Description
In the Linux kernel, the following vulnerability has been resolved:

bnxt_en: Fix RSS context delete logic

We need to free the corresponding RSS context VNIC
in FW everytime an RSS context is deleted in driver.
Commit 667ac333dbb7 added a check to delete the VNIC
in FW only when netif_running() is true to help delete
RSS contexts with interface down.

Having that condition will make the driver leak VNICs
in FW whenever close() happens with active RSS contexts.
On the subsequent open(), as part of RSS context restoration,
we will end up trying to create extra VNICs for which we
did not make any reservation. FW can fail this request,
thereby making us lose active RSS contexts.

Suppose an RSS context is deleted already and we try to
process a delete request again, then the HWRM functions
will check for validity of the request and they simply
return if the resource is already freed. So, even for
delete-when-down cases, netif_running() check is not
necessary.

Remove the netif_running() condition check when deleting
an RSS context.
Published: 2026-05-06
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A logic flaw in the bnxt_en driver deletes the firmware virtual network interface (VNIC) for an RSS context when the network device is closed while the interface is down. This causes VNIC resources to leak; when the interface is reopened the driver attempts to create additional VNICs that were not reserved, leading to failures in the firmware and loss of RSS functionality. The result is degraded network throughput and can cause a denial of service if the VNIC pool is exhausted.

Affected Systems

The flaw exists in Linux kernels that compile the bnxt_en driver before the inclusion of commit 667ac333dbb7. All Linux systems using that driver, regardless of distribution, are potentially affected.

Risk and Exploitability

The EPSS score of < 1% indicates a very low likelihood of exploitation, and the CVSS score of 7.8 reflects high severity. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires local access to trigger the deletion of an RSS context when the interface is down, so arbitrary remote exploitation is unlikely. The overall risk remains high, limited to loss of RSS support and associated performance loss rather than a high‑severity exploit.

Generated by OpenCVE AI on May 8, 2026 at 21:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that includes commit 667ac333dbb7. The patch removes the erroneous netif_running check when deleting an RSS context.
  • If a kernel upgrade is not immediately possible, cherry‑pick or apply the commit to the local kernel source, rebuild the bnxt_en module, and install the patched driver.
  • As a temporary measure, disable RSS offload on affected interfaces with a command such as ethtool -K <interface> rss off to avoid triggering the faulty deletion logic during interface closure.

Generated by OpenCVE AI on May 8, 2026 at 21:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 08 May 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-415
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 07 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix RSS context delete logic We need to free the corresponding RSS context VNIC in FW everytime an RSS context is deleted in driver. Commit 667ac333dbb7 added a check to delete the VNIC in FW only when netif_running() is true to help delete RSS contexts with interface down. Having that condition will make the driver leak VNICs in FW whenever close() happens with active RSS contexts. On the subsequent open(), as part of RSS context restoration, we will end up trying to create extra VNICs for which we did not make any reservation. FW can fail this request, thereby making us lose active RSS contexts. Suppose an RSS context is deleted already and we try to process a delete request again, then the HWRM functions will check for validity of the request and they simply return if the resource is already freed. So, even for delete-when-down cases, netif_running() check is not necessary. Remove the netif_running() condition check when deleting an RSS context.
Title bnxt_en: Fix RSS context delete logic
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:21:07.350Z

Reserved: 2026-05-01T14:12:55.997Z

Link: CVE-2026-43260

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-06T12:16:46.883

Modified: 2026-05-08T20:31:55.037

Link: CVE-2026-43260

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43260 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T21:45:19Z

Weaknesses