Description
In the Linux kernel, the following vulnerability has been resolved:

fbnic: close fw_log race between users and teardown

Fixes a theoretical race on fw_log between the teardown path and fw_log
write functions.

fw_log is written inside fbnic_fw_log_write() and can be reached from
the mailbox handler fbnic_fw_msix_intr(), but fw_log is freed before
IRQ/MBX teardown during cleanup, resulting in a potential data race of
dereferencing a freed/null variable.

Possible Interleaving Scenario:
  CPU0: fbnic_fw_msix_intr() // Entry
          fbnic_fw_log_write()
            if (fbnic_fw_log_ready()) // true
          ... preempt ...
  CPU1: fbnic_remove() // Entry
          fbnic_fw_log_free()
            vfree(log->data_start);
            log->data_start = NULL;
  CPU0: continues, walks log->entries or writes to log->data_start

The initialization also has an incorrect order problem, as the fw_log
is currently allocated after MBX setup during initialization.
Fix the problems by adjusting the synchronization order to put
initialization in place before the mailbox is enabled, and not cleared
until after the mailbox has been disabled.
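
The ordering rule described above, as an added example: a constructed user-space model, not the fbnic driver's code or the referenced patch. It fires a mailbox interrupt after every bring-up and teardown step and counts the points where the handler could run with no log buffer. All names are hypothetical, and mbx_disable() is assumed to also wait for in-flight handlers.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed user-space model; all names are hypothetical, not fbnic code. */
enum { LOG_SIZE = 64 };
struct model_dev {
    char *log_data;        /* stands in for log->data_start */
    bool mbx_enabled;      /* the handler can only fire while this is true */
    unsigned unsafe_hits;  /* handler ran while no log buffer existed */
};

static void log_alloc(struct model_dev *d) { d->log_data = calloc(1, LOG_SIZE); }
static void log_free(struct model_dev *d) { free(d->log_data); d->log_data = NULL; }
static void mbx_enable(struct model_dev *d) { d->mbx_enabled = true; }
/* Assumption: disabling also waits for in-flight handlers to finish. */
static void mbx_disable(struct model_dev *d) { d->mbx_enabled = false; }

/* Mailbox interrupt arriving at an arbitrary point in the lifecycle. */
static void mbx_irq(struct model_dev *d, const char *msg)
{
    if (!d->mbx_enabled)
        return;                      /* source quiesced: handler cannot run */
    if (!d->log_data) {              /* in the kernel: freed/NULL dereference */
        d->unsafe_hits++;
        return;
    }
    strncpy(d->log_data, msg, LOG_SIZE - 1);
}

typedef void (*step_fn)(struct model_dev *);

/* Run a bring-up/teardown sequence, firing an interrupt after every step. */
unsigned lifecycle_unsafe_windows(bool fixed_order)
{
    static const step_fn buggy[] = { mbx_enable, log_alloc, log_free, mbx_disable };
    static const step_fn fixed[] = { log_alloc, mbx_enable, mbx_disable, log_free };
    const step_fn *steps = fixed_order ? fixed : buggy;
    struct model_dev d = {0};

    for (size_t i = 0; i < 4; i++) {
        steps[i](&d);
        mbx_irq(&d, "constructed fw log entry");
    }
    return d.unsafe_hits;
}

int main(void)
{
    printf("buggy=%u fixed=%u\n", lifecycle_unsafe_windows(false),
           lifecycle_unsafe_windows(true));
    return 0;
}
```

The buggy order exposes one window during bring-up and one during teardown; the corrected order exposes none, because the log buffer outlives every period in which the handler can run.
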
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel, the fbnic driver contains a race condition between the mailbox handler that writes to the firmware log and the teardown routine that frees this log. If the handler performs a write while the removal routine has already freed the log structure, the code may dereference a freed or NULL pointer, resulting in a failed assertion, kernel crash, or other instability. The flaw is a use‑after‑free data race, identified as CWE‑416. No other direct security impact is documented in the CVE description.

Affected Systems

Any system running a Linux kernel that includes the fbnic driver before the commit that patches the race is affected. The vendor information indicates that the vulnerability applies to all Linux distributions that ship the standard kernel. The specific affected kernel versions are not listed, so any kernel versions that have not yet incorporated the referenced patch are at risk.

Risk and Exploitability

The CVE does not provide an exploit and the EPSS score is unavailable. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require local kernel interaction with the fbnic driver, typically involving privileged or root access to trigger concurrent mailbox and removal events. Because the flaw can lead to a kernel panic or process crash, the risk is primarily a denial of service and potential instability rather than immediate privilege escalation. System administrators should treat it as a high‑priority issue for kernels that depend on fbnic.

Generated by OpenCVE AI on May 27, 2026 at 18:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Git commits referenced in the advisory that fix the fbnic fw_log race condition.
  • Upgrade to a Linux kernel version that contains the commit correcting the fbnic driver race.
  • If the fbnic interface is not required, remove or disable the driver from the kernel configuration to eliminate the threat surface.



Advisories

No advisories yet.

History

Wed, 27 May 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Title fbnic: close fw_log race between users and teardown
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:18:35.858Z

Reserved: 2026-05-13T15:03:33.090Z

Link: CVE-2026-45977

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-27T14:17:14.800

Modified: 2026-05-27T14:48:03.013

Link: CVE-2026-45977

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T19:00:16Z

Weaknesses