CVE-2026-23070 Overview
A null pointer dereference vulnerability has been identified in the Linux kernel's Octeontx2-af driver component. The vulnerability exists in the firmware data (fwdata) handling mechanism where the kernel accesses shared firmware structures containing MAC address, link modes (supported, advertised), and EEPROM data via MAC block (CGX/RPM). When the system boots without a MAC block present, accessing the firmware data structure leads to kernel panics.
Critical Impact
Local denial of service through kernel panic when accessing firmware data structures on systems booted without MAC block support.
Affected Products
- Linux Kernel (Octeontx2-af driver)
- Marvell OcteonTX CN98XX boards
- Systems utilizing CGX/RPM MAC block firmware interfaces
Discovery Timeline
- February 4, 2026 - CVE-2026-23070 published to NVD
- February 5, 2026 - Last updated in NVD database
Technical Details for CVE-2026-23070
Vulnerability Analysis
This vulnerability is a null pointer dereference issue in the Linux kernel's Octeontx2-af driver. The driver provides an interface for the Resource Virtualization Unit (RVU) which manages hardware resources on Marvell OcteonTX platforms. The firmware populates a shared data structure (fwdata) containing critical information including MAC addresses, supported and advertised link modes, and EEPROM data.
The vulnerability manifests when the kernel attempts to access this firmware data structure on systems that have been booted without a MAC block (CGX/RPM) present. The driver fails to properly validate whether the firmware data structure is accessible before dereferencing pointers within it, leading to a kernel panic with the error code 0000000096000005.
The crash occurs specifically in the rvu_sdp_init+0x18/0x114 function, which is called during the rvu_probe initialization sequence. This indicates the vulnerability is triggered early in the driver initialization process when the system attempts to configure the RVU subsystem.
Root Cause
The root cause of this vulnerability is the absence of proper null checks and validation for the firmware data structure (fwdata) before accessing its members. The kernel code assumes that the firmware data is always available and properly populated, which is not the case on boards booted without MAC block support. This missing input validation allows the driver to dereference a null or invalid pointer when the hardware configuration does not include the expected MAC block components.
Attack Vector
The vulnerability requires local access to the system and is triggered during the kernel driver initialization phase. An attacker with local privileges could potentially exploit this vulnerability to cause a denial of service by:
- Booting the system in a configuration that excludes MAC block support
- Loading or initializing the Octeontx2-af driver
- Triggering the rvu_probe function which leads to the vulnerable rvu_sdp_init call
The kernel panic trace shows the vulnerability is triggered in a workqueue context (kworker/0:3) during the work_for_cpu_fn execution, indicating it can be triggered through normal driver initialization pathways without requiring special privileges beyond those needed to configure kernel modules.
Detection Methods for CVE-2026-23070
Indicators of Compromise
- Kernel panic messages containing rvu_sdp_init function references
- System crash logs showing error code 0000000096000005 with SMP designation
- Unexpected system reboots on Marvell OcteonTX platforms during boot sequence
- Workqueue-related crashes in work_for_cpu_fn during driver initialization
Detection Strategies
- Monitor kernel logs for null pointer dereference errors in the Octeontx2-af driver subsystem
- Implement crash dump analysis to identify patterns matching the rvu_sdp_init crash signature
- Configure kernel crash handlers to capture and alert on driver initialization failures
- Review system boot logs for RVU driver-related errors on affected hardware platforms
Monitoring Recommendations
- Enable kernel crash dump collection on systems running affected kernel versions
- Configure automated alerting for unexpected system reboots on Marvell OcteonTX hardware
- Monitor system stability metrics during driver initialization phases
- Track kernel log entries containing references to octeontx2-af, rvu_probe, or rvu_sdp_init
How to Mitigate CVE-2026-23070
Immediate Actions Required
- Apply the kernel patches from the upstream Linux kernel repository
- Ensure systems are properly configured with MAC block support if using Octeontx2-af driver
- Consider disabling the Octeontx2-af driver module on systems without MAC block hardware
- Review and update kernel versions on affected Marvell OcteonTX platforms
Patch Information
The vulnerability has been resolved in the upstream Linux kernel. Security patches are available through the kernel stable tree. The patches add proper validation checks for the firmware data structure before accessing its members, preventing null pointer dereferences on systems without MAC block support.
Relevant patch commits:
- Kernel Git Commit 4a3dba48188208e4f66822800e042686784d29d1
- Kernel Git Commit e343973fab43c266a40e4e0dabdc4216db6d5eff
Workarounds
- Blacklist the octeontx2_af kernel module on systems that do not require MAC block functionality
- Configure boot parameters to skip RVU driver initialization on affected hardware
- Use an alternative network driver configuration if available for the hardware platform
- Deploy systems with proper MAC block hardware configuration to avoid triggering the vulnerability
# Blacklist the affected module if not required
echo "blacklist octeontx2_af" >> /etc/modprobe.d/blacklist-octeontx2.conf
# Update initramfs to apply module blacklist
update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
