CVE-2026-23438 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

net: mvpp2: guard flow control update with global_tx_fc in buffer switching

mvpp2_bm_switch_buffers() unconditionally calls
mvpp2_bm_pool_update_priv_fc() when switching between per-cpu and
shared buffer pool modes. This function programs CM3 flow control
registers via mvpp2_cm3_read()/mvpp2_cm3_write(), which dereference
priv->cm3_base without any NULL check.

When the CM3 SRAM resource is not present in the device tree (the
third reg entry added by commit 60523583b07c ("dts: marvell: add CM3
SRAM memory to cp11x ethernet device tree")), priv->cm3_base remains
NULL and priv->global_tx_fc is false. Any operation that triggers
mvpp2_bm_switch_buffers(), for example an MTU change that crosses
the jumbo frame threshold, will crash:

Unable to handle kernel NULL pointer dereference at
virtual address 0000000000000000
Mem abort info:
ESR = 0x0000000096000006
EC = 0x25: DABT (current EL), IL = 32 bits
pc : readl+0x0/0x18
lr : mvpp2_cm3_read.isra.0+0x14/0x20
Call trace:
readl+0x0/0x18
mvpp2_bm_pool_update_fc+0x40/0x12c
mvpp2_bm_pool_update_priv_fc+0x94/0xd8
mvpp2_bm_switch_buffers.isra.0+0x80/0x1c0
mvpp2_change_mtu+0x140/0x380
__dev_set_mtu+0x1c/0x38
dev_set_mtu_ext+0x78/0x118
dev_set_mtu+0x48/0xa8
dev_ifsioc+0x21c/0x43c
dev_ioctl+0x2d8/0x42c
sock_ioctl+0x314/0x378

Every other flow control call site in the driver already guards
hardware access with either priv->global_tx_fc or port->tx_fc.
mvpp2_bm_switch_buffers() is the only place that omits this check.

Add the missing priv->global_tx_fc guard to both the disable and
re-enable calls in mvpp2_bm_switch_buffers(), consistent with the
rest of the driver.

Published: 2026-04-03

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises in the Linux kernel’s MVPP2 network driver when the driver attempts to switch buffer pools during operations such as changing the MTU past the jumbo frame threshold. A missing null‐pointer check allows the code to dereference a NULL cm3_base pointer, causing a kernel panic. The impact is a system crash, leading to a denial of service and loss of all network services on the affected machine.

Affected Systems

Linux kernels that include the MVPP2 driver, particularly systems using Marvell Ethernet devices that rely on the MVPP2 packet processor. The issue exists in kernel versions prior to the inclusion of the fix that adds a guard for priv->global_tx_fc and the CM3 SRAM resource entry in the device tree.

Risk and Exploitability

The flaw is exploitable locally by an attacker with privileged control who can trigger an MTU change or any operation that forces the driver to switch buffer pools. No remote attack path is evident from the description. The severity is high due to the complete system crash, and while the EPSS score is unavailable and the vulnerability is not listed in KEV, the local nature of the attack combined with halted services suggests a critical risk if the system’s kernel is not updated.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`3a616b92a9d17448d96a33bf58e69f01457fd43a`	affected	< da089f74a993f846685067b14158cb41b879ff29
`3a616b92a9d17448d96a33bf58e69f01457fd43a`	affected	< ff0c54f088f7ab91dbbf47cf8244460f99122750
`3a616b92a9d17448d96a33bf58e69f01457fd43a`	affected	< 7bd20f4b3ef3044dc55acd5b8ef748a70d29d03f
`3a616b92a9d17448d96a33bf58e69f01457fd43a`	affected	< 7df2b50cae1a76cbb90b294f3edb61e3e10bf2e9
`3a616b92a9d17448d96a33bf58e69f01457fd43a`	affected	< 8baced53a35fc9710f80d6ca016a2c418dc3231f
`3a616b92a9d17448d96a33bf58e69f01457fd43a`	affected	< 8a63baadf08453f66eb582fdb6dd234f72024723

Linux

affected

Version	Status	Constraints
`5.12`	affected	—
`0`	unaffected	< 5.12
`6.1.167`	unaffected	≤ 6.1.*
`6.6.130`	unaffected	≤ 6.6.*
`6.12.78`	unaffected	≤ 6.12.*
`6.18.20`	unaffected	≤ 6.18.*
`6.19.10`	unaffected	≤ 6.19.*
`7.0-rc5`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[3a616b92a9d17448d96a33bf58e69f01457fd43a,da089f74a993f846685067b14158cb41b879ff29)`	affected	code_commit	—
`[3a616b92a9d17448d96a33bf58e69f01457fd43a,ff0c54f088f7ab91dbbf47cf8244460f99122750)`	affected	code_commit	—
`[3a616b92a9d17448d96a33bf58e69f01457fd43a,7bd20f4b3ef3044dc55acd5b8ef748a70d29d03f)`	affected	code_commit	—
`[3a616b92a9d17448d96a33bf58e69f01457fd43a,7df2b50cae1a76cbb90b294f3edb61e3e10bf2e9)`	affected	code_commit	—
`[3a616b92a9d17448d96a33bf58e69f01457fd43a,8baced53a35fc9710f80d6ca016a2c418dc3231f)`	affected	code_commit	—
`[3a616b92a9d17448d96a33bf58e69f01457fd43a,8a63baadf08453f66eb582fdb6dd234f72024723)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`5.12`	affected	generic	—
`[0,5.12)`	unaffected	semver	—
`[6.1.167,6.2.0)`	unaffected	semver	—
`[6.6.130,6.7.0)`	unaffected	semver	—
`[6.12.78,6.13.0)`	unaffected	semver	—
`[6.18.20,6.19.0)`	unaffected	semver	—
`[6.19.10,6.20.0)`	unaffected	semver	—
`[7.0-rc5,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that includes the MVPP2 driver patch that adds the CM3 SRAM device tree entry and the global_tx_fc guard.
If a kernel update is not immediately available, adjust the device tree for affected hardware to include the CM3 SRAM memory resource so that priv->cm3_base is set.
Avoid performing MTU changes that cross the jumbo frame threshold on affected systems until the kernel or device tree is updated.

Generated by OpenCVE AI on April 3, 2026 at 18:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/7bd20f4b3ef3044dc55acd5b8ef748a70d29d03f
https://git.kernel.org/stable/c/7df2b50cae1a76cbb90b294f3edb61e3e10bf2e9
https://git.kernel.org/stable/c/8a63baadf08453f66eb582fdb6dd234f72024723
https://git.kernel.org/stable/c/8baced53a35fc9710f80d6ca016a2c418dc3231f
https://git.kernel.org/stable/c/da089f74a993f846685067b14158cb41b879ff29
https://git.kernel.org/stable/c/ff0c54f088f7ab91dbbf47cf8244460f99122750
https://lore.kernel.org/linux-cve-announce/2026040313-CVE-2026-23438-5faa@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23438
https://www.cve.org/CVERecord?id=CVE-2026-23438

History

Sat, 04 Apr 2026 01:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026040313-CVE-2026-23438-5faa@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23438 https://www.cve.org/CVERecord?id=CVE-2026-23438

Fri, 03 Apr 2026 21:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476

Fri, 03 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: guard flow control update with global_tx_fc in buffer switching mvpp2_bm_switch_buffers() unconditionally calls mvpp2_bm_pool_update_priv_fc() when switching between per-cpu and shared buffer pool modes. This function programs CM3 flow control registers via mvpp2_cm3_read()/mvpp2_cm3_write(), which dereference priv->cm3_base without any NULL check. When the CM3 SRAM resource is not present in the device tree (the third reg entry added by commit 60523583b07c ("dts: marvell: add CM3 SRAM memory to cp11x ethernet device tree")), priv->cm3_base remains NULL and priv->global_tx_fc is false. Any operation that triggers mvpp2_bm_switch_buffers(), for example an MTU change that crosses the jumbo frame threshold, will crash: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Mem abort info: ESR = 0x0000000096000006 EC = 0x25: DABT (current EL), IL = 32 bits pc : readl+0x0/0x18 lr : mvpp2_cm3_read.isra.0+0x14/0x20 Call trace: readl+0x0/0x18 mvpp2_bm_pool_update_fc+0x40/0x12c mvpp2_bm_pool_update_priv_fc+0x94/0xd8 mvpp2_bm_switch_buffers.isra.0+0x80/0x1c0 mvpp2_change_mtu+0x140/0x380 __dev_set_mtu+0x1c/0x38 dev_set_mtu_ext+0x78/0x118 dev_set_mtu+0x48/0xa8 dev_ifsioc+0x21c/0x43c dev_ioctl+0x2d8/0x42c sock_ioctl+0x314/0x378 Every other flow control call site in the driver already guards hardware access with either priv->global_tx_fc or port->tx_fc. mvpp2_bm_switch_buffers() is the only place that omits this check. Add the missing priv->global_tx_fc guard to both the disable and re-enable calls in mvpp2_bm_switch_buffers(), consistent with the rest of the driver.
Title		net: mvpp2: guard flow control update with global_tx_fc in buffer switching
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/7bd20f4b3ef3044dc55acd5b8ef748a70d29d03f https://git.kernel.org/stable/c/7df2b50cae1a76cbb90b294f3edb61e3e10bf2e9 https://git.kernel.org/stable/c/8a63baadf08453f66eb582fdb6dd234f72024723 https://git.kernel.org/stable/c/8baced53a35fc9710f80d6ca016a2c418dc3231f https://git.kernel.org/stable/c/da089f74a993f846685067b14158cb41b879ff29 https://git.kernel.org/stable/c/ff0c54f088f7ab91dbbf47cf8244460f99122750

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-03T15:15:22.701Z

Updated: 2026-04-03T15:15:22.701Z

Reserved: 2026-01-13T15:37:46.017Z

Link: CVE-2026-23438

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-03T16:16:25.540

Modified: 2026-04-03T16:16:25.540

Link: CVE-2026-23438

Redhat

Severity :

Publid Date: 2026-04-03T00:00:00Z

Links: CVE-2026-23438 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T21:16:13Z

Weaknesses

CWE-476

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object