CVE-2026-23353 Overview
CVE-2026-23353 is a Null Pointer Dereference vulnerability in the Linux kernel's Intel ice network driver. The vulnerability was introduced during the conversion of the ice driver to page pool architecture, causing the ethtool offline loopback test to crash with a kernel NULL pointer dereference error.
The crash occurs in the ice_alloc_rx_bufs() function when the kernel performs a supervisor-mode write to the invalid address 0x000000000000000c, a small offset from a NULL pointer. This happens because the libeth library was never initialized for the RX ring used during loopback test operations.
Critical Impact
Local users with permission to run ethtool diagnostic commands can trigger a kernel panic, causing system instability and potential denial of service conditions.
Affected Products
- Linux kernel versions with ice driver using page pool architecture
- Systems with Intel network adapters utilizing the ice driver
- Linux kernel 6.19.0-0.rc7 and related versions
Discovery Timeline
- 2026-03-25 - CVE CVE-2026-23353 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-23353
Vulnerability Analysis
This vulnerability is classified as a Null Pointer Dereference that occurs within the Intel ice network driver's receive buffer allocation path. The root cause stems from incomplete initialization of ICE_VSI_LB (loopback) Virtual Station Interface (VSI) structures after the driver was converted to use the page pool subsystem.
When the ethtool loopback test is invoked, the driver attempts to configure receive queues through ice_vsi_cfg_rxqs(), which calls ice_vsi_cfg_rxq(). This function subsequently invokes ice_rxq_pp_create() via libeth_rx_fq_create(), which expects a valid napi struct from a q_vector. However, loopback VSIs were not assigned a q_vector during initialization, resulting in NULL pointer access when attempting to allocate receive buffers.
The crash manifests with error code 0x0002 (not-present page) when the kernel attempts to write to memory address 0x000000000000000c, which corresponds to an offset within a NULL structure pointer.
Root Cause
The vulnerability originates from the ice driver's VSI initialization code failing to treat ICE_VSI_LB (loopback) VSIs similarly to normal PF (Physical Function) VSIs. When the driver was converted to use page pools via libeth, the loopback VSI path was not updated to include the necessary q_vector allocation.
Specifically, the issue is that loopback VSIs require a dummy q_vector containing a napi struct that can be passed to libeth_rx_fq_create(). While the loopback test does not actually use interrupts, the libeth framework expects this structure to be present for proper page pool initialization.
Attack Vector
The attack vector for this vulnerability is local. An attacker with sufficient privileges to execute ethtool diagnostic commands can trigger the kernel crash by running the offline loopback self-test.
The vulnerability is triggered through the following call chain:
- User executes ethtool self-test command
- Kernel processes __x64_sys_ioctl() → dev_ioctl() → dev_ethtool()
- ethtool_self_test() invokes ice_self_test()
- ice_loopback_test() attempts to configure RX queues
- ice_vsi_cfg_rxqs() → ice_vsi_cfg_rxq() → ice_rxq_pp_create()
- NULL pointer dereference occurs in ice_alloc_rx_bufs() at RIP 0x1cd
Detection Methods for CVE-2026-23353
Indicators of Compromise
- Kernel oops messages containing ice_alloc_rx_bufs in the call trace
- System logs showing NULL pointer dereference at address 0x000000000000000c
- Crash dumps with call traces involving ice_loopback_test, ice_vsi_cfg_rxq, and ice_vsi_cfg_rxqs
- Unexpected system reboots following ethtool diagnostic operations on Intel ice NICs
Detection Strategies
- Monitor kernel logs (dmesg, /var/log/kern.log) for BUG messages related to the ice driver module
- Implement audit rules to track execution of ethtool commands with self-test flags
- Configure kernel panic handlers to capture and analyze crash dumps for ice driver stack traces
- Deploy file integrity monitoring on ice driver module files to detect unauthorized modifications
Monitoring Recommendations
- Enable kernel crash dump collection (kdump) to capture detailed diagnostic information
- Configure real-time log monitoring for kernel oops and panic events mentioning [ice] module
- Implement alerting for repeated ethtool self-test command executions that may indicate exploitation attempts
- Monitor system stability metrics on servers with Intel network adapters using the ice driver
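An added example, not from the advisory, that turns the indicators above into a log check: a POSIX sh function that flags a kernel log only when the NULL-dereference address, ice_alloc_rx_bufs and ice_loopback_test all appear together, so a generic ice oops or an unrelated NULL dereference does not raise the alert. The log lines are constructed for the demo, modelled on the x86-64 oops format; they are not a real capture.

```shell
#!/bin/sh
# Added example (not from the advisory): flag a kernel log only when all
# three indicators listed above appear together. Sample lines below are
# constructed for the demo, not a verbatim capture.

# Prints "match" when the log file $1 contains the NULL-deref address 0xc,
# ice_alloc_rx_bufs and ice_loopback_test; otherwise prints "no-match".
ice_oops_signature() {
    log="$1"
    if grep -q 'NULL pointer dereference, address: 000000000000000c' "$log" &&
       grep -q 'ice_alloc_rx_bufs' "$log" &&
       grep -q 'ice_loopback_test' "$log"; then
        echo match
    else
        echo no-match
    fi
}

# Helper: write a sample string to a temp file and scan it.
scan_sample() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$1" > "$tmp"
    ice_oops_signature "$tmp"
    rm -f "$tmp"
}

# Constructed positive sample: the call chain the advisory describes.
POSITIVE_LOG='BUG: kernel NULL pointer dereference, address: 000000000000000c
#PF: error_code(0x0002) - not-present page
RIP: 0010:ice_alloc_rx_bufs+0x1cd [ice]
Call Trace:
 ice_vsi_cfg_rxq [ice]
 ice_vsi_cfg_rxqs [ice]
 ice_loopback_test [ice]
 ethtool_self_test
 dev_ethtool'

# Constructed partial sample: same function, different path; must not match.
PARTIAL_LOG='BUG: kernel NULL pointer dereference, address: 000000000000000c
RIP: 0010:ice_alloc_rx_bufs+0x1cd [ice]
Call Trace:
 ice_vsi_open [ice]'

# Constructed benign sample: an ordinary ice link message.
NEGATIVE_LOG='ice 0000:3b:00.0 eth0: NIC Link is Up 25 Gbps Full Duplex'

scan_sample "$POSITIVE_LOG"   # match
scan_sample "$PARTIAL_LOG"    # no-match
scan_sample "$NEGATIVE_LOG"   # no-match
```

In production, point ice_oops_signature at the captured kernel log (or a kdump vmcore-dmesg output) rather than the constructed samples.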
How to Mitigate CVE-2026-23353
Immediate Actions Required
- Apply the official kernel patches from the Linux stable tree immediately
- Restrict access to ethtool diagnostic commands to authorized administrators only
- Avoid running ethtool offline loopback tests until patches are applied
- Consider temporarily disabling self-test capabilities on affected systems in production environments
Patch Information
The Linux kernel team has released patches to address this vulnerability. The fix treats ICE_VSI_LB VSIs more like normal PF VSIs by allocating a dummy q_vector containing the required napi struct for libeth compatibility.
Official Patches:
System administrators should update to kernel versions containing these patches or backport the fixes to their current kernel versions.
Workarounds
- Restrict ethtool command access using Linux capabilities or sudo policies to limit which users can run diagnostic tests
- Disable or skip the loopback self-test by avoiding the -t offline flag with ethtool until patched
- Implement SELinux or AppArmor policies to prevent unauthorized ethtool diagnostic operations
- Consider using alternative network diagnostic methods that do not invoke the ice driver's loopback test functionality
# Configuration example
# Restrict the ethtool binary to root and the root group (mode 750)
chmod 750 /usr/sbin/ethtool
# Add sudoers rule to restrict ethtool self-test (in /etc/sudoers.d/ethtool)
# Cmnd_Alias ETHTOOL_SAFE = /usr/sbin/ethtool -i *, /usr/sbin/ethtool -S *
# Cmnd_Alias ETHTOOL_DANGEROUS = /usr/sbin/ethtool -t *
# %netadmin ALL = ETHTOOL_SAFE, !ETHTOOL_DANGEROUS
# Note: sudoers(5) documents that "!" negations are not a reliable deny; the
# ETHTOOL_SAFE allow-list is what actually limits netadmin, so keep it minimal
# Check current kernel version for patch status
uname -r
# Verify ice driver version and module path
modinfo ice | grep -E "^(version|filename)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

