CVE-2026-43013 Overview
CVE-2026-43013 is a Linux kernel vulnerability in the Mellanox mlx5 driver Link Aggregation (LAG) subsystem. The flaw resides in __mlx5_lag_dev_add_mdev(), which can return success (0) even when an internal error has been gracefully handled and no valid LAG context exists. The initialization path then calls mlx5_ldev_add_debugfs(), which creates debugfs directories and attributes without verifying that the LAG device pointer is valid. Reading exposed entries such as the members file can trigger a NULL pointer dereference in kernel space.
Critical Impact
A local user with access to the exposed debugfs interface can trigger a kernel NULL pointer dereference, leading to a denial of service on systems using Mellanox mlx5 network adapters with LAG.
Affected Products
- Linux kernel versions containing the affected net/mlx5 LAG debugfs initialization code
- Systems using Mellanox ConnectX adapters with the mlx5_core driver
- Distributions shipping unpatched stable kernel branches referenced in the upstream commits
Discovery Timeline
- 2026-05-01 - CVE-2026-43013 published to NVD
- 2026-05-01 - Last updated in NVD database
Technical Details for CVE-2026-43013
Vulnerability Analysis
The vulnerability lives in the Mellanox mlx5 driver's LAG (Link Aggregation) initialization logic. Specifically, __mlx5_lag_dev_add_mdev() can return 0, indicating success, even after encountering a recoverable error. This breaks the contract callers rely on to determine whether a valid LAG device structure exists.
When the caller proceeds under the assumption that LAG was set up correctly, it invokes mlx5_ldev_add_debugfs(). That function unconditionally creates the debugfs directory and registers attribute files. One such attribute, members, references the LAG device pointer (ldev) at access time.
If user space later reads members while ldev is NULL, the kernel dereferences a NULL pointer. The result is a kernel oops and process or system instability. The fix verifies that mlx5_lag_dev(dev) returns a valid pointer before creating the debugfs entries.
Root Cause
The root cause is a missing validation step combined with an inconsistent return value from __mlx5_lag_dev_add_mdev(). The function masks gracefully handled error paths by returning success, and the debugfs creation routine does not independently confirm that a backing LAG context exists. This is a NULL pointer dereference rooted in improper input validation between cooperating kernel functions.
Attack Vector
Exploitation requires local access on a host running an affected mlx5_core driver where the vulnerable initialization path has executed. Reading the exposed debugfs members attribute then triggers a dereference of the NULL ldev pointer, which manifests as a denial of service. The vulnerability does not provide a documented path to code execution or privilege escalation.
No public proof-of-concept code is available. The fix is described in the upstream patches referenced in the Linux Kernel Commit Report.
Detection Methods for CVE-2026-43013
Indicators of Compromise
- Kernel oops or panic messages referencing mlx5_ldev_add_debugfs, mlx5_lag, or NULL pointer dereferences in mlx5_core
- Unexpected reads of files under /sys/kernel/debug/mlx5/*/lag/members from non-administrative user contexts
- Loss of network connectivity on hosts using Mellanox ConnectX adapters following debugfs access
Detection Strategies
- Monitor dmesg and /var/log/kern.log for BUG: kernel NULL pointer dereference traces tied to mlx5_core symbols
- Audit kernel package versions across the fleet and flag hosts running kernels predating the upstream fix commits
- Track process access to /sys/kernel/debug/mlx5/ paths via auditd file watches
Monitoring Recommendations
- Enable auditd rules on /sys/kernel/debug/mlx5/ to record read operations and the invoking UID
- Forward kernel logs to a centralized logging or SIEM platform and alert on mlx5 oops signatures
- Inventory hosts with Mellanox NICs and correlate kernel build identifiers against the patched commit set
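The kernel-log check from the detection and monitoring lists above, as an added example that is not part of the original advisory: it reports a NULL-dereference oops only when the same report also mentions an mlx5 symbol or module tag. The sample log lines, the PLACEHOLDER_ symbol names and the 40-line window are constructed assumptions.

```sh
#!/bin/sh
# Added example: report NULL-dereference oopses whose report mentions mlx5.
# Input: kernel log text on stdin, e.g.  dmesg | scan_mlx5_oops
scan_mlx5_oops() {
    awk '
        # Start of an oops report: remember the header and open a 40-line
        # window (assumed bound for reports that lack an end marker).
        /BUG: kernel NULL pointer dereference/ { hdr = $0; inrep = 1; left = 40; next }
        inrep {
            if ($0 ~ /mlx5_core|mlx5_lag|mlx5_ldev/) {
                print hdr; hits++; inrep = 0     # one alert per report
            } else if ($0 ~ /end trace/ || --left == 0) {
                inrep = 0                        # report closed, no mlx5 frame
            }
        }
        END { exit (hits > 0 ? 0 : 1) }          # 0 = at least one match
    '
}

# Constructed sample: one mlx5-related oops, one informational mlx5 line,
# and one unrelated oops that must not be reported.
sample_kern_log() {
    cat <<'EOF'
[  100.000001] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  100.000002] #PF: supervisor read access in kernel mode
[  100.000003] Oops: 0000 [#1] SMP NOPTI
[  100.000004] CPU: 2 PID: 4242 Comm: cat Not tainted
[  100.000005] RIP: 0010:PLACEHOLDER_members_show+0x1a/0x90 [mlx5_core]
[  100.000006] Call Trace:
[  100.000007] ---[ end trace 0000000000000000 ]---
[  200.000001] mlx5_core 0000:3b:00.0: constructed informational line
[  300.000001] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  300.000002] RIP: 0010:PLACEHOLDER_other+0x5/0x20 [example_mod]
[  300.000003] ---[ end trace 0000000000000000 ]---
EOF
}

sample_kern_log | scan_mlx5_oops || echo "no mlx5 NULL-dereference oops found"
```

The function exits 0 when at least one matching report is found, so it can gate an alert in a cron job or log-shipping hook.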
How to Mitigate CVE-2026-43013
Immediate Actions Required
- Apply the upstream Linux kernel patches that add a mlx5_lag_dev(dev) validity check before debugfs creation
- Update to a distribution kernel that incorporates the fix referenced in the kernel.org stable commits
- Restrict debugfs access by ensuring /sys/kernel/debug is mounted with mode=700 and owned by root
Patch Information
The vulnerability is resolved across multiple stable branches. Refer to the upstream commits: 7129632cab3e, 89c65f2fcd88, a3db46d5f4df, bf16bca66536, c53cf44588a9, and cfa774e6c920. Rebuild affected kernels or install vendor-supplied kernel updates that include these commits.
Workarounds
- Unmount or restrict access to debugfs on production systems where it is not required for operations
- Limit local logon and shell access on hosts with Mellanox mlx5 adapters to trusted administrators only
- Where LAG is not required, avoid configuring LAG on mlx5 interfaces to reduce exposure to the affected code path
# Restrict debugfs to root only (workaround until a patched kernel is deployed)
mount -o remount,mode=700 /sys/kernel/debug
# Print the running kernel release, then compare it with the fixed release in your distribution's advisory
uname -r
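To confirm the debugfs restriction took effect and whether the LAG entries exist at all, the following added example (not from the original advisory) inspects only file metadata. It assumes GNU stat, must run as root to see inside a restricted debugfs, and the function name and return codes are hypothetical.

```sh
#!/bin/sh
# Added example: is the mlx5 LAG debugfs interface reachable on this host?
# Only metadata is inspected. The members file is never read, because on an
# unpatched kernel that read is the crash trigger described in the advisory.
#
# check_mlx5_lag_exposure [DEBUGFS_ROOT] [OWNER_UID]
#   returns 0: no LAG entries, or debugfs limited to OWNER_UID
#   returns 1: LAG entries exist and debugfs is open beyond OWNER_UID
#   returns 2: could not stat DEBUGFS_ROOT
check_mlx5_lag_exposure() {
    root=${1:-/sys/kernel/debug}
    uid=${2:-0}
    if [ ! -d "$root" ]; then
        echo "debugfs not mounted at $root"; return 0
    fi
    perms=$(stat -c '%a %u' "$root") || return 2    # GNU stat assumed
    mode=${perms% *}
    owner=${perms#* }
    # Path pattern from the advisory: <debugfs>/mlx5/*/lag/members
    n=$(find "$root/mlx5" -type f -path '*/lag/members' 2>/dev/null | wc -l | tr -d ' ')
    if [ "$n" -eq 0 ]; then
        echo "no mlx5 LAG members entries under $root"; return 0
    fi
    case "$mode" in
        *00) restricted=yes ;;    # no group/other bits, e.g. 700
        *)   restricted=no ;;
    esac
    if [ "$restricted" = yes ] && [ "$owner" = "$uid" ]; then
        echo "$n LAG members entries; debugfs mode $mode uid $owner (restricted)"
        return 0
    fi
    echo "$n LAG members entries; debugfs mode $mode uid $owner (EXPOSED)"
    return 1
}

check_mlx5_lag_exposure "$@" || true
```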


