Description
In the Linux kernel, the following vulnerability has been resolved:

net: ethernet: xscale: Check for PTP support properly

In ixp4xx_get_ts_info() ixp46x_ptp_find() is called
unconditionally despite this feature only existing on
ixp46x, leading to the following splat from tcpdump:

root@OpenWrt:~# tcpdump -vv -X -i eth0
(...)
Unable to handle kernel NULL pointer dereference at virtual address
00000238 when read
(...)
Call trace:
ptp_clock_index from ixp46x_ptp_find+0x1c/0x38
ixp46x_ptp_find from ixp4xx_get_ts_info+0x4c/0x64
ixp4xx_get_ts_info from __ethtool_get_ts_info+0x90/0x108
__ethtool_get_ts_info from __dev_ethtool+0xa00/0x2648
__dev_ethtool from dev_ethtool+0x160/0x234
dev_ethtool from dev_ioctl+0x2cc/0x460
dev_ioctl from sock_ioctl+0x1ec/0x524
sock_ioctl from sys_ioctl+0x51c/0xa94
sys_ioctl from ret_fast_syscall+0x0/0x44
(...)
Segmentation fault

Check for ixp46x in ixp46x_ptp_find() before trying to set up
PTP to avoid this.

To avoid altering the returned error code from ixp4xx_hwtstamp_set()
which before this patch was -EOPNOTSUPP, we return -EOPNOTSUPP
from ixp4xx_hwtstamp_set() if ixp46x_ptp_find() fails no matter
the error code. The helper function ixp46x_ptp_find() helper
returns -ENODEV.
Published: 2026-05-06
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel, a call to ixp4xx_get_ts_info() executed ixp46x_ptp_find() unconditionally, dereferencing a NULL pointer on systems that do not support IXP46x PTP. The resulting kernel panic manifests as a segmentation fault when an ethtool command is run, causing a denial of service. This flaw stems from improper validation of the device type and is represented by CWE‑476.

Affected Systems

The vulnerability impacts all Linux kernel releases that contain the ixp4xx Ethernet driver and have not been patched to include the defensive check for IXP46x support. Systems running XScale IXP processors and any distribution‑supplied kernel that exposes the ethtool timestamp interface are vulnerable. The advisory does not list exact version ranges; applying a kernel that incorporates commit 144dde3146985b25fa84d4e4b7c3d11e0f5fc5a4 or later resolves the issue.

Risk and Exploitability

The CVSS score is not publicly disclosed and the EPSS score is unavailable, but the flaw can trigger a kernel crash, leading to a local denial of service. Exploitation requires the ability to issue ethtool commands or otherwise invoke the timestamp query, so the attack vector is likely local or remote through the network interface. The vulnerability is not listed in the CISA KEV catalog, indicating no widespread exploitation has been reported. Updating the kernel remains the most effective mitigation.

Generated by OpenCVE AI on May 6, 2026 at 14:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest Linux kernel that includes the patch fixing the ixp4xx_get_ts_info NULL dereference.
  • If a kernel upgrade is not feasible, disable PTP support in the ixp4xx driver by altering the kernel configuration or removing the module from use.
  • As a temporary measure, avoid running ethtool commands that query timestamps (e.g., "ethtool -T eth0") on affected devices until the kernel is updated.

Generated by OpenCVE AI on May 6, 2026 at 14:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 06 May 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: net: ethernet: xscale: Check for PTP support properly In ixp4xx_get_ts_info() ixp46x_ptp_find() is called unconditionally despite this feature only existing on ixp46x, leading to the following splat from tcpdump: root@OpenWrt:~# tcpdump -vv -X -i eth0 (...) Unable to handle kernel NULL pointer dereference at virtual address 00000238 when read (...) Call trace: ptp_clock_index from ixp46x_ptp_find+0x1c/0x38 ixp46x_ptp_find from ixp4xx_get_ts_info+0x4c/0x64 ixp4xx_get_ts_info from __ethtool_get_ts_info+0x90/0x108 __ethtool_get_ts_info from __dev_ethtool+0xa00/0x2648 __dev_ethtool from dev_ethtool+0x160/0x234 dev_ethtool from dev_ioctl+0x2cc/0x460 dev_ioctl from sock_ioctl+0x1ec/0x524 sock_ioctl from sys_ioctl+0x51c/0xa94 sys_ioctl from ret_fast_syscall+0x0/0x44 (...) Segmentation fault Check for ixp46x in ixp46x_ptp_find() before trying to set up PTP to avoid this. To avoid altering the returned error code from ixp4xx_hwtstamp_set() which before this patch was -EOPNOTSUPP, we return -EOPNOTSUPP from ixp4xx_hwtstamp_set() if ixp46x_ptp_find() fails no matter the error code. The helper function ixp46x_ptp_find() helper returns -ENODEV.
Title net: ethernet: xscale: Check for PTP support properly
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T11:27:48.097Z

Reserved: 2026-05-01T14:12:55.991Z

Link: CVE-2026-43173

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-06T12:16:35.707

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43173

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T14:15:05Z

Weaknesses