CVE-2026-22996
📋 TL;DR
A use-after-free vulnerability in the Linux kernel's mlx5e network driver causes a kernel NULL pointer dereference when switchdev mode fails during profile changes. This leads to a kernel oops (crash) when attempting to reload the device via devlink. Systems using Mellanox network adapters with the affected driver are vulnerable.
💻 Affected Systems
- Linux kernel mlx5e driver for Mellanox network adapters
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, potentially requiring physical reboot.
Likely Case
System crash when attempting to configure network interfaces in switchdev mode, causing temporary service disruption.
If Mitigated
No impact if the vulnerable code path is not triggered through devlink operations.
🎯 Exploit Status
Requires local access and ability to execute devlink commands. Triggered by specific configuration failures.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patches available in stable kernel branches via git commits: 123eda2e5b1638e298e3a66bb1e64a8da92de5e1, a3d4f87d41f5140f1cf5c02fce5cdad2637f6244, dcb2ad755a16cb0ecd2dc98234d71a6e216ae7fe
Vendor Advisory: https://git.kernel.org/stable/c/123eda2e5b1638e298e3a66bb1e64a8da92de5e1
Restart Required: Yes
Instructions:
1. Update Linux kernel to version containing the fix. 2. For distributions: apply kernel security updates. 3. Reboot system to load patched kernel.
🔧 Temporary Workarounds
Avoid switchdev configuration
linuxPrevent triggering the vulnerability by avoiding devlink operations that change to switchdev mode.
# Do not execute: devlink dev eswitch set pci/0000:00:03.0 mode switchdev
🧯 If You Can't Patch
- Restrict devlink access to trusted administrators only
- Monitor for devlink configuration attempts and system crashes
🔍 How to Verify
Check if Vulnerable:
Check if system uses Mellanox network adapters and has devlink capability. Vulnerable if kernel version contains unpatched mlx5e driver code.Check Version:
uname -rVerify Fix Applied:
Verify kernel version is updated beyond patch commits. Test devlink operations that previously caused crashes.📡 Detection & Monitoring
Log Indicators:
- Kernel oops messages mentioning mlx5e_remove
- NULL pointer dereference at address 0000000000000520
- devlink reload failures
Network Indicators:
- Sudden network interface disappearance
- Unexpected system reboots during network configuration
SIEM Query:
search 'kernel: BUG: kernel NULL pointer dereference' AND 'mlx5e'