CVE-2026-23210 in Linux
Summary
by MITRE • 02/14/2026
In the Linux kernel, the following vulnerability has been resolved:
ice: Fix PTP NULL pointer dereference during VSI rebuild
Fix race condition where PTP periodic work runs while VSI is being rebuilt, accessing NULL vsi->rx_rings.
The sequence was: 1. ice_ptp_prepare_for_reset() cancels PTP work 2. ice_ptp_rebuild() immediately queues PTP work 3. VSI rebuild happens AFTER ice_ptp_rebuild() 4. PTP work runs and accesses NULL vsi->rx_rings
Fix: Keep PTP work cancelled during rebuild, only queue it after VSI rebuild completes in ice_rebuild().
Added ice_ptp_queue_work() helper function to encapsulate the logic for queuing PTP work, ensuring it's only queued when PTP is supported and the state is ICE_PTP_READY.
Error log: [ 121.392544] ice 0000:60:00.1: PTP reset successful
[ 121.392692] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 121.392712] #PF: supervisor read access in kernel mode
[ 121.392720] #PF: error_code(0x0000) - not-present page
[ 121.392727] PGD 0
[ 121.392734] Oops: Oops: 0000 [#1] SMP NOPTI
[ 121.392746] CPU: 8 UID: 0 PID: 1005 Comm: ice-ptp-0000:60 Tainted: G S 6.19.0-rc6+ #4 PREEMPT(voluntary)
[ 121.392761] Tainted: [S]=CPU_OUT_OF_SPEC
[ 121.392773] RIP: 0010:ice_ptp_update_cached_phctime+0xbf/0x150 [ice]
[ 121.393042] Call Trace:
[ 121.393047] <TASK>
[ 121.393055] ice_ptp_periodic_work+0x69/0x180 [ice]
[ 121.393202] kthread_worker_fn+0xa2/0x260
[ 121.393216] ? __pfx_ice_ptp_periodic_work+0x10/0x10 [ice]
[ 121.393359] ? __pfx_kthread_worker_fn+0x10/0x10
[ 121.393371] kthread+0x10d/0x230
[ 121.393382] ? __pfx_kthread+0x10/0x10
[ 121.393393] ret_from_fork+0x273/0x2b0
[ 121.393407] ? __pfx_kthread+0x10/0x10
[ 121.393417] ret_from_fork_asm+0x1a/0x30
[ 121.393432] </TASK>
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 05/06/2026
This vulnerability represents a critical null pointer dereference in the Intel Ethernet Connection E810 driver for Linux kernel versions prior to the fix. The issue manifests during the process of rebuilding Virtual Switch Instances (VSIs) when Precision Time Protocol (PTP) work items attempt to access memory locations that have already been freed or are in an invalid state. The root cause lies in a race condition between the PTP subsystem and the VSI rebuilding process, specifically within the ice driver's handling of hardware resource management and time synchronization capabilities. This flaw directly impacts systems utilizing Intel E810 network adapters with PTP functionality, potentially leading to kernel panics and system instability.
The technical flaw occurs when the ice_ptp_prepare_for_reset() function cancels active PTP work items, but immediately afterward ice_ptp_rebuild() queues new PTP work without proper synchronization. The VSI rebuild process, which occurs after the PTP work is queued, results in the vsi->rx_rings pointer being set to NULL as part of the cleanup operations. However, the PTP work items that were queued during this window continue to execute and attempt to access the now-invalid vsi->rx_rings pointer, leading to a kernel NULL pointer dereference. This race condition operates at the intersection of kernel timing and resource management, where the sequence of operations creates a temporal gap that allows for invalid memory access. The vulnerability is classified as a classic race condition pattern that can be analyzed through CWE-362, which addresses race conditions in concurrent programming contexts.
The operational impact of this vulnerability extends beyond simple system crashes to encompass potential service disruption and data integrity concerns in time-sensitive applications. Systems utilizing PTP for network synchronization, such as those in industrial automation, financial trading, or telecommunications infrastructure, face the risk of sudden service interruptions when this race condition occurs. The kernel panic resulting from the NULL pointer dereference forces a system reboot, potentially disrupting time-critical operations that depend on precise timing synchronization. The vulnerability affects the reliability of network infrastructure components that rely on Intel E810 adapters, particularly in environments where continuous operation is essential. From an attack perspective, this could be exploited to cause denial of service conditions, making it a significant concern for network administrators managing critical infrastructure.
The fix implemented addresses this vulnerability by introducing proper synchronization between PTP work queueing and VSI rebuild operations. The solution involves creating a new helper function ice_ptp_queue_work() that encapsulates the logic for queuing PTP work items, ensuring they are only scheduled when the PTP subsystem is properly initialized and in the ICE_PTP_READY state. This approach prevents PTP work from being queued during the rebuild process, effectively eliminating the race condition by maintaining proper temporal ordering of operations. The fix aligns with established security best practices for kernel development and follows the principle of least privilege by ensuring that operations only proceed when all necessary prerequisites are satisfied. The implementation also reflects the ATT&CK framework's concept of privilege escalation through kernel-level vulnerabilities, as this flaw could potentially be leveraged to escalate system privileges or cause broader system instability. The mitigation strategy focuses on preventing invalid memory access patterns while maintaining the intended functionality of the PTP subsystem, ensuring that time synchronization capabilities remain available without compromising system stability.