CVE-2026-53324 Overview
CVE-2026-53324 affects the Microsoft Azure Network Adapter (MANA) driver in the Linux kernel. The flaw exists in how the driver names per-device debugfs directories. The previous implementation called pci_slot_name(pdev->slot) for Virtual Functions (VFs), which dereferences pdev->slot. That pointer can be NULL in environments such as generic VFIO passthrough or nested KVM, triggering a NULL pointer dereference [CWE-476].
A secondary defect caused directory naming collisions. Multiple Physical Functions (PFs) all used the hardcoded string "0", and VFs across different PCI domains or buses could share the same slot name. These collisions produced -EEXIST errors from debugfs_create_dir().
Critical Impact
The NULL pointer dereference can crash the kernel when the MANA driver initializes VFs in virtualization environments where pdev->slot is not populated.
Affected Products
- Linux kernel with the net/mana driver enabled
- Systems using Microsoft Azure Network Adapter (MANA) Physical Functions
- Systems using MANA Virtual Functions under VFIO passthrough or nested KVM
Discovery Timeline
- 2026-06-26 - CVE-2026-53324 published to NVD
- 2026-06-30 - Last updated in NVD database
Technical Details for CVE-2026-53324
Vulnerability Analysis
The MANA Ethernet driver creates a debugfs directory for each PCI device it manages. Debugfs requires unique directory names within its hierarchy. The prior implementation constructed those names using two different strategies depending on whether the device was a PF or a VF.
For PFs, the code hardcoded the directory name to "0". When a system exposed more than one MANA PF, the second registration attempt returned -EEXIST from debugfs_create_dir(). For VFs, the code called pci_slot_name(pdev->slot). That helper dereferences the slot field of the pci_dev structure without a NULL check.
In generic VFIO passthrough and nested KVM configurations, the PCI core does not always populate pdev->slot. Dereferencing the NULL pointer triggers an oops in kernel context, causing a denial of service for the calling process and potentially the host.
Root Cause
The root cause is an unsafe assumption that pdev->slot is always valid combined with a non-unique naming scheme for PFs. The driver did not use the PCI Bus:Device.Function (BDF) address, which is guaranteed to be present and unique.
Attack Vector
Triggering the flaw requires MANA hardware or emulation exposed to a Linux guest through VFIO or nested virtualization. An attacker with the ability to attach or hot-plug a MANA VF into a guest without a populated pdev->slot can crash the guest kernel. The issue is not reachable from unprivileged remote network input.
The patch replaces both code paths with pci_name(pdev), which returns the unique BDF address. See Kernel Git Commit 34dbd7b819, Kernel Git Commit 9211eb97e8f, and Kernel Git Commit c116f07ab9d for the upstream fixes.
Detection Methods for CVE-2026-53324
Indicators of Compromise
- Kernel oops messages referencing pci_slot_name in the MANA driver call path
- debugfs_create_dir() returning -EEXIST when loading mana on hosts with multiple PFs
- Unexpected guest kernel panics immediately after attaching a MANA VF via VFIO
Detection Strategies
- Inventory Linux kernel versions on Azure and on-premises hosts that load the mana module and compare against patched stable releases
- Parse dmesg and journalctl -k output for NULL pointer dereference traces involving mana_gd_probe or mana_debugfs_init
- Monitor /sys/kernel/debug/mana/ for missing or collided device directories after driver load
Monitoring Recommendations
- Alert on repeated MANA driver load failures across the fleet, which may indicate the -EEXIST collision path
- Track guest crash frequency on hypervisors that pass MANA VFs to nested workloads
- Aggregate kernel panic telemetry with the affected module name to identify systemic exposure
How to Mitigate CVE-2026-53324
Immediate Actions Required
- Update to a Linux kernel release that includes commits 34dbd7b819, 9211eb97e8f, or c116f07ab9d from the stable tree
- Prioritize patching hosts that pass MANA VFs through VFIO or into nested KVM guests
- Restrict the ability to hot-plug or attach MANA VFs to trusted administrators until patching completes
Patch Information
The fix replaces the hardcoded "0" and the pci_slot_name(pdev->slot) call with pci_name(pdev) for both PFs and VFs. pci_name() returns the BDF identifier, which is always populated and unique across the system. Apply the upstream patches from the stable kernel git repository linked in the references, or install a distribution kernel that has backported the fix.
Workarounds
- Avoid loading the mana driver on hosts where MANA hardware is not required
- Do not attach MANA VFs into guests that do not receive a populated pdev->slot from the hypervisor
- Unmount debugfs (umount /sys/kernel/debug) on production hosts where it is not needed, reducing exposure to the directory creation path
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

