been deallocated. The fix requires clearing and unregistering PTP (bnxt_ptp_clear()) before freeing HWRM resources.
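The ordering problem described above, reduced to a user-space C model (an added example, not code from the driver or from the fix). Every model_* name is a hypothetical stand-in for the driver routine named in its comment, and the model counts the NULL-pool access instead of crashing so that both orderings can be compared.

```c
#include <stddef.h>

/* User-space model; every model_* name is hypothetical, not driver code. */
struct model_dev {
    void *dma_pool;                                /* models bp->hwrm_dma_pool */
    int (*ptp_enable)(struct model_dev *, int on); /* models the .enable() callback */
    int ptp_registered;
    int null_pool_uses;                            /* requests built with no pool */
};

/* Models hwrm_req_init(): it needs the pool. The kernel dereferences the NULL
 * pool and crashes; the model counts the event so the result can be checked. */
static int model_req_init(struct model_dev *dev)
{
    if (dev->dma_pool)
        return 0;
    dev->null_pool_uses++;
    return -1;
}

/* Models bnxt_ptp_enable(): disabling an event sends a request. */
static int model_ptp_enable(struct model_dev *dev, int on)
{
    (void)on;
    return model_req_init(dev);
}

/* Models bnxt_free_hwrm_resources(): the pool is gone afterwards. */
static void model_free_hwrm(struct model_dev *dev) { dev->dma_pool = NULL; }

/* Models bnxt_ptp_clear(): unregistering calls back to disable events first. */
static void model_ptp_clear(struct model_dev *dev)
{
    if (!dev->ptp_registered)
        return;
    dev->ptp_enable(dev, 0);
    dev->ptp_registered = 0;
}

/* Runs the error path in the chosen order; returns the NULL-pool use count. */
int model_error_path(int ptp_first)
{
    static char pool[64];
    struct model_dev dev = { pool, model_ptp_enable, 1, 0 };
    if (ptp_first) { model_ptp_clear(&dev); model_free_hwrm(&dev); }
    else           { model_free_hwrm(&dev); model_ptp_clear(&dev); }
    return dev.null_pool_uses;
}

int main(void) { return model_error_path(1); } /* PTP cleared first: exits 0 */
```

Passing 0 reproduces the vulnerable order (pool freed, then PTP cleared) and passing 1 reproduces the order the fix establishes.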
Attack Vector
The vulnerability can be triggered locally when the bnxt_en driver encounters initialization errors. While this is primarily a reliability issue rather than a remote attack vector, it can result in denial of service through kernel panic. The crash occurs in the following call chain:
The initialization failure triggers bnxt_free_hwrm_resources(), which destroys the DMA pool, followed by bnxt_ptp_clear() calling ptp_clock_unregister(). This eventually leads to bnxt_ptp_enable() attempting memory allocation from the NULL bp->hwrm_dma_pool, which KASAN reports as a null-ptr-deref in the address range 0x0000000000000028-0x000000000000002f.
Detection Methods for CVE-2026-23041
Indicators of Compromise
- Kernel panic messages containing "KASAN: null-ptr-deref" with references to hwrm_req_init
- System logs showing bnxt_init_int_mode err: ffffffed followed by crash traces
- Call traces involving __hwrm_req_init, bnxt_ptp_enable, and ptp_clock_unregister
Detection Strategies
- Monitor kernel logs for bnxt_en driver initialization errors followed by NULL pointer dereference crashes
- Deploy kernel crash dump analysis to identify patterns matching the ptp_disable_all_events to hwrm_req_init call chain
- Implement watchdog monitoring for unexpected system reboots on systems with Broadcom network adapters
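One way to correlate the indicators and the call chain listed above in a captured kernel log, as an added example that is not a tool from the kernel project or from this advisory. The function name matches_bnxt_ptp_crash and both sample logs are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

/* One bit per marker named in the advisory; array order below matters. */
enum { M_INIT_ERR = 1, M_KASAN = 2, M_REQ_INIT = 4, M_PTP_ENABLE = 8,
       M_PTP_UNREG = 16, M_ALL = 31 };

static const struct { const char *needle; int flag; } markers[] = {
    { "bnxt_init_int_mode err:", M_INIT_ERR },
    { "KASAN: null-ptr-deref",   M_KASAN },
    { "hwrm_req_init",           M_REQ_INIT },
    { "bnxt_ptp_enable",         M_PTP_ENABLE },
    { "ptp_clock_unregister",    M_PTP_UNREG },
};

/* Returns 1 when a driver init error is followed by a KASAN null-ptr-deref
 * whose trace shows all three frames. Order is enforced: a KASAN line with no
 * prior init error, or a frame outside a crash report, is ignored. */
int matches_bnxt_ptp_crash(const char *const *lines, size_t n)
{
    int seen = 0;
    for (size_t i = 0; i < n; i++) {
        for (size_t m = 0; m < sizeof markers / sizeof markers[0]; m++) {
            if (!strstr(lines[i], markers[m].needle))
                continue;
            int f = markers[m].flag;
            if (f == M_KASAN && !(seen & M_INIT_ERR))
                continue;              /* crash without the init failure */
            if (f > M_KASAN && !(seen & M_KASAN))
                continue;              /* frame outside the crash report */
            seen |= f;
        }
    }
    return seen == M_ALL;
}

/* Constructed sample lines, not captured from a real system. */
static const char *const sample_hit[] = {
    "bnxt_en 0000:01:00.0: bnxt_init_int_mode err: ffffffed",
    "BUG: KASAN: null-ptr-deref in __hwrm_req_init",
    " bnxt_ptp_enable",
    " ptp_clock_unregister",
};
static const char *const sample_miss[] = {
    "BUG: KASAN: null-ptr-deref in example_other_func",
    " ptp_clock_unregister",
};

int main(void) { return !matches_bnxt_ptp_crash(sample_hit, 4) || matches_bnxt_ptp_crash(sample_miss, 2); }
```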
Monitoring Recommendations
- Enable KASAN (Kernel Address Sanitizer) in development/testing environments to catch similar issues early
- Configure kdump or netdump for crash analysis on production systems with affected network hardware
- Monitor for repeated driver initialization failures in /var/log/kern.log or equivalent system logs
How to Mitigate CVE-2026-23041
Immediate Actions Required
- Apply the kernel patches from the official Linux kernel stable branches
- If immediate patching is not possible, consider using alternative network drivers or hardware temporarily
- Monitor affected systems for unexpected crashes during boot or network reconfiguration
Patch Information
The Linux kernel maintainers have released fixes for this vulnerability. The patches reorder the cleanup operations to ensure bnxt_ptp_clear() is called before bnxt_free_hwrm_resources(), preventing the NULL pointer dereference.
Patches are available at:
Workarounds
- Ensure network adapter firmware is up to date to reduce initialization failure likelihood
- If driver load fails repeatedly, blacklist the bnxt_en module and use alternative networking until patched kernels can be deployed
- Consider configuring systems to continue boot without the affected network device if initialization fails
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

