{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23041", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.944Z", "datePublished": "2026-02-04T16:00:24.710Z", "dateUpdated": "2026-05-11T21:58:51.518Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:58:51.518Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix NULL pointer crash in bnxt_ptp_enable during error cleanup\n\nWhen bnxt_init_one() fails during initialization (e.g.,\nbnxt_init_int_mode returns -ENODEV), the error path calls\nbnxt_free_hwrm_resources() which destroys the DMA pool and sets\nbp->hwrm_dma_pool to NULL. Subsequently, bnxt_ptp_clear() is called,\nwhich invokes ptp_clock_unregister().\n\nSince commit a60fc3294a37 (\"ptp: rework ptp_clock_unregister() to\ndisable events\"), ptp_clock_unregister() now calls\nptp_disable_all_events(), which in turn invokes the driver's .enable()\ncallback (bnxt_ptp_enable()) to disable PTP events before completing the\nunregistration.\n\nbnxt_ptp_enable() attempts to send HWRM commands via bnxt_ptp_cfg_pin()\nand bnxt_ptp_cfg_event(), both of which call hwrm_req_init(). This\nfunction tries to allocate from bp->hwrm_dma_pool, causing a NULL\npointer dereference:\n\n bnxt_en 0000:01:00.0 (unnamed net_device) (uninitialized): bnxt_init_int_mode err: ffffffed\n KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]\n Call Trace:\n __hwrm_req_init (drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c:72)\n bnxt_ptp_enable (drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:323 drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:517)\n ptp_disable_all_events (drivers/ptp/ptp_chardev.c:66)\n ptp_clock_unregister (drivers/ptp/ptp_clock.c:518)\n bnxt_ptp_clear (drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:1134)\n bnxt_init_one (drivers/net/ethernet/broadcom/bnxt/bnxt.c:16889)\n\nLines are against commit f8f9c1f4d0c7 (\"Linux 6.19-rc3\")\n\nFix this by clearing and unregistering ptp (bnxt_ptp_clear()) before\nfreeing HWRM resources."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/broadcom/bnxt/bnxt.c"], "versions": [{"version": "a60fc3294a377204664b5484e4a487fa124155da", "lessThan": "0174d5466caefc22f03a36c43b2a3cce7e332627", "status": "affected", "versionType": "git"}, {"version": "a60fc3294a377204664b5484e4a487fa124155da", "lessThan": "3358995b1a7f9dcb52a56ec8251570d71024dad0", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/broadcom/bnxt/bnxt.c"], "versions": [{"version": "6.18", "status": "affected"}, {"version": "0", "lessThan": "6.18", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.6", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.18.6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0174d5466caefc22f03a36c43b2a3cce7e332627"}, {"url": "https://git.kernel.org/stable/c/3358995b1a7f9dcb52a56ec8251570d71024dad0"}], "title": "bnxt_en: Fix NULL pointer crash in bnxt_ptp_enable during error cleanup", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix NULL pointer crash in bnxt_ptp_enable during error cleanup\n\nWhen bnxt_init_one() fails during initialization (e.g.,\nbnxt_init_int_mode returns -ENODEV), the error path calls\nbnxt_free_hwrm_resources() which destroys the DMA pool and sets\nbp->hwrm_dma_pool to NULL. Subsequently, bnxt_ptp_clear() is called,\nwhich invokes ptp_clock_unregister().\n\nSince commit a60fc3294a37 (\"ptp: rework ptp_clock_unregister() to\ndisable events\"), ptp_clock_unregister() now calls\nptp_disable_all_events(), which in turn invokes the driver's .enable()\ncallback (bnxt_ptp_enable()) to disable PTP events before completing the\nunregistration.\n\nbnxt_ptp_enable() attempts to send HWRM commands via bnxt_ptp_cfg_pin()\nand bnxt_ptp_cfg_event(), both of which call hwrm_req_init(). This\nfunction tries to allocate from bp->hwrm_dma_pool, causing a NULL\npointer dereference:\n\n bnxt_en 0000:01:00.0 (unnamed net_device) (uninitialized): bnxt_init_int_mode err: ffffffed\n KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]\n Call Trace:\n __hwrm_req_init (drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c:72)\n bnxt_ptp_enable (drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:323 drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:517)\n ptp_disable_all_events (drivers/ptp/ptp_chardev.c:66)\n ptp_clock_unregister (drivers/ptp/ptp_clock.c:518)\n bnxt_ptp_clear (drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:1134)\n bnxt_init_one (drivers/net/ethernet/broadcom/bnxt/bnxt.c:16889)\n\nLines are against commit f8f9c1f4d0c7 (\"Linux 6.19-rc3\")\n\nFix this by clearing and unregistering ptp (bnxt_ptp_clear()) before\nfreeing HWRM resources."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nbnxt_en: Correcci\u00f3n de un fallo por puntero NULL en bnxt_ptp_enable durante la limpieza de errores\n\nCuando bnxt_init_one() falla durante la inicializaci\u00f3n (p. ej., bnxt_init_int_mode devuelve -ENODEV), la ruta de error llama a bnxt_free_hwrm_resources() que destruye el pool de DMA y establece bp->hwrm_dma_pool a NULL. Posteriormente, se llama a bnxt_ptp_clear(), que invoca a ptp_clock_unregister().\n\nDesde el commit a60fc3294a37 ('ptp: rework ptp_clock_unregister() to disable events'), ptp_clock_unregister() ahora llama a ptp_disable_all_events(), que a su vez invoca la funci\u00f3n de callback .enable() del controlador (bnxt_ptp_enable()) para deshabilitar los eventos PTP antes de completar el desregistro.\n\nbnxt_ptp_enable() intenta enviar comandos HWRM a trav\u00e9s de bnxt_ptp_cfg_pin() y bnxt_ptp_cfg_event(), ambas llaman a hwrm_req_init(). Esta funci\u00f3n intenta asignar memoria de bp->hwrm_dma_pool, causando una desreferencia de puntero NULL:\n\n bnxt_en 0000:01:00.0 (net_device sin nombre) (no inicializado): bnxt_init_int_mode err: ffffffed\n KASAN: desreferencia de puntero nulo en el rango [0x0000000000000028-0x000000000000002f]\n Traza de Llamadas:\n __hwrm_req_init (drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c:72)\n bnxt_ptp_enable (drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:323 drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:517)\n ptp_disable_all_events (drivers/ptp/ptp_chardev.c:66)\n ptp_clock_unregister (drivers/ptp/ptp_clock.c:518)\n bnxt_ptp_clear (drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:1134)\n bnxt_init_one (drivers/net/ethernet/broadcom/bnxt/bnxt.c:16889)\n\nLas l\u00edneas son contra el commit f8f9c1f4d0c7 ('Linux 6.19-rc3')\n\nSolucione esto limpiando y desregistrando ptp (bnxt_ptp_clear()) antes de liberar los recursos HWRM."}], "id": "CVE-2026-23041", "lastModified": "2026-04-15T00:35:42.020", "metrics": {}, "published": "2026-02-04T16:16:19.563", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0174d5466caefc22f03a36c43b2a3cce7e332627"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3358995b1a7f9dcb52a56ec8251570d71024dad0"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Deferred"}

{"bugzilla": {"description": "kernel: bnxt_en: Fix NULL pointer crash in bnxt_ptp_enable during error cleanup", "id": "2436794", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436794"}, "csaw": false, "details": ["No description is available for this CVE."], "name": "CVE-2026-23041", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23041\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23041\nhttps://lore.kernel.org/linux-cve-announce/2026020438-CVE-2026-23041-a426@gregkh/T"], "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-17T23:49:11.101962+00:00", "value": {"mitigation_remediation": ["Apply the upstream kernel patch that removes the error cleanup order, ensuring PTP is cleared before freeing HWRM resources, or upgrade to a kernel version that contains the fix.", "If a patch is unavailable, disable the PTP functionality in the driver by setting the appropriate sysfs or module options so that ptp_clock_unregister is not called during error cleanup.", "As a last resort, prevent the bnxt driver from loading on affected devices by blacklisting the module or removing the device from the system configuration."], "summary": {"action": "Apply Patch", "impact": "Denial of Service (Kernel Crash)"}, "threat_synthesis": {"affected_systems": "Linux kernel drivers for Broadcom NetXtreme cards (bnxt_en), affecting systems running kernel versions prior to the fix committed in 6.19\u2011rc3. The vulnerability applies to any platform that loads this driver and encounters an initialization error.\n", "description_and_impact": "During the initialization of a Broadcom NetXtreme Ethernet device, an error path frees hardware resources and sets a DMA pool pointer to NULL. The subsequent de\u2011registration of the PTP clock triggers the driver's enable callback to clear PTP events, which then attempts to allocate from the freed DMA pool. The dereference of the now\u2011NULL pointer causes a kernel crash.\n", "risk_and_exploitability": "The CVSS score is not provided, but the EPSS score is below 1\u202f% and the vulnerability is not listed in the CISA KEV catalog. A local or privileged attacker who can force the device to initialize (e.g., after attaching a new network interface) could trigger the crash. It is inferred that the attack vector requires kernel access, likely local privileged execution, and the impact is a denial of service via kernel panic. The low EPSS suggests rare exploitability under normal conditions."}}}}, "created": "2026-04-18T00:00:09.462530+00:00", "updated": "2026-04-18T00:00:09.462546+00:00", "vendors": [], "weaknesses": ["CWE-476"]}