CVE-2026-23210: Linux Kernel Race Condition Vulnerability

CVE-2026-23210 Overview

CVE-2026-23210 is a NULL pointer dereference vulnerability in the Linux kernel's Intel Ethernet ice driver. The flaw resides in the Precision Time Protocol (PTP) subsystem, where a race condition between ice_ptp_rebuild() and Virtual Station Interface (VSI) reconstruction allows the PTP periodic worker to access an uninitialized vsi->rx_rings pointer. Triggering the race results in a kernel oops and denial of service on systems using affected Intel Ethernet adapters. The issue affects Linux kernel 6.19 release candidates (rc1 through rc8) and was resolved by reordering the work-queue logic so PTP work is only requeued after the VSI rebuild completes.

Critical Impact
A local low-privileged trigger of a driver reset on systems running the ice driver can crash the kernel via a NULL pointer dereference in ice_ptp_update_cached_phctime(), causing host-wide denial of service.

Affected Products

Linux Kernel 6.19-rc1 through 6.19-rc8
Systems using the Intel Ethernet ice driver with PTP enabled
Distributions shipping pre-release 6.19 kernels

Discovery Timeline

2026-02-14 - CVE-2026-23210 published to NVD
2026-04-02 - Last updated in NVD database

Technical Details for CVE-2026-23210

Vulnerability Analysis

The vulnerability is a NULL pointer dereference [CWE-476] in the ice driver's PTP code path during a VSI rebuild operation. The Intel ice driver supports hardware timestamping through PTP. During a controller reset, the driver tears down and reconstructs the VSI and its associated receive ring structures. The ice_ptp_update_cached_phctime() function iterates over vsi->rx_rings to refresh cached PHC time values on each ring. If this function executes before the rings have been reallocated, it dereferences a NULL pointer and crashes the kernel.

The call trace shows ice_ptp_periodic_work() invoking ice_ptp_update_cached_phctime+0xbf/0x150 from the dedicated ice-ptp-0000:60 kthread, faulting at address 0x0 in supervisor read mode.

Root Cause

The defect is an ordering and synchronization error in the reset sequence. ice_ptp_prepare_for_reset() correctly cancels in-flight PTP work, but ice_ptp_rebuild() immediately requeues the PTP periodic worker before the surrounding ice_rebuild() routine recreates the VSI and its rx_rings array. The PTP kthread runs on another CPU and races against the rebuild path. The fix introduces an ice_ptp_queue_work() helper that only schedules the worker when PTP is supported and the driver state is ICE_PTP_READY, and defers queuing until after VSI reconstruction completes.

Attack Vector

Exploitation requires local access and the ability to trigger an ice driver reset, such as toggling interface state, applying configuration changes, or inducing a hardware reset event. The race window is narrow and depends on scheduler timing, which is reflected in the high attack complexity. Successful triggering produces a kernel oops affecting availability only — no memory corruption, code execution, or information disclosure is possible through this code path.

The vulnerability is described in prose because no exploit code is required; the crash occurs whenever the PTP worker observes the unset vsi->rx_rings pointer during the rebuild window. See the Kernel Git Commit 7565d4d and Kernel Git Commit fc6f36ea for the upstream resolution.

Detection Methods for CVE-2026-23210

Indicators of Compromise

Kernel log entries containing BUG: kernel NULL pointer dereference with RIP: ice_ptp_update_cached_phctime in the faulting instruction pointer.
Call traces referencing ice_ptp_periodic_work originating from a ice-ptp-<bdf> kthread.
Preceding ice 0000:XX:XX.X: PTP reset successful messages immediately before the oops.

Detection Strategies

Monitor dmesg and /var/log/kern.log for the signature trio of PTP reset, NULL dereference, and ice module frames.
Verify running kernel version with uname -r and flag any host running 6.19-rc1 through 6.19-rc8 with the ice driver loaded.
Correlate unexplained host reboots or NIC resets on systems with Intel E810-series adapters where PTP is enabled.

Monitoring Recommendations

Ingest kernel logs into a centralized logging or SIEM pipeline and alert on ice_ptp_ symbols in oops traces.
Track ice module load events and driver reset counters via ethtool -S <iface> for repeated reset patterns.
Audit the fleet for pre-release kernels using configuration management inventory and prioritize them for patching.

How to Mitigate CVE-2026-23210

Immediate Actions Required

Upgrade to a stable Linux kernel release that includes the upstream fix commits 7565d4df66b6 and fc6f36eaaedc.
Avoid running 6.19 release-candidate kernels on production hosts that use the ice driver with PTP enabled.
Restrict local user ability to trigger NIC resets by tightening CAP_NET_ADMIN assignments and sudoers entries.

Patch Information

The fix is upstream in the Linux kernel and is referenced in the following commits: Kernel Git Commit 7565d4d, Kernel Git Commit ba0c7fff, and Kernel Git Commit fc6f36ea. The patch introduces ice_ptp_queue_work() and moves PTP work requeue logic to after VSI rebuild in ice_rebuild().

Workarounds

Disable PTP on the affected interface using ethtool hardware timestamping controls if timing services are not required.
Unload the ice module and use an alternative supported NIC where feasible until a patched kernel is deployed.
Pin production systems to a stable 6.18.x or earlier supported long-term kernel release.

bash

# Verify kernel version and ice driver state
uname -r
modinfo ice | grep -E '^(version|filename)'

# Disable hardware timestamping on the affected interface
sudo ethtool -T eth0
sudo hwstamp_ctl -i eth0 -r 0 -t 0