CVE-2026-23084 Overview
CVE-2026-23084 is a NULL pointer dereference vulnerability in the Linux kernel's be2net Emulex BladeEngine 10Gb Ethernet driver. The flaw resides in the be_cmd_get_mac_from_list() function, which writes a firmware-provided PMAC_ID to a caller-supplied pointer when pmac_id_valid is set to false. A code path inside the driver invokes this function with both pmac_id_valid == false and pmac_id == NULL, causing the kernel to dereference a NULL pointer. The fix passes the address of a stub variable to satisfy the function's contract. This issue affects Linux kernel 6.19 release candidates and several earlier stable branches receiving backports.
Critical Impact
A local user on a system using the be2net driver can trigger a kernel NULL pointer dereference, causing a kernel oops and denial of service on the affected host.
Affected Products
- Linux kernel 6.19-rc1 through 6.19-rc6
- Linux kernel stable branches receiving the seven backport commits referenced by kernel.org
- Systems loading the be2net driver for Emulex BladeEngine 10Gb Ethernet adapters
Discovery Timeline
- 2026-02-04 - CVE-2026-23084 published to NVD
- 2026-03-17 - Last updated in NVD database
Technical Details for CVE-2026-23084
Vulnerability Analysis
The be2net driver provides kernel support for Emulex BladeEngine 10Gb Ethernet network adapters. Inside be_cmd_get_mac_from_list(), the pmac_id_valid parameter governs whether the driver supplies a known PMAC_ID to firmware or queries firmware for one. When pmac_id_valid is false, the function expects a valid output pointer at pmac_id and writes the firmware-returned identifier to that address. The function contract treats this output pointer as mandatory in that mode.
A caller in the driver invoked be_cmd_get_mac_from_list() with pmac_id_valid = false and pmac_id = NULL, violating the contract. The subsequent store to *pmac_id dereferences a NULL pointer in kernel mode, triggering an oops. The defect is classified as [CWE-476] NULL Pointer Dereference. The upstream fix introduces a local stub variable and passes its address, ensuring the firmware response always has a valid destination.
Root Cause
The root cause is an API contract violation between the caller and be_cmd_get_mac_from_list(). The function unconditionally writes through pmac_id when pmac_id_valid is false, but lacks a NULL check on the output pointer. The caller, in turn, passed NULL because it did not need the returned identifier, exposing the missing guard.
Attack Vector
Exploitation requires local access to a system with the be2net driver loaded and bound to a supported network adapter. A low-privileged local user who can reach a code path that invokes the affected function — for example through certain MAC address management or interface configuration operations — can induce the NULL dereference. The impact is limited to kernel availability: the system panics or oopses, terminating workloads on that host. The flaw does not provide confidentiality or integrity impact and is not remotely reachable across the network.
No public proof-of-concept, exploit database entry, or in-the-wild exploitation has been reported. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2026-23084
Indicators of Compromise
- Kernel oops or panic messages referencing be_cmd_get_mac_from_list or be2net in dmesg or /var/log/kern.log
- Unexpected NULL pointer dereference call traces originating from the be2net module
- Sudden loss of network connectivity on Emulex BladeEngine adapters accompanied by driver fault traces
Detection Strategies
- Inventory hosts where lsmod | grep be2net shows the driver loaded against running kernel versions matching the affected branches
- Parse kernel ring buffers for BUG: kernel NULL pointer dereference events with stack frames inside be2net
- Correlate host crash and reboot telemetry with be2net driver activity to surface repeated availability events
Monitoring Recommendations
- Forward kernel logs to a centralized log platform and alert on Oops, Call Trace, and RIP: entries tied to the driver
- Track kernel package versions across the fleet and flag systems running unpatched 6.19-rc builds or stable branches lacking the backport commits
- Monitor network interface flap rates and host uptime for Emulex BladeEngine-equipped servers
How to Mitigate CVE-2026-23084
Immediate Actions Required
- Apply the upstream kernel patches referenced by the kernel.org commits as soon as your distribution releases updated packages
- Identify hosts using the be2net driver and prioritize them for the kernel update cycle
- Restrict local shell access on affected hosts to trusted administrators until patching is complete
Patch Information
The fix is available in the Linux kernel mainline and is being backported to maintained stable branches. Apply the patches from the following commits: Linux Kernel Commit 31410a0, Linux Kernel Commit 47ffb4d, Linux Kernel Commit 4cba480, Linux Kernel Commit 6c3e008, Linux Kernel Commit 8215794, Linux Kernel Commit 92c6dc1, and Linux Kernel Commit e206fb4. Consume the patched kernel through your distribution's update channel rather than applying patches manually in production.
Workarounds
- Unload the be2net driver with modprobe -r be2net on systems that do not require Emulex BladeEngine adapters
- Blacklist the module by adding blacklist be2net to a file under /etc/modprobe.d/ where the driver is unused
- Limit local account provisioning on affected hosts and enforce least-privilege access until the patched kernel is deployed
# Configuration example
# Verify whether the affected driver is loaded
lsmod | grep be2net
# Temporarily unload the driver if the adapter is not in use
sudo modprobe -r be2net
# Persistently blacklist the module on hosts that do not require it
echo 'blacklist be2net' | sudo tee /etc/modprobe.d/disable-be2net.conf
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
