CVE-2026-23166 in Linuxinfo

Summary

by MITRE • 02/14/2026

In the Linux kernel, the following vulnerability has been resolved:

ice: Fix NULL pointer dereference in ice_vsi_set_napi_queues

Add NULL pointer checks in ice_vsi_set_napi_queues() to prevent crashes during resume from suspend when rings[q_idx]->q_vector is NULL.

Tested adaptor: 60:00.0 Ethernet controller [0200]: Intel Corporation Ethernet Controller E810-XXV for SFP [8086:159b] (rev 02)
Subsystem: Intel Corporation Ethernet Network Adapter E810-XXV-2 [8086:4003]

SR-IOV state: both disabled and enabled can reproduce this issue.

kernel version: v6.18

Reproduce steps: Boot up and execute suspend like systemctl suspend or rtcwake.

Log: <1>[ 231.443607] BUG: kernel NULL pointer dereference, address: 0000000000000040
<1>[ 231.444052] #PF: supervisor read access in kernel mode
<1>[ 231.444484] #PF: error_code(0x0000) - not-present page
<6>[ 231.444913] PGD 0 P4D 0
<4>[ 231.445342] Oops: Oops: 0000 [#1] SMP NOPTI
<4>[ 231.446635] RIP: 0010:netif_queue_set_napi+0xa/0x170
<4>[ 231.447067] Code: 31 f6 31 ff c3 cc cc cc cc 0f 1f 80 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 48 85 c9 74 0b <48> 83 79 30 00 0f 84 39 01 00 00 55 41 89 d1 49 89 f8 89 f2 48 89
<4>[ 231.447513] RSP: 0018:ffffcc780fc078c0 EFLAGS: 00010202
<4>[ 231.447961] RAX: ffff8b848ca30400 RBX: ffff8b848caf2028 RCX: 0000000000000010
<4>[ 231.448443] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8b848dbd4000
<4>[ 231.448896] RBP: ffffcc780fc078e8 R08: 0000000000000000 R09: 0000000000000000
<4>[ 231.449345] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
<4>[ 231.449817] R13: ffff8b848dbd4000 R14: ffff8b84833390c8 R15: 0000000000000000
<4>[ 231.450265] FS: 00007c7b29e9d740(0000) GS:ffff8b8c068e2000(0000) knlGS:0000000000000000
<4>[ 231.450715] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
<4>[ 231.451179] CR2: 0000000000000040 CR3: 000000030626f004 CR4: 0000000000f72ef0
<4>[ 231.451629] PKRU: 55555554
<4>[ 231.452076] Call Trace:
<4>[ 231.452549] <TASK>
<4>[ 231.452996] ? ice_vsi_set_napi_queues+0x4d/0x110 [ice]
<4>[ 231.453482] ice_resume+0xfd/0x220 [ice]
<4>[ 231.453977] ? __pfx_pci_pm_resume+0x10/0x10
<4>[ 231.454425] pci_pm_resume+0x8c/0x140
<4>[ 231.454872] ? __pfx_pci_pm_resume+0x10/0x10
<4>[ 231.455347] dpm_run_callback+0x5f/0x160
<4>[ 231.455796] ? dpm_wait_for_superior+0x107/0x170
<4>[ 231.456244] device_resume+0x177/0x270
<4>[ 231.456708] dpm_resume+0x209/0x2f0
<4>[ 231.457151] dpm_resume_end+0x15/0x30
<4>[ 231.457596] suspend_devices_and_enter+0x1da/0x2b0
<4>[ 231.458054] enter_state+0x10e/0x570

Add defensive checks for both the ring pointer and its q_vector before dereferencing, allowing the system to resume successfully even when q_vectors are unmapped.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 05/05/2026

The vulnerability identified as CVE-2026-23166 resides within the Linux kernel's Intel Ethernet Controller E810 driver, specifically in the ice_vsi_set_napi_queues function. This flaw manifests as a NULL pointer dereference during system resume operations from suspend states, particularly affecting systems utilizing the Intel Ethernet Controller E810-XXV for SFP network adapters. The issue arises when the driver attempts to access ring[q_idx]->q_vector without validating whether the q_vector pointer is NULL, leading to a kernel panic and system crash. The problem is not limited to specific configurations and affects both SR-IOV enabled and disabled environments, making it a broadly impactful vulnerability that could disrupt system availability during power management operations.

The technical root cause of this vulnerability stems from inadequate pointer validation within the driver's resume path. During suspend-resume cycles, the driver's ice_vsi_set_napi_queues function processes network rings to reconfigure NAPI (Network API) queues. However, when the system resumes, certain q_vector structures may have been unmapped or deallocated, leaving the q_vector pointer NULL. The function fails to check for this NULL condition before attempting to dereference the pointer, which results in a supervisor read access violation at address 0x0000000000000040. This type of error maps directly to CWE-476, which describes NULL Pointer Dereference, a well-known weakness that allows attackers to cause system instability or crashes through improper pointer handling.

The operational impact of this vulnerability extends beyond simple system crashes, as it can lead to complete system lockups during critical power management operations. When a system attempts to resume from suspend, users may experience unexpected reboots or kernel oops messages, disrupting network connectivity and potentially causing data loss. The vulnerability is particularly concerning in enterprise environments where automated power management and maintenance operations are common, as it could lead to unavailability of network services during routine system updates or power cycle operations. The affected kernel version v6.18 indicates that this issue has been present in recent stable releases, suggesting that systems running these kernel versions are at risk and require immediate patching to prevent potential service disruptions.

The fix for this vulnerability involves implementing defensive programming practices that check for NULL pointers before dereferencing them. The solution requires adding explicit validation checks for both the ring pointer and its associated q_vector member before any dereference operations occur. This approach aligns with the ATT&CK framework's defensive technique T1562.001, which emphasizes the importance of input validation and pointer safety in preventing system-level exploits. The patch ensures that when q_vectors are unmapped during suspend operations, the driver gracefully handles the NULL condition rather than crashing the kernel. This mitigation strategy not only resolves the immediate vulnerability but also improves the overall robustness of the driver's power management implementation, making it more resilient to edge cases in hardware state transitions. Organizations should prioritize applying this patch to all systems utilizing the affected Intel Ethernet Controller E810 drivers to maintain system stability and prevent potential denial of service conditions during suspend-resume cycles.

Responsible

Linux

Reservation

01/13/2026

Disclosure

02/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00113

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!