CVE-2026-22985

5.5 MEDIUM

📋 TL;DR

A NULL pointer dereference vulnerability in the Linux kernel's idpf driver causes a kernel crash when ethtool operations (like rxhash on/off) are performed before the network interface is brought up. This affects systems using the idpf driver for Intel Ethernet devices. The vulnerability allows local attackers with CAP_NET_ADMIN capabilities to cause denial of service.

💻 Affected Systems

Products:
  • Linux kernel with idpf driver
Versions: Linux kernel versions with vulnerable idpf driver before fixes in commits 83f38f210b85676f40ba8586b5a8edae19b56995 and b29a5a7dd1f4293ee49c469938c25bf85a5aa802
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires idpf driver loaded and network interfaces created but not yet brought up.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case: Local attacker with CAP_NET_ADMIN privileges causes kernel panic leading to system crash and denial of service.

🟠 Likely Case: Accidental triggering by administrators performing ethtool operations before bringing interfaces up, causing system instability.

🟢 If Mitigated: Minimal impact if proper access controls prevent unauthorized users from running ethtool commands.

🌐 Internet-Facing: LOW - Requires local access with specific privileges, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Local users with CAP_NET_ADMIN or root access can crash the system.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access and CAP_NET_ADMIN privileges. Simple command execution triggers the crash.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel with fixes from commits 83f38f210b85676f40ba8586b5a8edae19b56995 and b29a5a7dd1f4293ee49c469938c25bf85a5aa802

Vendor Advisory: https://git.kernel.org/stable/c/83f38f210b85676f40ba8586b5a8edae19b56995

Restart Required: Yes

Instructions:

1. Update Linux kernel to version containing the fixes.
2. Reboot system to load patched kernel.
3. Verify idpf driver is updated.

🔧 Temporary Workarounds

Avoid early ethtool operations

linux

Do not perform ethtool operations on idpf interfaces before bringing them up for the first time.

Restrict ethtool access

linux

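Limit CAP_NET_ADMIN capabilities to trusted users only. The commands below remove any file capabilities from the ethtool binary and restrict its execution to its owner and group. A process that already holds CAP_NET_ADMIN can still send the same requests to the kernel without this binary, so also review which users and services hold that capability.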

setcap -r /sbin/ethtool
chmod 750 /sbin/ethtool

🧯 If You Can't Patch

  • Restrict access to ethtool command to authorized administrators only.
  • Ensure network interfaces are brought up before performing any ethtool configuration changes.
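
One way to enforce the "interface up first" rule from the workaround and the list above is a wrapper that checks sysfs before calling ethtool. This is an added example, not part of the advisory or the kernel fix; the function names and the overridable SYSFS_ROOT variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): block ethtool changes on idpf
# interfaces that are administratively down. "Down now" is a conservative
# stand-in for "never brought up", which sysfs does not record.
# SYSFS_ROOT is overridable so the logic can be run against a constructed tree.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# Print the name of the driver bound to interface $1 (empty for virtual devices).
iface_driver() {
    link="$SYSFS_ROOT/class/net/$1/device/driver"
    [ -L "$link" ] || return 0
    basename "$(readlink "$link")"
}

# Succeed if interface $1 has IFF_UP (bit 0x1) set in its sysfs flags file.
iface_is_up() {
    flags=$(cat "$SYSFS_ROOT/class/net/$1/flags" 2>/dev/null) || return 1
    [ -n "$flags" ] || return 1
    [ $(( $flags & 1 )) -eq 1 ]
}

# Exit status: 0 = change may proceed, 1 = idpf interface is down,
# 2 = no such interface.
ethtool_change_allowed() {
    [ -d "$SYSFS_ROOT/class/net/$1" ] || return 2
    [ "$(iface_driver "$1")" = "idpf" ] || return 0
    iface_is_up "$1"
}

# Drop-in wrapper, e.g.: guarded_ethtool -K eth0 rxhash off
# Assumes the interface name is the second argument, as in "ethtool -K DEV ...".
guarded_ethtool() {
    if ethtool_change_allowed "$2"; then
        ethtool "$@"
    else
        echo "refusing: $2 is missing or is an idpf interface that is down" >&2
        return 1
    fi
}
```

The check and the ethtool call are not atomic, so the wrapper guards against accidental triggering by administrators and provisioning scripts rather than against a deliberate local user.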

🔍 How to Verify

Check if Vulnerable:

Check if idpf driver is loaded: lsmod | grep idpf. If loaded, system may be vulnerable if kernel lacks patches.

Check Version:

uname -r

Verify Fix Applied:

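Check that the source the running kernel was built from contains the fix commits. /proc/version holds only the version string and build information, not commit hashes, so a grep for the hashes against it never matches. In the kernel git tree used for the build, test each commit: git merge-base --is-ancestor 83f38f210b85676f40ba8586b5a8edae19b56995 HEAD ; git merge-base --is-ancestor b29a5a7dd1f4293ee49c469938c25bf85a5aa802 HEAD (exit status 0 means that commit is present). For a distribution kernel, check the package changelog or vendor advisory for CVE-2026-22985.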

📡 Detection & Monitoring

Log Indicators:

  • Kernel NULL pointer dereference errors in dmesg or /var/log/kern.log
  • BUG: kernel NULL pointer dereference messages with idpf driver references

Network Indicators:

  • Sudden network interface disappearance
  • System crash following ethtool commands

SIEM Query:

source="kernel" AND "NULL pointer dereference" AND "idpf"
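
The keyword query above also matches unrelated oopses on any host where idpf merely appears in the "Modules linked in" line. The added example below (not from the advisory) groups log lines into oops blocks and attributes a block to idpf only when the faulting RIP is inside the module; it assumes the x86-64 oops layout, and every log line and symbol name in it is a constructed placeholder.

```shell
#!/bin/sh
# Added example: triage kernel logs for the crash signature described above.
# The log lines are constructed samples; idpf_placeholder_fn and the
# "othernic" module are placeholders, not names from the real driver.
sample_log() {
cat <<'EOF'
[  101.000001] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  101.000002] CPU: 3 PID: 4242 Comm: ethtool Not tainted
[  101.000003] RIP: 0010:idpf_placeholder_fn+0x1a/0x60 [idpf]
[  101.000004] Modules linked in: idpf othernic
[  101.000005] ---[ end trace 0000000000000000 ]---
[  950.000001] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  950.000002] CPU: 1 PID: 777 Comm: kworker/1:2 Not tainted
[  950.000003] RIP: 0010:othernic_placeholder_fn+0x8/0x40 [othernic]
[  950.000004] Modules linked in: idpf othernic
[  950.000005] ---[ end trace 0000000000000000 ]---
EOF
}

# idpf_oops <mode>: read a kernel log on stdin and print the Comm (process
# name) of every NULL-dereference oops block attributed to idpf.
#   naive   - the block mentions "idpf" anywhere (what a keyword AND does)
#   precise - the faulting RIP is inside [idpf]
idpf_oops() {
    awk -v mode="$1" '
        function emit() { if (in_oops && hit) print comm; in_oops = 0 }
        /BUG: kernel NULL pointer dereference/ {
            emit(); in_oops = 1; hit = 0; comm = "?"
        }
        in_oops && match($0, /Comm: [^ ]+/) {
            comm = substr($0, RSTART + 6, RLENGTH - 6)
        }
        in_oops && mode == "naive"   && /idpf/            { hit = 1 }
        in_oops && mode == "precise" && /RIP: .*\[idpf\]/ { hit = 1 }
        in_oops && /---\[ end trace/ { emit() }
        END { emit() }   # log cut off mid-oops, e.g. the host went down
    '
}
```

On a live host, feed it `dmesg` or the persisted kernel log; a precise hit whose Comm is ethtool matches the trigger described in this advisory.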
