CVE-2026-23438 Overview
CVE-2026-23438 is a NULL pointer dereference vulnerability in the Linux kernel's Marvell PPv2 (mvpp2) network driver. The vulnerability exists in the mvpp2_bm_switch_buffers() function which unconditionally calls mvpp2_bm_pool_update_priv_fc() when switching between per-cpu and shared buffer pool modes, without properly checking if the required CM3 SRAM resource is present.
When the CM3 SRAM resource is not defined in the device tree configuration, the priv->cm3_base pointer remains NULL while priv->global_tx_fc is set to false. Any operation that triggers mvpp2_bm_switch_buffers(), such as an MTU change that crosses the jumbo frame threshold, will crash the kernel by dereferencing this NULL pointer through the mvpp2_cm3_read() and mvpp2_cm3_write() functions.
Critical Impact
This vulnerability can cause a kernel panic and system crash on affected systems using Marvell PPv2 network hardware when certain network configuration changes are performed.
Affected Products
- Linux kernel with Marvell PPv2 (mvpp2) network driver enabled
- Systems using Marvell Armada SoCs with PPv2 network controllers
- Devices without CM3 SRAM resource defined in device tree configuration
Discovery Timeline
- April 3, 2026 - CVE-2026-23438 published to NVD
- April 7, 2026 - Last updated in NVD database
Technical Details for CVE-2026-23438
Vulnerability Analysis
The root cause of this vulnerability lies in the inconsistent handling of flow control hardware access guards within the mvpp2 driver. The mvpp2_bm_switch_buffers() function is the only location in the driver that omits the necessary check for priv->global_tx_fc before attempting to access flow control registers.
When a system operates without the CM3 SRAM memory region (added to the device tree by commit 60523583b07c), the priv->cm3_base pointer is never initialized and remains NULL. The driver correctly sets priv->global_tx_fc to false in this configuration, and most code paths properly check this flag before attempting hardware access.
However, the vulnerable mvpp2_bm_switch_buffers() function calls mvpp2_bm_pool_update_priv_fc() without this guard, which in turn calls mvpp2_bm_pool_update_fc() and eventually mvpp2_cm3_read(). mvpp2_cm3_read() then performs a readl() on the NULL priv->cm3_base pointer, triggering a kernel NULL pointer dereference.
Root Cause
The vulnerability stems from a missing guard condition check in the mvpp2_bm_switch_buffers() function. While every other flow control call site in the driver guards hardware access with either priv->global_tx_fc or port->tx_fc flags, this particular function unconditionally calls the flow control update functions. The fix adds the missing priv->global_tx_fc guard to both the disable and re-enable calls in mvpp2_bm_switch_buffers(), maintaining consistency with the rest of the driver implementation.
Attack Vector
This vulnerability is triggered locally through network configuration changes. The most common trigger is an MTU change that crosses the jumbo frame threshold, which initiates the buffer switching operation. The attack vector requires local access to modify network interface parameters. Since this results in a denial of service (kernel crash) rather than code execution, the primary impact is system availability.
The crash call trace reveals the execution path:
- dev_set_mtu() or similar network configuration call
- mvpp2_change_mtu()
- mvpp2_bm_switch_buffers.isra.0()
- mvpp2_bm_pool_update_priv_fc()
- mvpp2_bm_pool_update_fc()
- mvpp2_cm3_read.isra.0()
- readl() - NULL pointer dereference occurs here
Detection Methods for CVE-2026-23438
Indicators of Compromise
- Kernel panic logs containing NULL pointer dereference at virtual address 0000000000000000
- Crash traces showing readl+0x0/0x18 in the program counter
- Call traces referencing mvpp2_cm3_read, mvpp2_bm_pool_update_fc, or mvpp2_bm_switch_buffers functions
- System crashes occurring during MTU changes on Marvell PPv2 network interfaces
Detection Strategies
- Monitor kernel logs for Data Abort (DABT) exceptions with ESR value 0x0000000096000006 and EC value 0x25
- Implement watchdog monitoring for unexpected system reboots following network configuration changes
- Review device tree configurations to identify systems without CM3 SRAM resource definitions
- Use kernel crash dump analysis tools to identify NULL pointer dereferences in the mvpp2 driver
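The indicators and the ESR/EC check listed above can be combined into one log filter that only fires when they occur in the same oops. The script below is an added example, not part of the original advisory or the kernel tree; the function names and both sample logs are constructed, and only the NULL address, readl+0x0/0x18, the ESR value and the mvpp2 function names come from this page.

```shell
#!/bin/sh
# Added example: match an arm64 oops against the CVE-2026-23438 crash signature.
# EC is ESR bits [31:26]; 0x25 means a data abort taken from the current EL.
esr_ec() { printf '0x%02x\n' $(( ($1 >> 26) & 0x3f )); }

# Reads kernel log text on stdin. An oops qualifies when it shows all three
# indicators (NULL address, pc in readl, mvpp2 frames); returns 0 if a
# qualifying oops also carries an ESR whose EC is 0x25, otherwise 1.
scan_mvpp2_oops() {
  esrs=$(awk '
    function flush() {
      if (null0 && readl_pc && mvpp2) print esr
      null0 = readl_pc = mvpp2 = 0; esr = "unknown"
    }
    /Unable to handle kernel/ { flush() }   # start of a new oops report
    /NULL pointer dereference at virtual address 0000000000000000/ { null0 = 1 }
    /ESR = 0x[0-9a-fA-F]+/ { esr = $NF }
    /pc : readl\+0x0\/0x18/ { readl_pc = 1 }
    /mvpp2_(cm3_read|bm_pool_update_fc|bm_switch_buffers)/ { mvpp2 = 1 }
    END { flush() }
  ')
  for e in $esrs; do
    case $e in 0x*) [ "$(esr_ec "$e")" = 0x25 ] && return 0 ;; esac
  done
  return 1
}

# Constructed sample; timestamps and all offsets except readl+0x0/0x18 are made up.
sample_mvpp2_oops() { cat <<'EOF'
[  812.401] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[  812.402]   ESR = 0x0000000096000006
[  812.410] pc : readl+0x0/0x18
[  812.411] Call trace:
[  812.411]  readl+0x0/0x18
[  812.411]  mvpp2_bm_pool_update_fc+0x40/0x12c
[  812.411]  mvpp2_bm_switch_buffers.isra.0+0x80/0x1c0
[  812.411]  mvpp2_change_mtu+0x140/0x380
EOF
}

# Constructed negative sample: same fault type, unrelated (hypothetical) function.
sample_other_oops() { cat <<'EOF'
[   55.100] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[   55.101]   ESR = 0x0000000096000006
[   55.110] pc : example_probe+0x24/0x90
EOF
}

sample_mvpp2_oops | scan_mvpp2_oops && echo "oops matches the CVE-2026-23438 signature"
```

To use it on a live system, pipe `dmesg` or `journalctl -k` output into `scan_mvpp2_oops` and act on the exit status.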
Monitoring Recommendations
- Enable kernel crash dump collection (kdump) to capture diagnostic information when crashes occur
- Monitor network interface configuration events, particularly MTU changes on mvpp2 interfaces
- Implement system uptime monitoring to detect unexpected reboots on affected platforms
- Review kernel logs for warnings or errors related to the mvpp2 driver during system initialization
How to Mitigate CVE-2026-23438
Immediate Actions Required
- Apply the kernel patch from the official Linux kernel stable branches immediately
- Avoid changing MTU settings on affected network interfaces until patched
- Verify device tree configurations and consider adding CM3 SRAM resource definitions if hardware supports it
- Plan maintenance windows for kernel updates on production systems
Patch Information
The Linux kernel team has released patches across multiple stable branches to address this vulnerability. The fix adds the missing priv->global_tx_fc guard to both the disable and re-enable calls in mvpp2_bm_switch_buffers(), ensuring consistent behavior with the rest of the driver.
Available patches:
- Kernel Git Commit 7bd20f4
- Kernel Git Commit 7df2b50
- Kernel Git Commit 8a63baa
- Kernel Git Commit 8baced5
- Kernel Git Commit da089f7
- Kernel Git Commit ff0c54f
Workarounds
- Avoid MTU changes that cross the jumbo frame threshold on systems using mvpp2 driver without CM3 SRAM
- If hardware supports it, update device tree to include the CM3 SRAM memory resource definition
- Consider temporarily using alternative network interfaces until the kernel can be patched
- Implement change management controls to prevent inadvertent network configuration changes on affected systems
# Check if your system uses the mvpp2 driver (lsmod lists it only when built as a module)
lsmod | grep mvpp2
# Verify current kernel version
uname -r
# Check device tree for CM3 SRAM resource (on affected platforms)
hexdump -C /sys/firmware/devicetree/base/*/ethernet@*/reg
# Monitor for kernel crashes related to mvpp2
dmesg | grep -iE "mvpp2|null pointer"


