{"cve":{"cve_id":"CVE-2026-53289","is_kev":false,"kev_date_added":null,"kev_vendor_project":null,"kev_product":null,"kev_vulnerability_name":null,"kev_short_description":null,"kev_required_action":null,"kev_due_date":null,"kev_known_ransomware":null,"kev_notes":null,"kev_cwes":null,"epss_score":null,"epss_percentile":null,"epss_as_of":null,"description":"In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix NULL pointer dereference in ice_reset_all_vfs()\n\nice_reset_all_vfs() ignores the return value of ice_vf_rebuild_vsi().\nWhen the VSI rebuild fails (e.g. during NVM firmware update via\nnvmupdate64e), ice_vsi_rebuild() tears down the VSI on its error path,\nleaving txq_map and rxq_map as NULL. The subsequent unconditional call\nto ice_vf_post_vsi_rebuild() leads to a NULL pointer dereference in\nice_ena_vf_q_mappings() when it accesses vsi->txq_map[0].\n\nThe single-VF reset path in ice_reset_vf() already handles this\ncorrectly by checking the return value of ice_vf_reconfig_vsi() and\nskipping ice_vf_post_vsi_rebuild() on failure.\n\nApply the same pattern to ice_reset_all_vfs(): check the return value\nof ice_vf_rebuild_vsi() and skip ice_vf_post_vsi_rebuild() and\nice_eswitch_attach_vf() on failure. The VF is left safely disabled\n(ICE_VF_STATE_INIT not set, VFGEN_RSTAT not set to VFACTIVE) and can\nbe recovered via a VFLR triggered by a PCI reset of the VF\n(sysfs reset or driver rebind).\n\nNote that this patch does not prevent the VF VSI rebuild from failing\nduring NVM update — the underlying cause is firmware being in a\ntransitional state while the EMP reset is processed, which can cause\nAdmin Queue commands (ice_add_vsi, ice_cfg_vsi_lan) to fail. This\npatch only prevents the subsequent NULL pointer dereference that\ncrashes the kernel when the rebuild does fail.\n\n crash> bt\n     PID: 50795    TASK: ff34c9ee708dc680  CPU: 1    COMMAND: \"kworker/u512:5\"\n      #0 [ff72159bcfe5bb50] machine_kexec at ffffffffaa8850ee\n      #1 [ff72159bcfe5bba8] __crash_kexec at ffffffffaaa15fba\n      #2 [ff72159bcfe5bc68] crash_kexec at ffffffffaaa16540\n      #3 [ff72159bcfe5bc70] oops_end at ffffffffaa837eda\n      #4 [ff72159bcfe5bc90] page_fault_oops at ffffffffaa893997\n      #5 [ff72159bcfe5bce8] exc_page_fault at ffffffffab528595\n      #6 [ff72159bcfe5bd10] asm_exc_page_fault at ffffffffab600bb2\n         [exception RIP: ice_ena_vf_q_mappings+0x79]\n         RIP: ffffffffc0a85b29  RSP: ff72159bcfe5bdc8  RFLAGS: 00010206\n         RAX: 00000000000f0000  RBX: ff34c9efc9c00000  RCX: 0000000000000000\n         RDX: 0000000000000000  RSI: 0000000000000010  RDI: ff34c9efc9c00000\n         RBP: ff34c9efc27d4828   R8: 0000000000000093   R9: 0000000000000040\n         R10: ff34c9efc27d4828  R11: 0000000000000040  R12: 0000000000100000\n         R13: 0000000000000010  R14:   R15:\n         ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018\n      #7 [ff72159bcfe5bdf8] ice_sriov_post_vsi_rebuild at ffffffffc0a85e2e [ice]\n      #8 [ff72159bcfe5be08] ice_reset_all_vfs at ffffffffc0a920b4 [ice]\n      #9 [ff72159bcfe5be48] ice_service_task at ffffffffc0a31519 [ice]\n     #10 [ff72159bcfe5be88] process_one_work at ffffffffaa93dca4\n     #11 [ff72159bcfe5bec8] worker_thread at ffffffffaa93e9de\n     #12 [ff72159bcfe5bf18] kthread at ffffffffaa946663\n     #13 [ff72159bcfe5bf50] ret_from_fork at ffffffffaa8086b9\n\n The panic occurs attempting to dereference the NULL pointer in RDX at\n ice_sriov.c:294, which loads vsi->txq_map (offset 0x4b8 in ice_vsi).\n\n The faulting VSI is an allocated slab object but not fully initialized\n after a failed ice_vsi_rebuild():\n\n  crash> struct ice_vsi 0xff34c9efc27d4828\n    netdev = 0x0,\n    rx_rings = 0x0,\n    tx_rings = 0x0,\n    q_vectors = 0x0,\n    txq_map = 0x0,\n    rxq_map = 0x0,\n    alloc_txq = 0x10,\n    num_txq = 0x10,\n    alloc_rxq = 0x10,\n    num_rxq = 0x10,\n\n The nvmupdate64e process was performing NVM firmware update:\n\n  crash> bt 0xff34c9edd1a30000\n  PID: 49858    TASK: ff34c9edd1a30000  CPU: 1    COMMAND: \"nvmupdate64e\"\n   #0 [ff72159bcd617618] __schedule at ffffffffab5333f8\n   #4 [ff72159bcd617750] ice_sq_send_cmd at ffffffffc0a35347 [ice]\n   #5 [ff72159bcd6177a8] ice_sq_send_cmd_retry at ffffffffc0a35b47 [ice]\n   #6 [ff72159bcd617810] ice_aq_send_cmd at ffffffffc0a38018 [ice]\n   #7 [ff72159bcd617848] ice_aq_read_nvm at ffffffffc0a40254 [ice]\n   #8 \n---truncated---","published_at":"2026-06-26T19:40:49.418000Z","last_modified_at":null,"cvss_v3_score":null,"cvss_v3_vector":null,"cvss_v3_severity":null,"cvss_v4_score":null,"cvss_v4_vector":null,"cvss_v4_severity":null,"ssvc_decision":null,"ssvc_exploitation":null,"ssvc_automatable":null,"ssvc_technical_impact":null,"cwes":null,"nvd_references":["https://git.kernel.org/stable/c/acc76b97902757b63ba5136f787d107647236a19","https://git.kernel.org/stable/c/3ad2471e61e9f0c4d25046d08e3d747501c3b0dd","https://git.kernel.org/stable/c/4c2ac52eeeb672624b06c7a135301d7b8a21d52e","https://git.kernel.org/stable/c/1e9185b13ce57b86844447e092e58abb3be849b1","https://git.kernel.org/stable/c/429024f3a407e4137aee825c2a6be0aba857937d","https://git.kernel.org/stable/c/54ef02487914c24170c7e1c061e45212dc55365e"],"vuln_status":null,"trending_score":null,"is_trending":false,"has_trended":false,"trended_number_one":false,"trending_peak_score":null,"trending_peak_rank":null,"started_trending_at":null,"trended_number_one_at":null,"summary_generated":null,"summary_generated_at":null,"summary_model":null,"created_at":"2026-06-28T17:55:28.590503Z","updated_at":"2026-06-28T23:30:52.348775Z"},"effective_severity":null,"badges":[],"impact_analysis":[],"cvss_v3_decoded":{"version":null,"metrics":[]},"cvss_v4_decoded":{"version":null,"metrics":[]},"affected":[{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"12bb018c538c3b9a050f69f62fa09fa6c9160bca","version_start_inclusive":true,"version_end":"acc76b97902757b63ba5136f787d107647236a19","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:12bb018c538c3b9a050f69f62fa09fa6c9160bca:acc76b97902757b63ba5136f787d107647236a19"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"12bb018c538c3b9a050f69f62fa09fa6c9160bca","version_start_inclusive":true,"version_end":"3ad2471e61e9f0c4d25046d08e3d747501c3b0dd","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:12bb018c538c3b9a050f69f62fa09fa6c9160bca:3ad2471e61e9f0c4d25046d08e3d747501c3b0dd"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"12bb018c538c3b9a050f69f62fa09fa6c9160bca","version_start_inclusive":true,"version_end":"4c2ac52eeeb672624b06c7a135301d7b8a21d52e","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:12bb018c538c3b9a050f69f62fa09fa6c9160bca:4c2ac52eeeb672624b06c7a135301d7b8a21d52e"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"12bb018c538c3b9a050f69f62fa09fa6c9160bca","version_start_inclusive":true,"version_end":"1e9185b13ce57b86844447e092e58abb3be849b1","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:12bb018c538c3b9a050f69f62fa09fa6c9160bca:1e9185b13ce57b86844447e092e58abb3be849b1"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"12bb018c538c3b9a050f69f62fa09fa6c9160bca","version_start_inclusive":true,"version_end":"429024f3a407e4137aee825c2a6be0aba857937d","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:12bb018c538c3b9a050f69f62fa09fa6c9160bca:429024f3a407e4137aee825c2a6be0aba857937d"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"12bb018c538c3b9a050f69f62fa09fa6c9160bca","version_start_inclusive":true,"version_end":"54ef02487914c24170c7e1c061e45212dc55365e","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:12bb018c538c3b9a050f69f62fa09fa6c9160bca:54ef02487914c24170c7e1c061e45212dc55365e"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"5.8","version_start_inclusive":true,"version_end":"5.8","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:5.8:5.8"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"0","version_start_inclusive":true,"version_end":"5.8","version_end_inclusive":false,"cpe23_uri":"cve5:linux:linux:0:5.8"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"6.1.175","version_start_inclusive":true,"version_end":"6.1.*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:6.1.175:6.1.*"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"6.6.141","version_start_inclusive":true,"version_end":"6.6.*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:6.6.141:6.6.*"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"6.12.91","version_start_inclusive":true,"version_end":"6.12.*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:6.12.91:6.12.*"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"6.18.33","version_start_inclusive":true,"version_end":"6.18.*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:6.18.33:6.18.*"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"7.0.10","version_start_inclusive":true,"version_end":"7.0.*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:7.0.10:7.0.*"},{"vendor_slug":"linux","vendor_name":"Linux","product_slug":"linux","product_name":"Linux","version_start":"7.1","version_start_inclusive":true,"version_end":"*","version_end_inclusive":true,"cpe23_uri":"cve5:linux:linux:7.1:*"}],"exploit_refs":[],"news":[],"references":[{"url":"https://git.kernel.org/stable/c/acc76b97902757b63ba5136f787d107647236a19","source_type":"MISC","tags":[]},{"url":"https://git.kernel.org/stable/c/3ad2471e61e9f0c4d25046d08e3d747501c3b0dd","source_type":"MISC","tags":[]},{"url":"https://git.kernel.org/stable/c/4c2ac52eeeb672624b06c7a135301d7b8a21d52e","source_type":"MISC","tags":[]},{"url":"https://git.kernel.org/stable/c/1e9185b13ce57b86844447e092e58abb3be849b1","source_type":"MISC","tags":[]},{"url":"https://git.kernel.org/stable/c/429024f3a407e4137aee825c2a6be0aba857937d","source_type":"MISC","tags":[]},{"url":"https://git.kernel.org/stable/c/54ef02487914c24170c7e1c061e45212dc55365e","source_type":"MISC","tags":[]}],"timeline":[{"type":"published","at":"2026-06-26T19:40:49.418000Z","label":"CVE published","source":null}]}