CVE-2026-23041 - Vulnerability Details

- bnxt_en: Fix NULL pointer crash in bnxt_ptp_enable during error cleanup

Description

In the Linux kernel, the following vulnerability has been resolved:

bnxt_en: Fix NULL pointer crash in bnxt_ptp_enable during error cleanup

When bnxt_init_one() fails during initialization (e.g.,
bnxt_init_int_mode returns -ENODEV), the error path calls
bnxt_free_hwrm_resources() which destroys the DMA pool and sets
bp->hwrm_dma_pool to NULL. Subsequently, bnxt_ptp_clear() is called,
which invokes ptp_clock_unregister().

Since commit a60fc3294a37 ("ptp: rework ptp_clock_unregister() to
disable events"), ptp_clock_unregister() now calls
ptp_disable_all_events(), which in turn invokes the driver's .enable()
callback (bnxt_ptp_enable()) to disable PTP events before completing the
unregistration.

bnxt_ptp_enable() attempts to send HWRM commands via bnxt_ptp_cfg_pin()
and bnxt_ptp_cfg_event(), both of which call hwrm_req_init(). This
function tries to allocate from bp->hwrm_dma_pool, causing a NULL
pointer dereference:

bnxt_en 0000:01:00.0 (unnamed net_device) (uninitialized): bnxt_init_int_mode err: ffffffed
KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
Call Trace:
__hwrm_req_init (drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c:72)
bnxt_ptp_enable (drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:323 drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:517)
ptp_disable_all_events (drivers/ptp/ptp_chardev.c:66)
ptp_clock_unregister (drivers/ptp/ptp_clock.c:518)
bnxt_ptp_clear (drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:1134)
bnxt_init_one (drivers/net/ethernet/broadcom/bnxt/bnxt.c:16889)

Lines are against commit f8f9c1f4d0c7 ("Linux 6.19-rc3")

Fix this by clearing and unregistering ptp (bnxt_ptp_clear()) before
freeing HWRM resources.

Published: 2026-02-04

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

During the initialization of a Broadcom NetXtreme Ethernet device, an error path frees hardware resources and sets a DMA pool pointer to NULL. The subsequent de‑registration of the PTP clock triggers the driver's enable callback to clear PTP events, which then attempts to allocate from the freed DMA pool. The dereference of the now‑NULL pointer causes a kernel crash.

Affected Systems

Linux kernel drivers for Broadcom NetXtreme cards (bnxt_en), affecting systems running kernel versions prior to the fix committed in 6.19‑rc3. The vulnerability applies to any platform that loads this driver and encounters an initialization error.

Risk and Exploitability

The CVSS score is not provided, but the EPSS score is below 1 % and the vulnerability is not listed in the CISA KEV catalog. A local or privileged attacker who can force the device to initialize (e.g., after attaching a new network interface) could trigger the crash. It is inferred that the attack vector requires kernel access, likely local privileged execution, and the impact is a denial of service via kernel panic. The low EPSS suggests rare exploitability under normal conditions.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`a60fc3294a377204664b5484e4a487fa124155da`	affected	< 0174d5466caefc22f03a36c43b2a3cce7e332627
`a60fc3294a377204664b5484e4a487fa124155da`	affected	< 3358995b1a7f9dcb52a56ec8251570d71024dad0

Linux

affected

Version	Status	Constraints
`6.18`	affected	—
`0`	unaffected	< 6.18
`6.18.6`	unaffected	≤ 6.18.*
`6.19`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the upstream kernel patch that removes the error cleanup order, ensuring PTP is cleared before freeing HWRM resources, or upgrade to a kernel version that contains the fix.
If a patch is unavailable, disable the PTP functionality in the driver by setting the appropriate sysfs or module options so that ptp_clock_unregister is not called during error cleanup.
As a last resort, prevent the bnxt driver from loading on affected devices by blacklisting the module or removing the device from the system configuration.

Generated by OpenCVE AI on April 17, 2026 at 23:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00027.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0174d5466caefc22f03a36c43b2a3cce7e332627
https://git.kernel.org/stable/c/3358995b1a7f9dcb52a56ec8251570d71024dad0
https://lore.kernel.org/linux-cve-announce/2026020438-CVE-2026-23041-a426@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23041
https://www.cve.org/CVERecord?id=CVE-2026-23041

History

Sat, 18 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476

Thu, 05 Feb 2026 12:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026020438-CVE-2026-23041-a426@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23041 https://www.cve.org/CVERecord?id=CVE-2026-23041
Metrics	threat_severity `None`	threat_severity `Moderate`

Wed, 04 Feb 2026 16:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix NULL pointer crash in bnxt_ptp_enable during error cleanup When bnxt_init_one() fails during initialization (e.g., bnxt_init_int_mode returns -ENODEV), the error path calls bnxt_free_hwrm_resources() which destroys the DMA pool and sets bp->hwrm_dma_pool to NULL. Subsequently, bnxt_ptp_clear() is called, which invokes ptp_clock_unregister(). Since commit a60fc3294a37 ("ptp: rework ptp_clock_unregister() to disable events"), ptp_clock_unregister() now calls ptp_disable_all_events(), which in turn invokes the driver's .enable() callback (bnxt_ptp_enable()) to disable PTP events before completing the unregistration. bnxt_ptp_enable() attempts to send HWRM commands via bnxt_ptp_cfg_pin() and bnxt_ptp_cfg_event(), both of which call hwrm_req_init(). This function tries to allocate from bp->hwrm_dma_pool, causing a NULL pointer dereference: bnxt_en 0000:01:00.0 (unnamed net_device) (uninitialized): bnxt_init_int_mode err: ffffffed KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] Call Trace: __hwrm_req_init (drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c:72) bnxt_ptp_enable (drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:323 drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:517) ptp_disable_all_events (drivers/ptp/ptp_chardev.c:66) ptp_clock_unregister (drivers/ptp/ptp_clock.c:518) bnxt_ptp_clear (drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:1134) bnxt_init_one (drivers/net/ethernet/broadcom/bnxt/bnxt.c:16889) Lines are against commit f8f9c1f4d0c7 ("Linux 6.19-rc3") Fix this by clearing and unregistering ptp (bnxt_ptp_clear()) before freeing HWRM resources.
Title		bnxt_en: Fix NULL pointer crash in bnxt_ptp_enable during error cleanup
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0174d5466caefc22f03a36c43b2a3cce7e332627 https://git.kernel.org/stable/c/3358995b1a7f9dcb52a56ec8251570d71024dad0

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-02-04T16:00:24.710Z

Updated: 2026-02-09T08:37:36.153Z

Reserved: 2026-01-13T15:37:45.944Z

Link: CVE-2026-23041

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-02-04T16:16:19.563

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-23041

Redhat

Severity : Moderate

Publid Date: 2026-02-04T00:00:00Z

Links: CVE-2026-23041 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T00:00:09Z

Weaknesses

CWE-476

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object