{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23353", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.000Z", "datePublished": "2026-03-25T10:27:38.167Z", "dateUpdated": "2026-03-25T10:27:38.167Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:27:38.167Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix crash in ethtool offline loopback test\n\nSince the conversion of ice to page pool, the ethtool loopback test\ncrashes:\n\n BUG: kernel NULL pointer dereference, address: 000000000000000c\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 1100f1067 P4D 0\n Oops: Oops: 0002 [#1] SMP NOPTI\n CPU: 23 UID: 0 PID: 5904 Comm: ethtool Kdump: loaded Not tainted 6.19.0-0.rc7.260128g1f97d9dcf5364.49.eln154.x86_64 #1 PREEMPT(lazy)\n Hardware name: [...]\n RIP: 0010:ice_alloc_rx_bufs+0x1cd/0x310 [ice]\n Code: 83 6c 24 30 01 66 41 89 47 08 0f 84 c0 00 00 00 41 0f b7 dc 48 8b 44 24 18 48 c1 e3 04 41 bb 00 10 00 00 48 8d 2c 18 8b 04 24 <89> 45 0c 41 8b 4d 00 49 d3 e3 44 3b 5c 24 24 0f 83 ac fe ff ff 44\n RSP: 0018:ff7894738aa1f768 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000700 RDI: 0000000000000000\n RBP: 0000000000000000 R08: ff16dcae79880200 R09: 0000000000000019\n R10: 0000000000000001 R11: 0000000000001000 R12: 0000000000000000\n R13: 0000000000000000 R14: 0000000000000000 R15: ff16dcae6c670000\n FS: 00007fcf428850c0(0000) GS:ff16dcb149710000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000000000000c CR3: 0000000121227005 CR4: 0000000000773ef0\n PKRU: 55555554\n Call Trace:\n <TASK>\n ice_vsi_cfg_rxq+0xca/0x460 [ice]\n ice_vsi_cfg_rxqs+0x54/0x70 [ice]\n ice_loopback_test+0xa9/0x520 [ice]\n ice_self_test+0x1b9/0x280 [ice]\n ethtool_self_test+0xe5/0x200\n __dev_ethtool+0x1106/0x1a90\n dev_ethtool+0xbe/0x1a0\n dev_ioctl+0x258/0x4c0\n sock_do_ioctl+0xe3/0x130\n __x64_sys_ioctl+0xb9/0x100\n do_syscall_64+0x7c/0x700\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [...]\n\nIt crashes because we have not initialized libeth for the rx ring.\n\nFix it by treating ICE_VSI_LB VSIs slightly more like normal PF VSIs and\nletting them have a q_vector. It's just a dummy, because the loopback\ntest does not use interrupts, but it contains a napi struct that can be\npassed to libeth_rx_fq_create() called from ice_vsi_cfg_rxq() ->\nice_rxq_pp_create()."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/intel/ice/ice_base.c", "drivers/net/ethernet/intel/ice/ice_ethtool.c", "drivers/net/ethernet/intel/ice/ice_lib.c"], "versions": [{"version": "93f53db9f9dc4a16b40ecd18e6d338ad57e4b670", "lessThan": "85c98b81849e4724ae99005a6cccd33cab9cfd18", "status": "affected", "versionType": "git"}, {"version": "93f53db9f9dc4a16b40ecd18e6d338ad57e4b670", "lessThan": "a9c354e656597aededa027d63d2ff0973f6b033f", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/intel/ice/ice_base.c", "drivers/net/ethernet/intel/ice/ice_ethtool.c", "drivers/net/ethernet/intel/ice/ice_lib.c"], "versions": [{"version": "6.19", "status": "affected"}, {"version": "0", "lessThan": "6.19", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "7.0-rc3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/85c98b81849e4724ae99005a6cccd33cab9cfd18"}, {"url": "https://git.kernel.org/stable/c/a9c354e656597aededa027d63d2ff0973f6b033f"}], "title": "ice: fix crash in ethtool offline loopback test", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix crash in ethtool offline loopback test\n\nSince the conversion of ice to page pool, the ethtool loopback test\ncrashes:\n\n BUG: kernel NULL pointer dereference, address: 000000000000000c\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 1100f1067 P4D 0\n Oops: Oops: 0002 [#1] SMP NOPTI\n CPU: 23 UID: 0 PID: 5904 Comm: ethtool Kdump: loaded Not tainted 6.19.0-0.rc7.260128g1f97d9dcf5364.49.eln154.x86_64 #1 PREEMPT(lazy)\n Hardware name: [...]\n RIP: 0010:ice_alloc_rx_bufs+0x1cd/0x310 [ice]\n Code: 83 6c 24 30 01 66 41 89 47 08 0f 84 c0 00 00 00 41 0f b7 dc 48 8b 44 24 18 48 c1 e3 04 41 bb 00 10 00 00 48 8d 2c 18 8b 04 24 <89> 45 0c 41 8b 4d 00 49 d3 e3 44 3b 5c 24 24 0f 83 ac fe ff ff 44\n RSP: 0018:ff7894738aa1f768 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000700 RDI: 0000000000000000\n RBP: 0000000000000000 R08: ff16dcae79880200 R09: 0000000000000019\n R10: 0000000000000001 R11: 0000000000001000 R12: 0000000000000000\n R13: 0000000000000000 R14: 0000000000000000 R15: ff16dcae6c670000\n FS: 00007fcf428850c0(0000) GS:ff16dcb149710000(0000) knlGS:0000000000000000\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000000000000c CR3: 0000000121227005 CR4: 0000000000773ef0\n PKRU: 55555554\n Call Trace:\n <TASK>\n ice_vsi_cfg_rxq+0xca/0x460 [ice]\n ice_vsi_cfg_rxqs+0x54/0x70 [ice]\n ice_loopback_test+0xa9/0x520 [ice]\n ice_self_test+0x1b9/0x280 [ice]\n ethtool_self_test+0xe5/0x200\n __dev_ethtool+0x1106/0x1a90\n dev_ethtool+0xbe/0x1a0\n dev_ioctl+0x258/0x4c0\n sock_do_ioctl+0xe3/0x130\n __x64_sys_ioctl+0xb9/0x100\n do_syscall_64+0x7c/0x700\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n [...]\n\nIt crashes because we have not initialized libeth for the rx ring.\n\nFix it by treating ICE_VSI_LB VSIs slightly more like normal PF VSIs and\nletting them have a q_vector. It's just a dummy, because the loopback\ntest does not use interrupts, but it contains a napi struct that can be\npassed to libeth_rx_fq_create() called from ice_vsi_cfg_rxq() ->\nice_rxq_pp_create()."}], "id": "CVE-2026-23353", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:33.817", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/85c98b81849e4724ae99005a6cccd33cab9cfd18"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/a9c354e656597aededa027d63d2ff0973f6b033f"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: ice: fix crash in ethtool offline loopback test", "id": "2451164", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451164"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-824", "details": ["A flaw was found in the Linux kernel's `ice` network driver. When a local user performs an `ethtool` offline loopback test, the system can experience a kernel null pointer dereference. This occurs because the `libeth` library for the receive ring is not properly initialized. Successful exploitation of this vulnerability leads to a system crash, resulting in a Denial of Service (DoS)."], "name": "CVE-2026-23353", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23353\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23353\nhttps://lore.kernel.org/linux-cve-announce/2026032537-CVE-2026-23353-d0c3@gregkh/T"], "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-03-25T12:27:56.593113+00:00", "value": {"mitigation_remediation": ["Install the latest Linux kernel that includes the updated ice driver patch (e.g., the next point release following the 6.19.0 pre\u2011release).", "If a kernel upgrade is not immediately possible, restrict ethtool usage to trusted administrators and avoid running the offline loopback test on vulnerable devices.", "Monitor system logs for\u202fkernel oops messages referencing ice_alloc_rx_bufs and reboot promptly if a crash occurs."], "summary": {"action": "Apply Update", "impact": "Denial of Service (kernel crash)"}, "threat_synthesis": {"affected_systems": "All Linux kernel releases that include the ice driver prior to the patch are impacted. The advisory references a 6.19.0 pre\u2011release but the issue exists in earlier and later releases as long as the driver has not been updated. Distributions shipping a kernel with the uninitialized RX ring handling bug and exposing ethtool to administrators are therefore vulnerable. Exact version ranges are not listed; any kernel that contains the buggy ice driver before the fix is affected.", "description_and_impact": "The ice driver in the Linux kernel contains a bug that triggers a NULL pointer dereference when the ethtool offline loopback test runs. The fault occurs in ice_alloc_rx_bufs before the receive ring is initialized, causing a kernel oops that brings the system down. An unpatched kernel may crash at any time the test is executed, leading to a reboot and loss of availability for the affected network interface.", "risk_and_exploitability": "Exploitation requires running the ethtool offline loopback test, a capability normally reserved for users with root privileges or CAP_SYS_ADMIN. The likely attack vector is local privilege escalation or privileged code execution. No publicly disclosed exploits are known and the EPSS score is not available. The vulnerability is not in CISA\u2019s KEV catalog, indicating no widespread exploitation yet. The incident can cause a complete service outage on the affected host if the kernel crashes."}}}}, "created": "2026-03-25T21:32:02.187904+00:00", "updated": "2026-03-25T21:32:02.187934+00:00", "vendors": [], "weaknesses": ["CWE-476"]}