Description
In the Linux kernel, the following vulnerability has been resolved:

net: marvell: prestera: fix NULL dereference on devlink_alloc() failure

devlink_alloc() may return NULL on allocation failure, but
prestera_devlink_alloc() unconditionally calls devlink_priv() on
the returned pointer.

This leads to a NULL pointer dereference if devlink allocation fails.
Add a check for a NULL devlink pointer and return NULL early to avoid
the crash.
Published: 2026-01-31
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

A NULL pointer dereference occurs in the Marvell Prestera network driver when devlink_alloc() fails during device initialization. The driver unconditionally calls devlink_priv() on the returned pointer, which is NULL upon allocation failure. This causes a kernel crash, resulting in a denial of service that may bring down the host or require a reboot. The weakness is classified as CWE-476, indicating a null pointer dereference vulnerability.

Affected Systems

Linux kernel implementations that include the Marvell Prestera driver. Affected releases include kernel versions up to at least 6.19 release candidates, as reflected in the common platform enumeration strings. All systems running kernel code with this driver are potentially impacted, regardless of the Debian, Ubuntu, or other distribution distribution, provided the device is present.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, and the EPSS score of less than 1% suggests a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is local to the host; an attacker with ability to influence network traffic to a device on a system with the Prestera driver could trigger allocation failure. The crash can lead to a system reboot or kernel panic, causing service disruption.

Generated by OpenCVE AI on April 18, 2026 at 14:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the upstream kernel patch that adds a NULL check on devlink_alloc() and rebuild the kernel or install an updated kernel that includes the fix.
  • If an update is not feasible, disable or unload the Marvell Prestera driver to prevent triggering the crash.
  • Monitor system logs for NULL dereference or kernel panic messages and configure alerting to detect exploitation attempts.

Generated by OpenCVE AI on April 18, 2026 at 14:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4476-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6126-1 linux security update
Debian DSA Debian DSA DSA-6127-1 linux security update
Ubuntu USN Ubuntu USN USN-8096-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8096-2 Linux kernel (FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8096-3 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8096-4 Linux kernel (Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8096-5 Linux kernel (NVIDIA Tegra IGX) vulnerabilities
Ubuntu USN Ubuntu USN USN-8116-1 Linux kernel (Intel IoTG Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8141-1 Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN Ubuntu USN USN-8163-1 Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8163-2 Linux kernel (Azure) vulnerabilities
History

Wed, 25 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
CPEs cpe:2.3:o:linux:linux_kernel:5.10:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Mon, 02 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
References

Sat, 31 Jan 2026 11:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: marvell: prestera: fix NULL dereference on devlink_alloc() failure devlink_alloc() may return NULL on allocation failure, but prestera_devlink_alloc() unconditionally calls devlink_priv() on the returned pointer. This leads to a NULL pointer dereference if devlink allocation fails. Add a check for a NULL devlink pointer and return NULL early to avoid the crash.
Title net: marvell: prestera: fix NULL dereference on devlink_alloc() failure
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-09T08:37:12.887Z

Reserved: 2026-01-13T15:37:45.940Z

Link: CVE-2026-23019

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-01-31T12:16:05.207

Modified: 2026-03-25T15:55:44.020

Link: CVE-2026-23019

cve-icon Redhat

Severity :

Publid Date: 2026-01-31T00:00:00Z

Links: CVE-2026-23019 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T14:30:02Z

Weaknesses