CVE-2026-22993
📋 TL;DR
A NULL pointer dereference vulnerability in the Linux kernel's idpf driver allows local attackers to cause a kernel panic (denial of service) by accessing the RSS LUT via ethtool commands after a soft reset. This affects systems using the idpf driver with specific network interface configurations. Only local users with CAP_NET_ADMIN capabilities can trigger this vulnerability.
💻 Affected Systems
- Linux kernel with idpf driver
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, requiring physical or remote console access to reboot.
Likely Case
Local denial of service through kernel panic when privileged users execute specific ethtool commands after interface configuration changes.
If Mitigated
No impact if users avoid the specific ethtool commands after interface resets, or if proper access controls prevent unauthorized users from running ethtool.
🎯 Exploit Status
Exploitation requires local access and CAP_NET_ADMIN capabilities. The steps to reproduce are clearly documented in the CVE description.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions with fixes from commits ab92fa4dd81beaaed4e93a851f7a37c9b2d9776f and ebecca5b093895da801b3eba1a55b4ec4027d196
Vendor Advisory: https://git.kernel.org/stable/c/ab92fa4dd81beaaed4e93a851f7a37c9b2d9776f
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix commits. 2. Reboot system to load patched kernel. 3. Verify kernel version with 'uname -r'.
🔧 Temporary Workarounds
Avoid vulnerable ethtool commands
linuxPrevent triggering the vulnerability by avoiding ethtool -x commands after interface resets
Restrict ethtool access
linuxLimit CAP_NET_ADMIN capabilities to prevent unauthorized users from running ethtool commands
setcap -r /usr/sbin/ethtool
chmod 750 /usr/sbin/ethtool
🧯 If You Can't Patch
- Restrict ethtool command usage to trusted administrators only
- Monitor for kernel panic logs and investigate any ethtool usage patterns around interface resets
🔍 How to Verify
Check if Vulnerable:
Check if kernel version is before fixes: 'uname -r' and compare with patched versions. Check if idpf driver is loaded: 'lsmod | grep idpf'Check Version:
uname -rVerify Fix Applied:
Verify kernel version includes fix commits: check kernel changelog or vendor patch notes. Test the reproduction steps to confirm no kernel panic occurs.📡 Detection & Monitoring
Log Indicators:
- Kernel NULL pointer dereference messages
- Oops: 0000 [#1] SMP NOPTI errors
- idpf_get_rxfh+0x108/0x150 stack traces
SIEM Query:
source="kernel" AND ("NULL pointer dereference" OR "Oops: 0000" OR "idpf_get_rxfh")