Description
In the Linux kernel, the following vulnerability has been resolved:

net: 3com: 3c59x: fix possible null dereference in vortex_probe1()

pdev can be null and free_ring: can be called in 1297 with a null
pdev.
Published: 2026-01-31
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Kernel Panic (Denial of Service)
Action: Apply Patch
AI Analysis

Impact

The Linux kernel's 3com 3c59x network driver contains a null pointer dereference in the vortex_probe1() function. pdev can be null, and the function's free_ring: label can be reached with that null pdev, which crashes the kernel. The immediate effect is a kernel panic, leading to a service interruption and requiring a reboot to recover. The flaw is classified as CWE-476.

Affected Systems

The vulnerability applies to Linux kernel releases from 4.17 onward, including all 6.19 release candidates up to rc8. Systems that load the 3c59x driver module—typically those using 3com network adapters—are potentially impacted. Administrators should confirm that the 3c59x module is present and determine the exact kernel version in use.

Risk and Exploitability

The CVSS score of 5.5 indicates medium severity. The EPSS score is less than 1 %, suggesting a low historical probability of exploitation. The flaw is not listed in CISA’s KEV catalog, implying no confirmed active exploitation. Based on the description, it is inferred that an attacker would need local or privileged access to trigger driver initialization, as the fault occurs when the driver is loaded. Remote exploitation without elevated privileges is unlikely.

Generated by OpenCVE AI on April 18, 2026 at 14:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a release that includes the vortex_probe1 patch (e.g., 6.19.1 or later).
  • If an upgrade cannot be performed immediately, remove or prevent loading of the 3com 3c59x driver module to stop the vulnerable code from executing.
  • Restrict kernel module loading to privileged users only, monitor system logs for kernel panic events, and apply the patch as soon as it becomes available.


Advisories
Source | ID | Title
Debian DLA | DLA-4475-1 | linux security update
Debian DLA | DLA-4476-1 | linux-6.1 security update
Debian DSA | DSA-6126-1 | linux security update
Debian DSA | DSA-6127-1 | linux security update
Ubuntu USN | USN-8096-1 | Linux kernel vulnerabilities
Ubuntu USN | USN-8096-2 | Linux kernel (FIPS) vulnerabilities
Ubuntu USN | USN-8096-3 | Linux kernel vulnerabilities
Ubuntu USN | USN-8096-4 | Linux kernel (Real-time) vulnerabilities
Ubuntu USN | USN-8096-5 | Linux kernel (NVIDIA Tegra IGX) vulnerabilities
Ubuntu USN | USN-8116-1 | Linux kernel (Intel IoTG Real-time) vulnerabilities
Ubuntu USN | USN-8141-1 | Linux kernel (Raspberry Pi) vulnerabilities
Ubuntu USN | USN-8163-1 | Linux kernel (Azure FIPS) vulnerabilities
Ubuntu USN | USN-8163-2 | Linux kernel (Azure) vulnerabilities

History

Wed, 25 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Weaknesses: CWE-476
CPEs:
  cpe:2.3:o:linux:linux_kernel:4.17:-:*:*:*:*:*:*
  cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
  cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
  cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
  cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
  cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
  cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
  cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*
  cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*
Metrics: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Mon, 02 Feb 2026 12:15:00 +0000


Sat, 31 Jan 2026 11:45:00 +0000

Type Values Removed Values Added
Description: In the Linux kernel, the following vulnerability has been resolved: net: 3com: 3c59x: fix possible null dereference in vortex_probe1() pdev can be null and free_ring: can be called in 1297 with a null pdev.
Title: net: 3com: 3c59x: fix possible null dereference in vortex_probe1()
First Time appeared: Linux; Linux linux Kernel
CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products: Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-09T08:37:13.897Z

Reserved: 2026-01-13T15:37:45.941Z

Link: CVE-2026-23020

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-01-31T12:16:05.310

Modified: 2026-03-25T15:56:02.047

Link: CVE-2026-23020

Red Hat

Severity:

Public Date: 2026-01-31T00:00:00Z

Links: CVE-2026-23020 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T14:30:02Z

Weaknesses