CVE-2026-46188 - Vulnerability Details

- octeon_ep_vf: add NULL check for napi_build_skb()

Description

In the Linux kernel, the following vulnerability has been resolved:

octeon_ep_vf: add NULL check for napi_build_skb()

napi_build_skb() can return NULL on allocation failure. In
__octep_vf_oq_process_rx(), the result is used directly without a NULL
check in both the single-buffer and multi-fragment paths, leading to a
NULL pointer dereference.

Add NULL checks after both napi_build_skb() calls, properly advancing
descriptors and consuming remaining fragments on failure.

Published: 2026-05-28

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The octeon_ep_vf receive function fails to check the return value of napi_build_skb(); when the network stack passes a packet to the driver, the helper can return NULL on an allocation failure. The driver then dereferences this pointer without validation, causing a kernel null pointer dereference that crashes the system. This flaw directly compromises kernel stability.

Affected Systems

The vulnerability resides in the octeon_ep_vf driver that ships with the mainline Linux kernel. Any distribution that includes this driver for Octeon EP virtual functions is affected. Vulnerable kernel builds are those that do not include the patch referenced in the commit logs; specific version numbers are not listed but all pre‑patch releases carry the flaw.

Risk and Exploitability

The CVSS score of 5.5 indicates a medium severity for a NULL pointer dereference that could lead to a kernel crash. With an EPSS score of less than 1% and no listing in CISA KEV, the exploitation likelihood is low, but the impact remains that, based on the description, it is inferred that a remote attacker could trigger a kernel panic by sending crafted packets to the octeon_ep_vf NIC without privileged access. Therefore, the overall risk is moderate, especially for systems exposing these virtual functions.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`1cd3b407977c3ab1d2ddc26cb7113e7fb1509cd1`	affected	< 60246cdd4c515ea7d920cddf48932efcb990773e
`1cd3b407977c3ab1d2ddc26cb7113e7fb1509cd1`	affected	< b0f4711b426a06fb4c4be85c36b9f5588d5140d3
`1cd3b407977c3ab1d2ddc26cb7113e7fb1509cd1`	affected	< 6fef6640bbf360e254cc0174365ed30ce3a07572
`1cd3b407977c3ab1d2ddc26cb7113e7fb1509cd1`	affected	< dd66b42854705e4e4ee7f14d260f86c578bed3e3

Linux

affected

Version	Status	Constraints
`6.9`	affected	—
`0`	unaffected	< 6.9
`6.12.88`	unaffected	≤ 6.12.*
`6.18.30`	unaffected	≤ 6.18.*
`7.0.7`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1cd3b407977c3ab1d2ddc26cb7113e7fb1509cd1,60246cdd4c515ea7d920cddf48932efcb990773e)`	affected	code_commit	—
`[1cd3b407977c3ab1d2ddc26cb7113e7fb1509cd1,b0f4711b426a06fb4c4be85c36b9f5588d5140d3)`	affected	code_commit	—
`[1cd3b407977c3ab1d2ddc26cb7113e7fb1509cd1,6fef6640bbf360e254cc0174365ed30ce3a07572)`	affected	code_commit	—
`[1cd3b407977c3ab1d2ddc26cb7113e7fb1509cd1,dd66b42854705e4e4ee7f14d260f86c578bed3e3)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.9`	affected	generic	—
`[0,6.9)`	unaffected	generic	—
`[6.12.88,6.13.0)`	unaffected	semver	—
`[6.18.30,6.19.0)`	unaffected	semver	—
`[7.0.7,7.1.0)`	unaffected	semver	—
`[7.1-rc1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Linux kernel to a version that includes the commit adding NULL checks to napi_build_skb() in octeon_ep_vf.
If an immediate kernel update is not possible, disable the octeon_ep_vf driver or disconnect the associated OEM NICs to remove the vulnerable code path from operation.
Enable kernel crash dumping (kdump) and monitor dmesg for Oops messages; verify that the patched kernel no longer logs null-pointer dereference crashes when traffic is directed to the device.

Generated by OpenCVE AI on May 29, 2026 at 03:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00127.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/60246cdd4c515ea7d920cddf48932efcb990773e
https://git.kernel.org/stable/c/6fef6640bbf360e254cc0174365ed30ce3a07572
https://git.kernel.org/stable/c/b0f4711b426a06fb4c4be85c36b9f5588d5140d3
https://git.kernel.org/stable/c/dd66b42854705e4e4ee7f14d260f86c578bed3e3
https://lore.kernel.org/linux-cve-announce/2026052831-CVE-2026-46188-7083@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-46188
https://www.cve.org/CVERecord?id=CVE-2026-46188

History

Fri, 29 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026052831-CVE-2026-46188-7083@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-46188 https://www.cve.org/CVERecord?id=CVE-2026-46188
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Moderate`

Thu, 28 May 2026 12:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476

Thu, 28 May 2026 10:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: octeon_ep_vf: add NULL check for napi_build_skb() napi_build_skb() can return NULL on allocation failure. In __octep_vf_oq_process_rx(), the result is used directly without a NULL check in both the single-buffer and multi-fragment paths, leading to a NULL pointer dereference. Add NULL checks after both napi_build_skb() calls, properly advancing descriptors and consuming remaining fragments on failure.
Title		octeon_ep_vf: add NULL check for napi_build_skb()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/60246cdd4c515ea7d920cddf48932efcb990773e https://git.kernel.org/stable/c/6fef6640bbf360e254cc0174365ed30ce3a07572 https://git.kernel.org/stable/c/b0f4711b426a06fb4c4be85c36b9f5588d5140d3 https://git.kernel.org/stable/c/dd66b42854705e4e4ee7f14d260f86c578bed3e3

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-28T09:36:42.251Z

Updated: 2026-06-14T18:01:19.185Z

Reserved: 2026-05-13T15:03:33.104Z

Link: CVE-2026-46188

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-28T10:16:34.440

Modified: 2026-06-11T03:06:59.220

Link: CVE-2026-46188

Redhat

Severity : Moderate

Publid Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46188 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T03:30:26Z

Weaknesses

CWE-476
NULL Pointer Dereference

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object