CVE-2026-23117 Overview
A vulnerability has been identified in the Linux kernel's ice network driver that can result in a NULL pointer dereference during driver operations. The issue stems from a missing ice_deinit_hw() call in the devlink reinit path, which causes hardware initialization failures and subsequent system instability when the driver is removed.
Critical Impact
System instability and potential denial of service through NULL pointer dereference when performing devlink-reload operations on Intel ice network adapters, followed by driver removal.
Affected Products
- Linux kernel ice network driver
- Systems utilizing Intel Ethernet Controller E800 Series adapters
- Linux distributions with affected kernel versions
Discovery Timeline
- 2026-02-14 - CVE CVE-2026-23117 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-23117
Vulnerability Analysis
This vulnerability affects the Linux kernel's ice network driver, which manages Intel Ethernet Controller E800 Series network adapters. The issue manifests when a devlink-reload operation is performed, resulting in an ice_init_hw failed error with return code -16 (-EBUSY). Subsequently, attempting to remove the ice driver triggers a NULL pointer dereference, causing system instability.
The error trace indicates the crash occurs within the ice_unload() function at offset 0x8f/0x100, called from ice_remove() at offset 0xba/0x300. This represents a failure in the driver's hardware deinitialization sequence during module removal.
Root Cause
The root cause is a regression introduced by commit 1390b8b3d2be ("ice: remove duplicate call to ice_deinit_hw() on error paths"), which removed the ice_deinit_hw() function call from ice_deinit_dev(). This change broke the symmetry between initialization and deinitialization in the devlink reinit path.
Specifically, ice_devlink_reinit_down() no longer calls ice_deinit_hw(), while ice_devlink_reinit_up() still calls ice_init_hw(). This asymmetry means that control queues are not properly uninitialized before reinitialization is attempted. When ice_init_hw() attempts to reinitialize hardware resources that are already in use, it fails with -EBUSY (error code -16), leaving the driver in an inconsistent state.
Attack Vector
The vulnerability requires local access to the system with sufficient privileges to perform devlink operations on network devices. An attacker with administrative access could trigger this vulnerability through the following sequence:
- Execute a devlink-reload operation on an affected ice network device
- Observe the ice_init_hw failed: -16 error indicating the hardware reinitialization failure
- Attempt to remove the ice driver module (e.g., modprobe -r ice)
- The NULL pointer dereference occurs during driver removal, potentially causing system instability or kernel panic
While this requires local administrative privileges, it could be leveraged for denial of service attacks on systems where an attacker has gained elevated access.
Detection Methods for CVE-2026-23117
Indicators of Compromise
- Kernel log messages showing ice_init_hw failed: -16 errors after devlink operations
- System crashes or kernel panics with call traces referencing ice_unload and ice_remove functions
- Unexpected behavior when performing devlink reload on Intel E800 series network adapters
- Kernel oops messages indicating NULL pointer dereference in the ice driver module
Detection Strategies
- Monitor system logs for ice_init_hw failed errors with error code -16
- Implement kernel log monitoring for NULL pointer dereference events in the ice driver module
- Track devlink operations on ice network devices for unusual patterns or repeated failures
- Use kernel tracing tools to monitor ice driver function calls during reload operations
Monitoring Recommendations
- Configure system monitoring to alert on kernel oops or panic events related to network drivers
- Implement log aggregation for dmesg output filtering for ice driver errors
- Monitor driver module load/unload events, particularly for the ice module
- Set up automated checks for driver initialization failures after devlink operations
How to Mitigate CVE-2026-23117
Immediate Actions Required
- Apply the kernel patch that adds ice_deinit_hw() to ice_devlink_reinit_down()
- Avoid performing devlink-reload operations on affected systems until patched
- Update to a kernel version containing the fix commits
- Consider temporarily disabling devlink reload functionality if updates cannot be immediately applied
Patch Information
The vulnerability has been resolved in the Linux kernel through commits that restore the proper ice_deinit_hw() call in the devlink reinit path. The fix ensures that hardware deinitialization is properly performed before reinitialization, maintaining the symmetry between ice_devlink_reinit_down() and ice_devlink_reinit_up().
Patch commits are available from the kernel Git repository:
System administrators should update their kernel packages through their distribution's package manager or apply the patches directly if building custom kernels.
Workarounds
- Avoid using devlink reload commands on systems with the ice driver until the kernel is patched
- If devlink-reload is required, reboot the system rather than removing the ice driver module
- Restrict administrative access to devlink operations on production systems
- Implement access controls to limit which users can perform driver module operations
# Configuration example
# Check if ice driver is loaded and kernel version
lsmod | grep ice
uname -r
# Monitor for ice driver errors in kernel logs
dmesg | grep -i "ice_init_hw failed"
# Avoid devlink reload until patched - use system reboot instead
# If you must reload, do not attempt to remove the driver afterward
# devlink dev reload pci/0000:ca:00.0 # AVOID UNTIL PATCHED
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
