CVE-2026-23173
📋 TL;DR
A NULL pointer dereference in the Linux kernel's mlx5e TC (Traffic Control) offload code can be triggered while a network flow is being deleted, crashing the kernel (panic) and taking the host down. It affects systems using Mellanox/NVIDIA ConnectX adapters driven by mlx5_core with hardware TC offloading enabled. Triggering it requires local access and CAP_NET_ADMIN, so ordinary unprivileged users cannot reach it; note, however, that CAP_NET_ADMIN is routinely granted to container runtimes and network-plugin components, so on many hosts it is not a strong trust boundary.
💻 Affected Systems
- Linux kernel with mlx5_core driver
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Check whether your hosts match the exposure profile: mlx5_core loaded and hw-tc-offload enabled on a ConnectX interface
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Local denial of service causing kernel panic and system crash, potentially leading to data loss or service disruption.
Likely Case
Local denial of service causing system instability or crash when network configuration changes are made.
If Mitigated
Minimal impact if proper access controls prevent unauthorized users from modifying network configurations.
🎯 Exploit Status
Requires local access and CAP_NET_ADMIN privileges. Triggered through specific TC flow deletion operations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Multiple stable kernel versions containing fixes (see references)
Fix commit (linux-stable tree): https://git.kernel.org/stable/c/2652e2f1253c53f9a3ce84cc972568b32c892734
Restart Required: Yes
Instructions:
1. Update to a patched kernel version from your distribution's repository.
2. Reboot the system to load the new kernel.
3. Verify the running kernel version (uname -r) matches the patched release.
🔧 Temporary Workarounds
Restrict CAP_NET_ADMIN capabilities
Limit which users and services can modify network configuration to reduce the attack surface. Audit which containers and service units carry CAP_NET_ADMIN, not only which human users have sudo.
# Use capabilities framework or sudoers to restrict access
# Example: Remove CAP_NET_ADMIN from non-privileged users
Disable TC offloading if not required
Disable the Traffic Control offload feature on Mellanox adapters. Flows then fall back to software processing, which costs throughput, and an ethtool -K change does not survive a reboot; add it to your network configuration (e.g. a NetworkManager or systemd-networkd pre-up hook) if you need it to persist.
# Check current offload settings
ethtool -k <interface> | grep hw-tc-offload
# Disable TC offload
ethtool -K <interface> hw-tc-offload off
🧯 If You Can't Patch
- Implement strict access controls to prevent unauthorized users from running tc commands
- Monitor system logs for kernel panic events and unauthorized network configuration changes
🔍 How to Verify
Check if Vulnerable:
Check the kernel version, whether the mlx5_core module is loaded, and whether hardware TC offloading is enabled on the adapter:
uname -r
lsmod | grep mlx5
ethtool -k <interface> | grep hw-tc-offload
Check Version:
uname -r
Verify Fix Applied:
Confirm the running kernel version (uname -r) is one your distribution lists as containing the fix commit above. Do not reproduce the crash on production hosts; if you need a functional check, exercise TC flow add/delete on a test system only.
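The checks from the workaround section (hw-tc-offload state) and the verification section (mlx5_core loaded) combined into one script that reports an exposure verdict. This is an added example, not part of the original advisory or of the kernel project; it assumes Linux's /proc/modules and /sys/class/net layout and the `ethtool -k` output format, and the interface name and module/feature excerpts embedded in it are constructed samples used to exercise the parsers offline.

```python
#!/usr/bin/env python3
"""Exposure check for CVE-2026-23173: is mlx5_core loaded, and is hw-tc-offload
enabled on any interface it drives? Added example, not part of the advisory.
Parsing is split from command execution so the logic can be exercised on the
constructed samples below without Mellanox hardware."""
import re
import subprocess
from pathlib import Path
from typing import Dict, List, Optional

# Constructed /proc/modules excerpt (fields: name size refcount deps state addr).
SAMPLE_PROC_MODULES = """\
mlx5_core 2097152 1 mlx5_ib, Live 0xffffffffc0a00000
mlxfw 32768 1 mlx5_core, Live 0xffffffffc09f0000
e1000e 270336 0 - Live 0xffffffffc0900000
"""

# Constructed excerpt of `ethtool -k <iface>` output; the interface name is hypothetical.
SAMPLE_ETHTOOL_K = """\
Features for enp65s0f0np0:
rx-checksumming: on
tx-checksumming: on
hw-tc-offload: on
rx-vlan-filter: on [fixed]
"""


def mlx5_loaded(proc_modules_text: str) -> bool:
    """True if mlx5_core is listed as a loaded module in /proc/modules text."""
    return any(line.split(" ", 1)[0] == "mlx5_core"
               for line in proc_modules_text.splitlines() if line.strip())


def hw_tc_offload_state(ethtool_k_text: str) -> Optional[str]:
    """Return 'on' or 'off' from `ethtool -k` output, or None when the feature
    line is absent (older ethtool, or a driver that does not expose it)."""
    m = re.search(r"^hw-tc-offload:\s*(on|off)", ethtool_k_text, re.MULTILINE)
    return m.group(1) if m else None


def mlx5_interfaces(sys_class_net: Path = Path("/sys/class/net")) -> List[str]:
    """Interfaces whose device/driver symlink resolves to mlx5_core."""
    if not sys_class_net.is_dir():
        return []
    found = []
    for iface in sorted(sys_class_net.iterdir()):
        driver = iface / "device" / "driver"
        if driver.is_symlink() and driver.resolve().name == "mlx5_core":
            found.append(iface.name)
    return found


def assess(loaded: bool, offload_by_iface: Dict[str, Optional[str]]) -> str:
    """Combine the two facts into a verdict. 'mitigated' means the advisory's
    workaround (offload off) is in place, not that the kernel is patched; only a
    fixed kernel removes the bug."""
    if not loaded:
        return "not-exposed: mlx5_core not loaded"
    enabled = sorted(i for i, s in offload_by_iface.items() if s == "on")
    if enabled:
        return "exposed: hw-tc-offload on " + ", ".join(enabled)
    return "mitigated: mlx5_core loaded but hw-tc-offload off on all mlx5 interfaces"


def main() -> None:
    loaded = mlx5_loaded(Path("/proc/modules").read_text())
    states: Dict[str, Optional[str]] = {}
    for iface in mlx5_interfaces():
        out = subprocess.run(["ethtool", "-k", iface], capture_output=True, text=True)
        states[iface] = hw_tc_offload_state(out.stdout) if out.returncode == 0 else None
    print(assess(loaded, states))


if __name__ == "__main__":
    main()
```

Run it as root (ethtool -k needs no privilege, but reading every interface's driver link is simplest that way). A "mitigated" verdict only confirms the workaround; pair it with the kernel version check above before closing the finding.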
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages in /var/log/kern.log, dmesg, or journalctl -k
- NULL pointer dereference errors mentioning mlx5e_tc_del_fdb_peers_flow
- System crash/reboot events
Network Indicators:
- Unexpected network configuration changes
- TC flow deletion operations from unauthorized users
SIEM Query:
source="kernel" AND ("NULL pointer dereference" OR "mlx5e_tc_del_fdb_peers_flow" OR "Oops:")
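The log indicators and the SIEM query above, applied to raw kernel log text so that each oops is reported as one event with its process and call trace rather than as scattered matching lines. This is an added example, not part of the original advisory; the dmesg lines it contains are constructed to resemble an x86 oops in the mlx5e TC flow-deletion path, and the symbol offsets, trace IDs and the second, unrelated oops are illustrative, not a captured trace.

```python
#!/usr/bin/env python3
"""Pick out kernel oopses from dmesg/journal text and flag those whose RIP or
call trace includes mlx5e_tc_del_fdb_peers_flow (CVE-2026-23173).
Added example, not part of the advisory; the sample below is constructed."""
import re
import sys
from typing import Dict, List

# Constructed dmesg-style sample: one oops in the mlx5e TC path (process 'tc'),
# then an unrelated oops. Symbol offsets and trace IDs are illustrative only.
SAMPLE_DMESG = """\
[  100.000001] mlx5_core 0000:41:00.0 enp65s0f0np0: Link up
[ 1234.567890] BUG: kernel NULL pointer dereference, address: 0000000000000010
[ 1234.567900] #PF: supervisor read access in kernel mode
[ 1234.567905] Oops: 0000 [#1] SMP NOPTI
[ 1234.567910] CPU: 3 PID: 4242 Comm: tc Not tainted 6.x.y #1
[ 1234.567915] RIP: 0010:mlx5e_tc_del_fdb_peers_flow+0x2a/0x140 [mlx5_core]
[ 1234.567920] Call Trace:
[ 1234.567925]  <TASK>
[ 1234.567930]  mlx5e_tc_del_flow+0x1b/0x60 [mlx5_core]
[ 1234.567935]  mlx5e_delete_flower+0x8c/0x1a0 [mlx5_core]
[ 1234.567940]  tc_setup_cb_destroy+0x6f/0x100
[ 1234.567945]  </TASK>
[ 1234.567950] ---[ end trace 0000000000000000 ]---
[ 2000.000001] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 2000.000010] Oops: 0000 [#2] SMP NOPTI
[ 2000.000020] CPU: 0 PID: 77 Comm: kworker/0:1 Not tainted 6.x.y #1
[ 2000.000030] RIP: 0010:other_driver_fn+0x10/0x20 [other_mod]
[ 2000.000040] Call Trace:
[ 2000.000050]  worker_thread+0x50/0x3b0
[ 2000.000060] ---[ end trace 0000000000000001 ]---
"""

TARGET = "mlx5e_tc_del_fdb_peers_flow"
TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg timestamp prefix
OOPS_START_RE = re.compile(r"BUG: kernel NULL pointer dereference|Oops: [0-9a-f]{4} ")
OOPS_END_RE = re.compile(r"---\[ end trace")
TASK_RE = re.compile(r"PID: (\d+) Comm: (\S+)")
# A symbol with offset, either on the RIP line or as an indented trace frame.
FRAME_RE = re.compile(r"(?:RIP: [0-9a-f]+:|^\s*)([A-Za-z_]\w*)\+0x[0-9a-f]+/0x[0-9a-f]+")


def parse_oops_events(lines: List[str]) -> List[Dict]:
    """Group log lines into oops events. Each event records the triggering
    PID/comm, the symbols seen, and whether the CVE's function is among them."""
    events: List[Dict] = []
    cur = None
    for raw in lines:
        line = TS_RE.sub("", raw.rstrip("\n"))
        if cur is None:
            if OOPS_START_RE.search(line):
                cur = {"first_line": line, "pid": None, "comm": None, "frames": []}
            continue
        m = TASK_RE.search(line)
        if m:
            cur["pid"], cur["comm"] = int(m.group(1)), m.group(2)
        fm = FRAME_RE.search(line)
        if fm:
            cur["frames"].append(fm.group(1))
        if OOPS_END_RE.search(line):
            cur["mlx5e_tc"] = TARGET in cur["frames"]
            events.append(cur)
            cur = None
    if cur is not None:
        # The host died before the trace finished: still report what we have.
        cur["mlx5e_tc"] = TARGET in cur["frames"]
        events.append(cur)
    return events


def mlx5e_tc_events(lines: List[str]) -> List[Dict]:
    """Only the oopses attributable to the mlx5e TC flow-deletion path."""
    return [e for e in parse_oops_events(lines) if e["mlx5e_tc"]]


if __name__ == "__main__":
    # Usage: dmesg | python3 this.py   or   journalctl -k --no-pager | python3 this.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DMESG
    for ev in parse_oops_events(text.splitlines()):
        tag = "MLX5E-TC" if ev["mlx5e_tc"] else "other"
        print(f"[{tag}] pid={ev['pid']} comm={ev['comm']} frames={ev['frames']}")
```

The Comm field is the useful pivot for the "unauthorized network configuration changes" indicator: a crash attributed to tc (or to a container's network agent) tells you which process issued the flow deletion, which a bare string match on the function name does not. On a host that actually panicked, the trace usually only survives via a serial console, pstore, or a remote syslog target, so feed those sources rather than the local journal.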