Description
In the Linux kernel, the following vulnerability has been resolved:

bnxt_en: Fix NULL pointer dereference

PCIe errors detected by a Root Port or Downstream Port cause error
recovery services to run on all subordinate devices regardless of
administrative state.

The .error_detected() callback, bnxt_io_error_detected(), disables
and synchronizes IRQs via bnxt_disable_int_sync(), which calls
bnxt_cp_num_to_irq_num() to map completion rings to IRQs using
bp->bnapi.

Since bp->bnapi is allocated on NIC open and freed on NIC close, PCIe
error recovery on a closed NIC can dereference a NULL pointer.

Check if bp->bnapi is NULL before disabling and synchronizing IRQs.
Published: 2026-06-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A NULL pointer dereference occurs in the Linux kernel bnxt_en driver when PCIe error recovery runs on a device that has already been closed. During error handling the function bnxt_io_error_detected() attempts to disable and synchronize interrupts through a mapping function that assumes a valid bp->bnapi pointer, which is NULL on a closed NIC. The dereference results in a kernel panic, causing the system to crash and disrupting availability.

Affected Systems

All Linux kernel installations that include the bnxt_en network driver are potentially affected. The CVE does not specify exact kernel versions; the issue exists in pre‑patch kernel releases that contain the unguarded code path. Users should verify whether their kernel contains the commit that adds the NULL‑check guard.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity and the EPSS score of less than 1% shows a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Because the flaw is triggered during internal PCIe error handling, it is likely exploitable only by a privileged user or through a local attack that can induce PCIe errors on a closed Network Interface Card. The primary risk is a local denial of service through a forced kernel crash, with no evidence of remote code execution or privilege escalation.

Generated by OpenCVE AI on June 30, 2026 at 03:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Linux kernel to a version that contains the commit adding the NULL check in bnxt_io_error_detected()
  • If an immediate kernel upgrade is not possible, unload or blacklist the bnxt_en driver with modprobe -r or by adding it to /etc/modprobe.d/blacklist.conf until a patched kernel is available
  • Ensure that NICs are properly closed before any power‑down or reset sequences to avoid triggering error recovery on a closed device, and monitor system logs for PCIe error events

Generated by OpenCVE AI on June 30, 2026 at 03:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sat, 04 Jul 2026 12:15:00 +0000


Tue, 30 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Tue, 30 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Tue, 30 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Thu, 25 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix NULL pointer dereference PCIe errors detected by a Root Port or Downstream Port cause error recovery services to run on all subordinate devices regardless of administrative state. The .error_detected() callback, bnxt_io_error_detected(), disables and synchronizes IRQs via bnxt_disable_int_sync(), which calls bnxt_cp_num_to_irq_num() to map completion rings to IRQs using bp->bnapi. Since bp->bnapi is allocated on NIC open and freed on NIC close, PCIe error recovery on a closed NIC can dereference a NULL pointer. Check if bp->bnapi is NULL before disabling and synchronizing IRQs.
Title bnxt_en: Fix NULL pointer dereference
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-07-04T11:51:01.988Z

Reserved: 2026-06-09T07:44:35.389Z

Link: CVE-2026-53177

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53177 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T04:00:08Z

Weaknesses