Description
In the Linux kernel, the following vulnerability has been resolved:

fbnic: close fw_log race between users and teardown

Fixes a theoretical race on fw_log between the teardown path and fw_log
write functions.

fw_log is written inside fbnic_fw_log_write() and can be reached from
the mailbox handler fbnic_fw_msix_intr(), but fw_log is freed before
IRQ/MBX teardown during cleanup, resulting in a potential data race of
dereferencing a freed/null variable.

Possible Interleaving Scenario:
CPU0: fbnic_fw_msix_intr() // Entry
fbnic_fw_log_write()
if (fbnic_fw_log_ready()) // true
... preempt ...
CPU1: fbnic_remove() // Entry
fbnic_fw_log_free()
vfree(log->data_start);
log->data_start = NULL;
CPU0: continues, walks log->entries or writes to log->data_start

The initialization also has an incorrect order problem, as the fw_log
is currently allocated after MBX setup during initialization.
Fix the problems by adjusting the synchronization order to put
initialization in place before the mailbox is enabled, and not cleared
until after the mailbox has been disabled.
Published: 2026-05-27
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel’s fbnic driver has a race condition between its mailbox handler and the teardown routine that can result in a use‑after‑free race. When a firmware log write occurs while the driver is being removed, the fw_log structure may be freed or set to NULL, and the handler may later dereference it. This could cause a kernel panic or process crash, leading to denial of service or instability. The flaw is identified as CWE‑364.

Affected Systems

Any Linux system running a kernel that includes the fbnic driver without the referenced commit is vulnerable. The vulnerability applies to the default kernel in all distributions that ship the standard Linux kernel, as the affected vendor list indicates Linux:Linux. No specific kernel versions are documented, so any kernel revision that has not yet incorporated the patch is at risk.

Risk and Exploitability

The CVSS score of 5.5 places the vulnerability in the moderate category. The EPSS score of less than 1% indicates a very low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that exploitation would require local kernel interaction with the fbnic driver, likely involving privileged or root access to trigger concurrent mailbox activity and removal. Because the flaw can lead to a kernel crash, the risk is primarily denial of service rather than privilege escalation, but it should be treated as a high‑priority patching issue for affected systems.

Generated by OpenCVE AI on June 18, 2026 at 04:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that implements the fbnic fw_log race condition fix by applying the Git commits referenced in the advisory.
  • Upgrade to a Linux kernel version that contains the commit correcting the fbnic driver race.
  • If the fbnic interface is not required, remove or disable the driver from the kernel configuration to eliminate the threat surface.

Generated by OpenCVE AI on June 18, 2026 at 04:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Thu, 28 May 2026 03:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Thu, 28 May 2026 00:15:00 +0000


Wed, 27 May 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: fbnic: close fw_log race between users and teardown Fixes a theoretical race on fw_log between the teardown path and fw_log write functions. fw_log is written inside fbnic_fw_log_write() and can be reached from the mailbox handler fbnic_fw_msix_intr(), but fw_log is freed before IRQ/MBX teardown during cleanup, resulting in a potential data race of dereferencing a freed/null variable. Possible Interleaving Scenario: CPU0: fbnic_fw_msix_intr() // Entry fbnic_fw_log_write() if (fbnic_fw_log_ready()) // true ... preempt ... CPU1: fbnic_remove() // Entry fbnic_fw_log_free() vfree(log->data_start); log->data_start = NULL; CPU0: continues, walks log->entries or writes to log->data_start The initialization also has an incorrect order problem, as the fw_log is currently allocated after MBX setup during initialization. Fix the problems by adjusting the synchronization order to put initialization in place before the mailbox is enabled, and not cleared until after the mailbox has been disabled.
Title fbnic: close fw_log race between users and teardown
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:18:35.858Z

Reserved: 2026-05-13T15:03:33.090Z

Link: CVE-2026-45977

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-27T14:17:14.800

Modified: 2026-06-17T10:52:50.050

Link: CVE-2026-45977

cve-icon Redhat

Severity :

Publid Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45977 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T04:15:15Z

Weaknesses