CVE-2026-22985 in Linux

Summary

by MITRE • 01/23/2026

In the Linux kernel, the following vulnerability has been resolved:

idpf: Fix RSS LUT NULL pointer crash on early ethtool operations

The RSS LUT is not initialized until the interface comes up, causing the following NULL pointer crash when ethtool operations like rxhash on/off are performed before the interface is brought up for the first time.

Move RSS LUT initialization from ndo_open to vport creation to ensure LUT is always available. This enables RSS configuration via ethtool before bringing the interface up. Simplify LUT management by maintaining all changes in the driver's soft copy and programming zeros to the indirection table when rxhash is disabled. Defer HW programming until the interface comes up if it is down during rxhash and LUT configuration changes.

Steps to reproduce:
** Load idpf driver; interfaces will be created
modprobe idpf
** Before bringing the interfaces up, turn rxhash off
ethtool -K eth2 rxhash off

[89408.371875] BUG: kernel NULL pointer dereference, address: 0000000000000000
[89408.371908] #PF: supervisor read access in kernel mode
[89408.371924] #PF: error_code(0x0000) - not-present page
[89408.371940] PGD 0 P4D 0
[89408.371953] Oops: Oops: 0000 [#1] SMP NOPTI
<snip>
[89408.372052] RIP: 0010:memcpy_orig+0x16/0x130
[89408.372310] Call Trace:
[89408.372317] <TASK>
[89408.372326] ? idpf_set_features+0xfc/0x180 [idpf]
[89408.372363] __netdev_update_features+0x295/0xde0
[89408.372384] ethnl_set_features+0x15e/0x460
[89408.372406] genl_family_rcv_msg_doit+0x11f/0x180
[89408.372429] genl_rcv_msg+0x1ad/0x2b0
[89408.372446] ? __pfx_ethnl_set_features+0x10/0x10
[89408.372465] ? __pfx_genl_rcv_msg+0x10/0x10
[89408.372482] netlink_rcv_skb+0x58/0x100
[89408.372502] genl_rcv+0x2c/0x50
[89408.372516] netlink_unicast+0x289/0x3e0
[89408.372533] netlink_sendmsg+0x215/0x440
[89408.372551] __sys_sendto+0x234/0x240
[89408.372571] __x64_sys_sendto+0x28/0x30
[89408.372585] x64_sys_call+0x1909/0x1da0
[89408.372604] do_syscall_64+0x7a/0xfa0
[89408.373140] ? clear_bhb_loop+0x60/0xb0
[89408.373647] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[89408.378887] </TASK>
<snip>
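As an added illustration (not the kernel's or the idpf driver's own code), this C model follows the lifecycle the fix describes: the soft copy of the LUT is created together with the vport, a rxhash change made while the interface is down only updates that soft copy, and the hardware is programmed (with zeros when rxhash is off) once the interface comes up. The vport, rss_lut, hw_lut, set_rxhash and lut_program_hw names are hypothetical.

```c
/* Added example, not kernel code: a model of the idpf RSS LUT lifecycle after
 * the fix. vport, rss_lut, hw_lut and set_rxhash are hypothetical names. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define LUT_SIZE   64
#define NUM_QUEUES 4

struct vport {
	uint32_t *rss_lut;          /* driver soft copy; NULL = never initialised */
	uint32_t hw_lut[LUT_SIZE];  /* stand-in for the HW indirection table */
	int hw_writes, up, rxhash;  /* HW (re)programming count, link state, toggle */
};

/* Fix: allocate and fill the soft copy at vport creation, not in ndo_open. */
static int vport_create(struct vport *v)
{
	memset(v, 0, sizeof *v);
	v->rss_lut = calloc(LUT_SIZE, sizeof *v->rss_lut);
	if (!v->rss_lut) return -ENOMEM;
	for (int i = 0; i < LUT_SIZE; i++) v->rss_lut[i] = i % NUM_QUEUES; /* round-robin */
	v->rxhash = 1;
	return 0;
}

/* Program HW from the soft copy; zeros go out while rxhash is disabled. */
static void lut_program_hw(struct vport *v)
{
	for (int i = 0; i < LUT_SIZE; i++) v->hw_lut[i] = v->rxhash ? v->rss_lut[i] : 0;
	v->hw_writes++;
}

/* ndo_set_features path. Pre-fix code copied into rss_lut here while it was
 * still NULL before the first open; now the soft copy always exists and HW is
 * only touched while the interface is up. The NULL check is purely defensive. */
static int set_rxhash(struct vport *v, int enable)
{
	if (!v->rss_lut) return -EINVAL;
	v->rxhash = enable;
	if (v->up) lut_program_hw(v);
	return 0;
}

/* ndo_open: the deferred HW programming happens here. */
static void vport_open(struct vport *v)
{
	v->up = 1;
	lut_program_hw(v);
}
```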


Analysis

by VulDB Data Team • 05/18/2026

The vulnerability CVE-2026-22985 resides within the Linux kernel's implementation of the idpf driver, which manages Intel Ethernet devices. This flaw manifests as a NULL pointer dereference occurring during early ethtool operations when the Receive Side Scaling (RSS) Lookup Table (LUT) has not yet been initialized. The issue arises because the RSS LUT initialization is deferred until the network interface is brought up, creating a window where operations such as disabling rxhash via ethtool can trigger a kernel crash. The root cause lies in the driver's improper handling of the LUT lifecycle, where the software copy remains uninitialized while hardware operations expect valid data structures. This misconfiguration leads to a supervisor read access violation when the kernel attempts to access a NULL memory address during the memcpy operation in the idpf_set_features function, ultimately resulting in a kernel oops and system instability.

The technical exploitation of this vulnerability follows a specific sequence that leverages the driver's state management flaw. When the idpf module is loaded, network interfaces are created but remain in a down state, with the RSS LUT not yet initialized. The ethtool command executes before interface activation, triggering a call path that eventually leads to idpf_set_features being invoked without a properly initialized LUT. The kernel's call trace shows the execution path flowing through __netdev_update_features, ethnl_set_features, and various netlink subsystem functions before reaching the problematic memcpy_orig function. This sequence demonstrates how the driver's initialization order creates a race condition between user-space ethtool commands and kernel internal state management. The vulnerability is classified under CWE-476 as a NULL pointer dereference, representing a fundamental flaw in pointer validation where the driver assumes the LUT structure is always valid without proper initialization checks.

The operational impact of CVE-2026-22985 extends beyond simple system crashes to encompass potential denial of service conditions and operational disruptions in network management environments. This vulnerability directly affects systems running the idpf driver where network configuration operations are performed before interface activation, which is common in automated deployment scenarios, network management tools, or during system initialization sequences. The crash occurs during legitimate administrative operations, meaning that routine network configuration tasks can unexpectedly bring down the entire kernel. From an attacker's perspective, this represents a denial of service vector that could be exploited to repeatedly crash network services or cause system instability, particularly in environments where automated configuration scripts attempt to set network parameters before interfaces are fully operational. The vulnerability's presence in the kernel's core network subsystem means that any process or tool performing ethtool operations on affected interfaces could trigger the crash, making it a critical stability concern for network administrators and system operators.

Mitigation for CVE-2026-22985 centres on making sure the RSS LUT is initialized before any ethtool operation can touch it. The recommended fix moves RSS LUT initialization from the ndo_open function to the vport creation phase, so the LUT is always available regardless of interface state; this aligns with ATT&CK technique T1499.004 by preventing system instability through proper resource initialization and management. The fix also simplifies LUT management by keeping all changes in the driver's software copy and deferring hardware programming until the interface is actually up, which reduces state-synchronization complexity and removes the race condition that enabled the NULL pointer dereference. Network administrators should apply kernel updates containing the patched idpf driver promptly, particularly where automated network configuration tools are used. Until then, operational procedures should avoid ethtool operations on interfaces that are not yet fully initialized; the patched driver removes that restriction. The fix also incorporates proper error handling and validation checks that prevent invalid memory access patterns, in line with best practices for kernel module development and resource management.

Responsible

Linux

Reservation

01/13/2026

Disclosure

01/23/2026

Moderation

accepted

CPE

ready

EPSS

0.00115

KEV

no

Activities

very low

Sources
