Description
In the Linux kernel, the following vulnerability has been resolved:

net: phy: clean the sfp upstream if phy probing fails

Sashiko reported that we don't call sfp_bus_del_upstream() in the probe
failure path, so let's add it, otherwise the sfp-bus is left with a
dangling 'upstream' field, that may be used later on during SFP events.

This issue existed before the generic phylib sfp support, back when
drivers were calling phy_sfp_probe themselves.
Published: 2026-06-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel PHY subsystem can leave a dangling reference to the SFP bus when a phy probe fails. Because the cleanup function sfp_bus_del_upstream() is not called in this failure path, the upstream field remains pointing to freed memory. If a later SFP event uses this stale pointer, undefined kernel behavior can occur, potentially causing a crash or other fault. This is a classic use‑after‑free or null‑pointer dereference weakness. Based on the description, it is inferred that a later SFP event could dereference the stale pointer.
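A minimal user-space model of the error-path pattern described above, added here as an illustration. It is not kernel code and not taken from the patch; every name in it (model_bus, model_phy, model_probe and so on) is hypothetical, and the "released" flag only stands in for device state going away after a failed probe.

```c
/* Constructed model of "register upstream, then fail later in probe".
 * All names are hypothetical; this is not the kernel's implementation. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct model_phy { bool alive; };                 /* stands in for the phy device */
struct model_bus { struct model_phy *upstream; }; /* stands in for the sfp-bus */

/* Probe registers the phy as the bus upstream, then a later step may fail.
 * cleanup_on_error selects whether the error path unregisters first,
 * which is the step the fix adds. Returns 0 on success, -1 on failure. */
static int model_probe(struct model_bus *bus, struct model_phy *phy,
                       bool later_step_fails, bool cleanup_on_error)
{
    phy->alive = true;
    bus->upstream = phy;              /* registration with the bus */

    if (later_step_fails) {
        if (cleanup_on_error)
            bus->upstream = NULL;     /* unregister before tearing down */
        phy->alive = false;           /* device state is released */
        return -1;
    }
    return 0;
}

/* True when the bus still references a phy that no longer exists,
 * i.e. a later bus event would act on a stale upstream. */
static bool upstream_is_stale(const struct model_bus *bus)
{
    return bus->upstream != NULL && !bus->upstream->alive;
}

/* Run one probe and report whether it left a stale upstream behind. */
static bool stale_after_probe(bool later_step_fails, bool cleanup_on_error)
{
    struct model_phy phy = { 0 };
    struct model_bus bus = { 0 };

    (void)model_probe(&bus, &phy, later_step_fails, cleanup_on_error);
    return upstream_is_stale(&bus);
}

int main(void)
{
    printf("failed probe, no cleanup:   stale=%d\n", stale_after_probe(true, false));
    printf("failed probe, with cleanup: stale=%d\n", stale_after_probe(true, true));
    return 0;
}
```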

Affected Systems

All versions of the Linux kernel that compile the generic phylib SFP support before the patch commit 48774e87bbaa0056819d4b52301e4692e50e3252 are impacted. The vulnerability applies to builds that use the legacy phy probing path and include the unmodified upstream cleanup code. No specific kernel versions are listed, so any system that has not yet adopted the commit is potentially affected.

Risk and Exploitability

Official severity metrics are not published and the entry is not listed in the CISA KEV catalog. Exploitation would require an attacker to induce a failed phy probe and then trigger a subsequent SFP event that accesses the dangling pointer. There are no documented public exploits, so the likelihood of exploitation remains uncertain. While the weakness could cause a kernel fault, the risk is considered low to moderate without further evidence of an active attack. Based on the description, it is inferred that an attacker with local access could trigger a phy probe failure followed by an SFP event to exercise the stale pointer.

Generated by OpenCVE AI on June 25, 2026 at 12:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to a release that incorporates commit 48774e87bbaa0056819d4b52301e4692e50e3252, which removes the dangling upstream reference.
  • If a kernel update is not immediately possible, apply the patch manually to the source tree and rebuild the kernel.
  • If the system does not require SFP support, disable or unload the phylib SFP module to eliminate the vulnerable code path.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 13:00:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-416, CWE-476

Thu, 25 Jun 2026 09:15:00 +0000

Type | Values Removed | Values Added
Description | | In the Linux kernel, the following vulnerability has been resolved: net: phy: clean the sfp upstream if phy probing fails Sashiko reported that we don't call sfp_bus_del_upstream() in the probe failure path, so let's add it, otherwise the sfp-bus is left with a dangling 'upstream' field, that may be used later on during SFP events. This issue existed before the generic phylib sfp support, back when drivers were calling phy_sfp_probe themselves.
Title | | net: phy: clean the sfp upstream if phy probing fails
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:39:30.527Z

Reserved: 2026-06-09T07:44:35.393Z

Link: CVE-2026-53232

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T12:45:15Z

Weaknesses