Description
In the Linux kernel, the following vulnerability has been resolved:

ice: fix devlink reload call trace

Commit 4da71a77fc3b ("ice: read internal temperature sensor") introduced
internal temperature sensor reading via HWMON. ice_hwmon_init() was added
to ice_init_feature() and ice_hwmon_exit() was added to ice_remove(). As a
result if devlink reload is used to reinit the device and then the driver
is removed, a call trace can occur.

BUG: unable to handle page fault for address: ffffffffc0fd4b5d
Call Trace:
string+0x48/0xe0
vsnprintf+0x1f9/0x650
sprintf+0x62/0x80
name_show+0x1f/0x30
dev_attr_show+0x19/0x60

The call trace repeats approximately every 10 minutes when system
monitoring tools (e.g., sadc) attempt to read the orphaned hwmon sysfs
attributes that reference freed module memory.

The sequence is:
1. Driver load, ice_hwmon_init() gets called from ice_init_feature()
2. Devlink reload down, flow does not call ice_remove()
3. Devlink reload up, ice_hwmon_init() gets called from
ice_init_feature() resulting in a second instance
4. Driver unload, ice_hwmon_exit() called from ice_remove() leaving the
first hwmon instance orphaned with dangling pointer

Fix this by moving ice_hwmon_exit() from ice_remove() to
ice_deinit_features() to ensure proper cleanup symmetry with
ice_hwmon_init().
Published: 2026-02-04
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (kernel crash)
Action: Patch Now
AI Analysis

Impact

The bug arises in the Linux kernel’s ice driver after a change that added an internal temperature sensor to the HWMON interface. When a devlink reload sequence occurs and the driver is later removed, the driver’s cleanup routine is left dangling. This leaves an orphaned hwmon instance that points at freed memory. Subsequent system‑monitoring attempts to read this sysfs entry trigger a page fault, causing a call trace and ultimately a kernel panic. The crash manifests roughly every ten minutes if monitoring tools keep polling the stale sysfs attributes, resulting in a denial‑of‑service condition for the host. The defect does not provide remote code execution or privilege escalation; however, the system crash can be triggered by actions that manipulate the network device (devlink reload) or unload the module, which typically requires elevated privileges. The core weakness is a use‑after‑free flaw caused by improper cleanup symmetry between initialization and removal of the hwmon interface, leading to dangling pointers. It is inferred that the attack vector requires elevated privileges to perform devlink reload or module unload.

Affected Systems

The issue affects Linux kernel builds that include the ice driver, specifically those that incorporate the commit adding hwmon support and prior to the fix that moves the cleanup routine to ice_deinit_features(). This includes kernel versions with the ice driver up to at least Linux 6.19 RC6, as well as any custom kernels that have not yet applied the patch.

Risk and Exploitability

The CVSS 5.5 score indicates a moderate severity. The EPSS score is below 1 %, suggesting a very low probability of exploitation in the wild. The vulnerability is not catalogued in the CISA KEV registry. It is inferred that the attack vector is local and requires privileged access to perform the devlink reload or unload operation. While the impact is limited to a denial‑of‑service condition, the kernel panic can cause significant downtime, especially on production systems that rely on persistent network connectivity.

Generated by OpenCVE AI on April 17, 2026 at 23:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a version that contains the commit which moves ice_hwmon_exit() to ice_deinit_features(), such as the latest stable release from the distribution.
  • If an immediate kernel upgrade is not possible, apply the patch that moves ice_hwmon_exit() to ice_deinit_features() from the kernel source, rebuild the kernel, and reload the ice driver.
  • Until the kernel is updated, avoid using devlink reload operations or unloading the ice driver while system‑monitoring tools are active; alternatively, configure monitoring utilities to skip the stale hwmon sysfs attributes.

Generated by OpenCVE AI on April 17, 2026 at 23:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
References

Thu, 19 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Thu, 05 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Wed, 04 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: ice: fix devlink reload call trace Commit 4da71a77fc3b ("ice: read internal temperature sensor") introduced internal temperature sensor reading via HWMON. ice_hwmon_init() was added to ice_init_feature() and ice_hwmon_exit() was added to ice_remove(). As a result if devlink reload is used to reinit the device and then the driver is removed, a call trace can occur. BUG: unable to handle page fault for address: ffffffffc0fd4b5d Call Trace: string+0x48/0xe0 vsnprintf+0x1f9/0x650 sprintf+0x62/0x80 name_show+0x1f/0x30 dev_attr_show+0x19/0x60 The call trace repeats approximately every 10 minutes when system monitoring tools (e.g., sadc) attempt to read the orphaned hwmon sysfs attributes that reference freed module memory. The sequence is: 1. Driver load, ice_hwmon_init() gets called from ice_init_feature() 2. Devlink reload down, flow does not call ice_remove() 3. Devlink reload up, ice_hwmon_init() gets called from ice_init_feature() resulting in a second instance 4. Driver unload, ice_hwmon_exit() called from ice_remove() leaving the first hwmon instance orphaned with dangling pointer Fix this by moving ice_hwmon_exit() from ice_remove() to ice_deinit_features() to ensure proper cleanup symmetry with ice_hwmon_init().
Title ice: fix devlink reload call trace
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-03-25T10:20:19.737Z

Reserved: 2026-01-13T15:37:45.966Z

Link: CVE-2026-23104

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2026-02-04T17:16:21.270

Modified: 2026-03-25T11:16:18.577

Link: CVE-2026-23104

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-04T00:00:00Z

Links: CVE-2026-23104 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T23:45:25Z

Weaknesses