CVE-2026-43260 Overview
CVE-2026-43260 is a Linux kernel vulnerability in the bnxt_en driver, which supports Broadcom NetXtreme-C/E network adapters. The flaw resides in the Receive Side Scaling (RSS) context deletion logic. A previous commit (667ac333dbb7) added a netif_running() check that prevented freeing the corresponding RSS context Virtual NIC (VNIC) in firmware when the interface was down. This conditional behavior causes the driver to leak VNICs in firmware whenever close() occurs while RSS contexts are still active. The upstream fix removes the netif_running() check so VNICs are always released in firmware on RSS context deletion.
Critical Impact
Active RSS contexts can be lost after interface close/open cycles, leading to firmware resource leaks and failed VNIC creation requests on subsequent open() calls.
Affected Products
- Linux kernel bnxt_en driver for Broadcom NetXtreme-C/E network adapters
- Kernel branches that included commit 667ac333dbb7 introducing the netif_running() guard
- Systems running Broadcom 5741x/5750x/5760x series NICs using the in-tree driver
Discovery Timeline
- 2026-05-06 - CVE-2026-43260 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43260
Vulnerability Analysis
The bnxt_en driver manages RSS contexts that map to firmware-resident VNIC resources on Broadcom NetXtreme adapters. RSS contexts allow the NIC to distribute incoming traffic across multiple receive queues. When userspace deletes an RSS context, the driver must release the associated VNIC reservation in firmware via Hardware Resource Manager (HWRM) commands. The defective logic gated this firmware release on the netif_running() state, skipping the firmware notification when the interface was administratively down.
The consequence is a firmware-side resource leak. After close() with active RSS contexts, the driver state shows the contexts as deleted while firmware still holds the VNIC reservations. On the next open(), the driver attempts to restore RSS contexts and request additional VNIC reservations beyond what was actually freed. Firmware can reject these requests, causing the loss of legitimate active RSS contexts.
Root Cause
The root cause is an over-restrictive precondition added in commit 667ac333dbb7. The HWRM functions already validate delete requests and return cleanly when a resource is already freed. The netif_running() check was therefore unnecessary and introduced an inconsistency between driver and firmware bookkeeping for VNIC reservations.
Attack Vector
This is a kernel reliability and resource-management defect rather than a remotely exploitable memory corruption issue. The condition is triggered through standard administrative actions: configuring RSS contexts, bringing the interface down, then back up. There is no public indication of an exploitable security primitive. Exposure is local and depends on having privileges to manage networking state. See the upstream commit references for the resolved logic.
Detection Methods for CVE-2026-43260
Indicators of Compromise
- Kernel log entries from bnxt_en reporting HWRM failures or VNIC allocation errors after ifdown/ifup sequences on systems with configured RSS contexts.
- Loss of previously configured RSS contexts after an interface restart, observable via ethtool -x showing fewer indirection tables than configured.
- HWRM command return codes indicating resource exhaustion when restoring RSS state on open().
Detection Strategies
- Audit running kernel versions across the fleet and identify hosts using bnxt_en with kernel builds that include commit 667ac333dbb7 but not the fix commits 079986d6db1f, 348a5f8d06c7, 9a9b89eea4a9, or e123d9302d22.
- Monitor dmesg and journalctl -k for bnxt_en HWRM error patterns, especially after network interface state transitions.
- Track changes in ethtool -x <iface> and ethtool -x <iface> context N output around interface up/down events to spot context loss (ethtool -x reads the current RSS state; ethtool -X modifies it).
Monitoring Recommendations
- Centralize kernel logs from Broadcom NIC hosts into your logging or SIEM platform and alert on bnxt_en HWRM failure strings.
- Add health checks that validate expected RSS context counts after planned and unplanned interface restarts.
- Include kernel and driver version inventory in vulnerability management scans to confirm patch deployment.
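The log-monitoring strategy and the post-restart health check above can be combined into one detection rule: flag bnxt_en HWRM error lines that appear shortly after a link transition on the same interface. The following is an added example, not part of the advisory or the kernel tree; the sample log lines are constructed in the style of journalctl -k output, the message wording and the 30-second window are assumptions, and the year is supplied because the short journal timestamp format omits it.

```python
import re
from datetime import datetime, timedelta

# Constructed sample kernel log (journalctl -k style); not real driver output.
SAMPLE_LOG = """\
May 06 10:00:01 host kernel: bnxt_en 0000:3b:00.0 eth0: NIC Link is Down
May 06 10:00:04 host kernel: bnxt_en 0000:3b:00.0 eth0: NIC Link is Up, 25000 Mbps full duplex
May 06 10:00:05 host kernel: bnxt_en 0000:3b:00.0 eth0: hwrm req_type 0x50 seq id 0x12 error 0x4
May 06 10:00:05 host kernel: bnxt_en 0000:3b:00.0 eth0: hwrm_vnic_alloc failed rc:-22
May 06 10:30:00 host kernel: bnxt_en 0000:3b:00.0 eth0: hwrm req_type 0x51 seq id 0x77 error 0x4
May 06 11:00:00 host kernel: e1000e 0000:00:1f.6 eno1: NIC Link is Down
"""

# Journal short format: "Mon DD HH:MM:SS host kernel: <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<msg>.*)$")
# Link transitions emitted by bnxt_en for a given interface (assumed wording).
LINK_RE = re.compile(r"bnxt_en \S+ (?P<iface>\S+): NIC Link is (?P<state>Up|Down)")
# Any bnxt_en message mentioning HWRM together with an error/failure indicator.
HWRM_RE = re.compile(r"bnxt_en \S+ (?P<iface>\S+): .*hwrm.*(error|failed|rc:)", re.IGNORECASE)


def parse_ts(ts, year=2026):
    # The short journal timestamp has no year; the caller supplies it (assumption).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_suspect_hwrm_errors(log_text, window_s=30):
    """Return HWRM error messages that follow a bnxt_en link Up/Down event
    on the same interface within window_s seconds. HWRM errors far from any
    transition are ignored so unrelated firmware noise does not alert."""
    last_transition = {}  # iface -> timestamp of the most recent Up/Down event
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        link = LINK_RE.search(msg)
        if link:
            last_transition[link["iface"]] = ts
            continue
        err = HWRM_RE.search(msg)
        if err:
            t0 = last_transition.get(err["iface"])
            if t0 is not None and ts - t0 <= timedelta(seconds=window_s):
                hits.append(msg)
    return hits
```

Feed it the output of journalctl -k on a host with a Broadcom NIC; a non-empty result after a planned ifdown/ifup is the signal to compare the RSS context list against the expected count.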
How to Mitigate CVE-2026-43260
Immediate Actions Required
- Identify hosts running affected bnxt_en driver versions on Broadcom NetXtreme adapters and prioritize kernel updates on systems that rely on RSS contexts.
- Apply the stable kernel update containing the fix commits referenced in the Linux stable tree.
- Until patched, avoid bringing interfaces down on hosts with active RSS contexts unless the operation is required.
Patch Information
The fix removes the netif_running() condition from the RSS context delete path so the driver always frees the corresponding VNIC in firmware. Reference commits across stable branches: 079986d6db1f, 348a5f8d06c7, 9a9b89eea4a9, and e123d9302d22. Distribution-provided kernel updates that backport these commits resolve the issue.
Workarounds
- Recreate RSS contexts manually via ethtool -X after each interface restart on unpatched systems where downtime is required.
- Schedule interface state changes during maintenance windows and validate RSS context state afterward.
- Reload the bnxt_en module to fully reset firmware VNIC state if context loss is observed before patching is feasible.
# Verify kernel version and inspect RSS contexts on a Broadcom NIC
uname -r
ethtool -i eth0 | grep -E 'driver|version'
ethtool -x eth0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.