CVE-2026-43467 Overview
CVE-2026-43467 is a Linux kernel vulnerability in the Mellanox mlx5 network driver. The flaw causes a kernel crash when an administrator transitions the device to switchdev mode on hardware that does not support IPsec. The driver attempts to clean up IPsec resources unconditionally, dereferencing uninitialized structures and triggering a page fault in mlx5e_ipsec_disable_events. The fix adds a proper capability check before tearing down IPsec state.
Critical Impact
A local user with CAP_NET_ADMIN privileges can crash the kernel by issuing a devlink command to switch eswitch mode on affected mlx5 hardware, resulting in denial of service.
Affected Products
- Linux kernel containing the mlx5_core driver prior to the upstream fix
- Systems using Mellanox ConnectX adapters without IPsec offload capability
- Distributions shipping kernel 6.19.0-rc5 and related stable branches before backport
Discovery Timeline
- 2026-05-08 - CVE-2026-43467 published to the National Vulnerability Database
- 2026-05-12 - Last updated in the NVD
Technical Details for CVE-2026-43467
Vulnerability Analysis
The vulnerability resides in the mlx5_core driver's eswitch mode transition logic. When userspace invokes devlink dev eswitch set ... mode switchdev, the driver calls mlx5e_vport_rep_load, which triggers mlx5e_netdev_change_profile and eventually mlx5e_nic_disable. During the disable path, mlx5e_ipsec_disable_events is invoked without verifying that the underlying device advertises IPsec offload support.
The kernel oops trace shows a page fault at _raw_spin_lock_irqsave+0x10/0x30, called from complete_all+0x20/0x90 inside mlx5e_ipsec_disable_events. CR2 holds 0x00000000000000a0, which indicates a dereference at a small structure offset from a NULL or uninitialized ipsec pointer. The fault occurs in kernel mode but is reported through do_user_addr_fault, generating a warning and an oops.
This is a CWE-476 NULL pointer dereference triggered by missing capability validation. The remediation, applied across four stable branches via commits 05c9a6df3646, 24b2795f9683, 835778685f15, and bc72f739f398, introduces an explicit IPsec support check before invoking the cleanup routine.
Root Cause
The mlx5e_ipsec_disable_events cleanup helper assumes IPsec resources were initialized. On devices lacking IPsec capability, the corresponding ipsec member of the private state remains unallocated. Cleanup code dereferences this pointer to access a completion structure and acquire its wait.lock, faulting at offset 0xa0.
Attack Vector
Exploitation requires local privileges sufficient to call devlink netlink operations, typically CAP_NET_ADMIN. An attacker on a host with affected Mellanox hardware that lacks IPsec offload can trigger the crash by switching the eswitch mode to switchdev. The result is a kernel oops and likely panic, producing a denial-of-service condition on the host.
Detection Methods for CVE-2026-43467
Indicators of Compromise
- Kernel log entries containing WARNING: arch/x86/mm/fault.c followed by mlx5e_ipsec_disable_events in the call trace
- Unexpected devlink invocations with eswitch set mode switchdev from non-administrative user sessions
- Host reboots or kernel panics correlated with mlx5_core module activity on hardware without IPsec offload
Detection Strategies
- Monitor dmesg and journalctl -k for mlx5_core oops traces referencing mlx5e_nic_disable or mlx5e_ipsec_disable_events.
- Audit devlink command execution through auditd rules on /usr/sbin/devlink and the underlying genl netlink family.
- Inventory deployed Mellanox NIC firmware and capabilities using mlx5_core sysfs entries to identify hosts running affected hardware combinations.
Monitoring Recommendations
- Centralize kernel logs and alert on call traces containing mlx5e_ symbols paired with page fault warnings.
- Track privileged use of devlink and netlink DEVLINK_CMD_ESWITCH_SET operations across the fleet.
- Correlate sudden host unavailability with recent network configuration changes on systems using mlx5_core.
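The signature from the Detection Strategies and Monitoring Recommendations above, as an added example (not code from this advisory's source or the kernel project): a shell function that reads kernel log text and reports each fault trace that reaches mlx5e_ipsec_disable_events. The function names and the sample log are constructed for illustration; only the symbols, the CR2 value and the two offsets quoted on this page come from the advisory.

```shell
#!/usr/bin/env bash
# Added example, not vendor or kernel-project code.
# Reads kernel log text on stdin; prints one line per fault trace that reaches
# mlx5e_ipsec_disable_events (the signature this advisory describes).
# Live use: journalctl -k --no-pager | detect_mlx5_ipsec_oops
detect_mlx5_ipsec_oops() {
  awk '
    # A page-fault WARNING or NULL-deref BUG line opens a candidate event.
    /WARNING: .*arch\/x86\/mm\/fault\.c|BUG: kernel NULL pointer dereference/ {
      if (!infault) { infault = 1; cr2 = "?"; ipsec = 0; nic = 0 }
    }
    # Record the faulting address from the register dump.
    infault && /CR2: / { for (i = 1; i < NF; i++) if ($i == "CR2:") cr2 = $(i + 1) }
    # Frames that tie the fault to the IPsec cleanup on the NIC disable path.
    infault && /mlx5e_ipsec_disable_events\+/ { ipsec = 1 }
    infault && /mlx5e_nic_disable\+/ { nic = 1 }
    # The end-of-trace marker closes the event; a truncated log closes at EOF.
    infault && /---\[ end trace/ { report(); infault = 0 }
    END { if (infault) report() }
    function report() {
      if (ipsec) printf "HIT cr2=%s via_nic_disable=%d\n", cr2, nic
    }
  '
}

# Constructed, abridged sample (not a real capture). Timestamps, the fault.c
# line number and every offset except those on _raw_spin_lock_irqsave and
# complete_all are made up.
sample_klog() {
  cat <<'EOF'
[  412.000100] WARNING: arch/x86/mm/fault.c:1000 at do_user_addr_fault+0x100/0x200
[  412.000120] RIP: 0010:_raw_spin_lock_irqsave+0x10/0x30
[  412.000140] CR2: 00000000000000a0 CR3: 0000000100000000 CR4: 0000000000000000
[  412.000160] Call Trace:
[  412.000180]  complete_all+0x20/0x90
[  412.000200]  mlx5e_ipsec_disable_events+0x10/0x40 [mlx5_core]
[  412.000220]  mlx5e_nic_disable+0x10/0x100 [mlx5_core]
[  412.000240]  mlx5e_netdev_change_profile+0x10/0x100 [mlx5_core]
[  412.000260]  mlx5e_vport_rep_load+0x10/0x100 [mlx5_core]
[  412.000280] ---[ end trace 0000000000000000 ]---
EOF
}

sample_klog | detect_mlx5_ipsec_oops
```

A fault trace that never reaches the IPsec cleanup symbol, or an mlx5e_ frame that appears without a preceding fault line, produces no output, which keeps unrelated mlx5 traces out of the alert stream.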
How to Mitigate CVE-2026-43467
Immediate Actions Required
- Apply the upstream Linux kernel patch corresponding to your stable branch as soon as the vendor releases an updated package.
- Restrict CAP_NET_ADMIN and access to the devlink utility to trusted administrators only.
- Avoid switching eswitch mode to switchdev on mlx5 adapters that do not support IPsec offload until patched kernels are deployed.
Patch Information
The fix is available in upstream Linux kernel commits 05c9a6df3646, 24b2795f9683, 835778685f15, and bc72f739f398. The patch adds an IPsec support check before cleanup of IPsec resources during eswitch mode transitions. Rebuild and reboot into the patched kernel to remediate.
Workarounds
- Keep the eswitch in legacy mode on hosts where IPsec offload is not supported by the hardware.
- Remove or block the mlx5_core module on systems that do not require Mellanox networking until kernel updates are applied.
- Limit interactive shell access on hosts with affected adapters to reduce the attack surface for local privileged users.
```bash
# Verify running kernel and mlx5_core status before applying mitigations
uname -r
lsmod | grep mlx5_core
# pci/0000:00:00.0 is a placeholder; substitute the adapter's own devlink handle
devlink dev eswitch show pci/0000:00:00.0
# Keep legacy mode until patched
devlink dev eswitch set pci/0000:00:00.0 mode legacy
```


