The LAN966X network driver contains a flaw where a page pool creation failure is not properly handled. The code uses the error pointer returned by page_pool_create without an IS_ERR check, and later dereferences it during XDP memory setup. This NULL pointer dereference (CWE-476) triggers a kernel oops and a system crash, resulting in denial of service.

All Linux kernel releases that include the LAN966X driver are vulnerable. According to the affected platform enumeration, versions 6.2 and all 7.0 release candidates (RC1 through RC7) are impacted until updated with the patch that introduces error handling after page_pool_create. The vulnerability applies to any system running a Linux kernel that includes the LAN966X driver.

The CVSS score of 5.5 reflects a moderate impact mainly in terms of availability. The EPSS score of <1% indicates a very low expected exploitation probability, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is local or privileged access capable of sending malicious network traffic or otherwise triggering the driver’s memory allocation routine. Because the flaw requires a failure of page_pool_create – an event that is typically associated with low memory conditions – it is not trivially exploitable, but it can be triggered in constrained environments or by carefully crafted packets. Overall, the risk is moderate but exploitation is unlikely under normal operating conditions.