{"api_version":"1","generated_at":"2026-04-17T00:19:52+00:00","cve":"CVE-2026-22981","urls":{"html":"https://cve.report/CVE-2026-22981","api":"https://cve.report/api/cve/CVE-2026-22981.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-22981","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-22981"},"summary":{"title":"idpf: detach and close netdevs while handling a reset","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: detach and close netdevs while handling a reset\n\nProtect the reset path from callbacks by setting the netdevs to detached\nstate and close any netdevs in UP state until the reset handling has\ncompleted. During a reset, the driver will de-allocate resources for the\nvport, and there is no guarantee that those will recover, which is why the\nexisting vport_ctrl_lock does not provide sufficient protection.\n\nidpf_detach_and_close() is called right before reset handling. If the\nreset handling succeeds, the netdevs state is recovered via call to\nidpf_attach_and_open(). If the reset handling fails the netdevs remain\ndown. The detach/down calls are protected with RTNL lock to avoid racing\nwith callbacks. On the recovery side the attach can be done without\nholding the RTNL lock as there are no callbacks expected at that point,\ndue to detach/close always being done first in that flow.\n\nThe previous logic restoring the netdevs state based on the\nIDPF_VPORT_UP_REQUESTED flag in the init task is not needed anymore, hence\nthe removal of idpf_set_vport_state(). The IDPF_VPORT_UP_REQUESTED is\nstill being used to restore the state of the netdevs following the reset,\nbut has no use outside of the reset handling flow.\n\nidpf_init_hard_reset() is converted to void, since it was used as such and\nthere is no error handling being done based on its return value.\n\nBefore this change, invoking hard and soft resets simultaneously will\ncause the driver to lose the vport state:\nip -br a\n<inf>\tUP\necho 1 > /sys/class/net/ens801f0/device/reset& \\\nethtool -L ens801f0 combined 8\nip -br a\n<inf>\tDOWN\nip link set <inf> up\nip -br a\n<inf>\tDOWN\n\nAlso in case of a failure in the reset path, the netdev is left\nexposed to external callbacks, while vport resources are not\ninitialized, leading to a crash on subsequent ifup/down:\n[408471.398966] idpf 0000:83:00.0: HW reset detected\n[408471.411744] idpf 0000:83:00.0: Device HW Reset initiated\n[408472.277901] idpf 0000:83:00.0: The driver was unable to contact the device's firmware. Check that the FW is running. Driver state= 0x2\n[408508.125551] BUG: kernel NULL pointer dereference, address: 0000000000000078\n[408508.126112] #PF: supervisor read access in kernel mode\n[408508.126687] #PF: error_code(0x0000) - not-present page\n[408508.127256] PGD 2aae2f067 P4D 0\n[408508.127824] Oops: Oops: 0000 [#1] SMP NOPTI\n...\n[408508.130871] RIP: 0010:idpf_stop+0x39/0x70 [idpf]\n...\n[408508.139193] Call Trace:\n[408508.139637]  <TASK>\n[408508.140077]  __dev_close_many+0xbb/0x260\n[408508.140533]  __dev_change_flags+0x1cf/0x280\n[408508.140987]  netif_change_flags+0x26/0x70\n[408508.141434]  dev_change_flags+0x3d/0xb0\n[408508.141878]  devinet_ioctl+0x460/0x890\n[408508.142321]  inet_ioctl+0x18e/0x1d0\n[408508.142762]  ? _copy_to_user+0x22/0x70\n[408508.143207]  sock_do_ioctl+0x3d/0xe0\n[408508.143652]  sock_ioctl+0x10e/0x330\n[408508.144091]  ? find_held_lock+0x2b/0x80\n[408508.144537]  __x64_sys_ioctl+0x96/0xe0\n[408508.144979]  do_syscall_64+0x79/0x3d0\n[408508.145415]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[408508.145860] RIP: 0033:0x7f3e0bb4caff","state":"PUBLISHED","assigner":"Linux","published_at":"2026-01-23 16:15:54","updated_at":"2026-04-02 12:16:18"},"problem_types":["CWE-476"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"5.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}}],"references":[{"url":"https://git.kernel.org/stable/c/ac122f5fb050903b3d262001562c452be95eaf70","name":"https://git.kernel.org/stable/c/ac122f5fb050903b3d262001562c452be95eaf70","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/2e281e1155fc476c571c0bd2ffbfe28ab829a5c3","name":"https://git.kernel.org/stable/c/2e281e1155fc476c571c0bd2ffbfe28ab829a5c3","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/9ad3d0836d8bc1a0f0b4bf56efc56312a9e64b97","name":"https://git.kernel.org/stable/c/9ad3d0836d8bc1a0f0b4bf56efc56312a9e64b97","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-22981","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22981","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 0fe45467a1041ea3657a7fa3a791c84c104fbd34 9ad3d0836d8bc1a0f0b4bf56efc56312a9e64b97 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 0fe45467a1041ea3657a7fa3a791c84c104fbd34 ac122f5fb050903b3d262001562c452be95eaf70 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 0fe45467a1041ea3657a7fa3a791c84c104fbd34 2e281e1155fc476c571c0bd2ffbfe28ab829a5c3 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.7","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.7 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.80 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.6 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"22981","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"22981","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"6.19","cpe7":"rc1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"22981","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"6.19","cpe7":"rc2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"22981","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"6.19","cpe7":"rc3","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"22981","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"6.19","cpe7":"rc4","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"22981","cve":"CVE-2026-22981","epss":"0.000170000","percentile":"0.042700000","score_date":"2026-04-07","updated_at":"2026-04-08 00:03:40"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/net/ethernet/intel/idpf/idpf_lib.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"9ad3d0836d8bc1a0f0b4bf56efc56312a9e64b97","status":"affected","version":"0fe45467a1041ea3657a7fa3a791c84c104fbd34","versionType":"git"},{"lessThan":"ac122f5fb050903b3d262001562c452be95eaf70","status":"affected","version":"0fe45467a1041ea3657a7fa3a791c84c104fbd34","versionType":"git"},{"lessThan":"2e281e1155fc476c571c0bd2ffbfe28ab829a5c3","status":"affected","version":"0fe45467a1041ea3657a7fa3a791c84c104fbd34","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/net/ethernet/intel/idpf/idpf_lib.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.7"},{"lessThan":"6.7","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.80","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.6","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"6.19","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.80","versionStartIncluding":"6.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.6","versionStartIncluding":"6.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19","versionStartIncluding":"6.7","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: detach and close netdevs while handling a reset\n\nProtect the reset path from callbacks by setting the netdevs to detached\nstate and close any netdevs in UP state until the reset handling has\ncompleted. During a reset, the driver will de-allocate resources for the\nvport, and there is no guarantee that those will recover, which is why the\nexisting vport_ctrl_lock does not provide sufficient protection.\n\nidpf_detach_and_close() is called right before reset handling. If the\nreset handling succeeds, the netdevs state is recovered via call to\nidpf_attach_and_open(). If the reset handling fails the netdevs remain\ndown. The detach/down calls are protected with RTNL lock to avoid racing\nwith callbacks. On the recovery side the attach can be done without\nholding the RTNL lock as there are no callbacks expected at that point,\ndue to detach/close always being done first in that flow.\n\nThe previous logic restoring the netdevs state based on the\nIDPF_VPORT_UP_REQUESTED flag in the init task is not needed anymore, hence\nthe removal of idpf_set_vport_state(). The IDPF_VPORT_UP_REQUESTED is\nstill being used to restore the state of the netdevs following the reset,\nbut has no use outside of the reset handling flow.\n\nidpf_init_hard_reset() is converted to void, since it was used as such and\nthere is no error handling being done based on its return value.\n\nBefore this change, invoking hard and soft resets simultaneously will\ncause the driver to lose the vport state:\nip -br a\n<inf>\tUP\necho 1 > /sys/class/net/ens801f0/device/reset& \\\nethtool -L ens801f0 combined 8\nip -br a\n<inf>\tDOWN\nip link set <inf> up\nip -br a\n<inf>\tDOWN\n\nAlso in case of a failure in the reset path, the netdev is left\nexposed to external callbacks, while vport resources are not\ninitialized, leading to a crash on subsequent ifup/down:\n[408471.398966] idpf 0000:83:00.0: HW reset detected\n[408471.411744] idpf 0000:83:00.0: Device HW Reset initiated\n[408472.277901] idpf 0000:83:00.0: The driver was unable to contact the device's firmware. Check that the FW is running. Driver state= 0x2\n[408508.125551] BUG: kernel NULL pointer dereference, address: 0000000000000078\n[408508.126112] #PF: supervisor read access in kernel mode\n[408508.126687] #PF: error_code(0x0000) - not-present page\n[408508.127256] PGD 2aae2f067 P4D 0\n[408508.127824] Oops: Oops: 0000 [#1] SMP NOPTI\n...\n[408508.130871] RIP: 0010:idpf_stop+0x39/0x70 [idpf]\n...\n[408508.139193] Call Trace:\n[408508.139637]  <TASK>\n[408508.140077]  __dev_close_many+0xbb/0x260\n[408508.140533]  __dev_change_flags+0x1cf/0x280\n[408508.140987]  netif_change_flags+0x26/0x70\n[408508.141434]  dev_change_flags+0x3d/0xb0\n[408508.141878]  devinet_ioctl+0x460/0x890\n[408508.142321]  inet_ioctl+0x18e/0x1d0\n[408508.142762]  ? _copy_to_user+0x22/0x70\n[408508.143207]  sock_do_ioctl+0x3d/0xe0\n[408508.143652]  sock_ioctl+0x10e/0x330\n[408508.144091]  ? find_held_lock+0x2b/0x80\n[408508.144537]  __x64_sys_ioctl+0x96/0xe0\n[408508.144979]  do_syscall_64+0x79/0x3d0\n[408508.145415]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[408508.145860] RIP: 0033:0x7f3e0bb4caff"}],"providerMetadata":{"dateUpdated":"2026-04-02T11:30:47.183Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/9ad3d0836d8bc1a0f0b4bf56efc56312a9e64b97"},{"url":"https://git.kernel.org/stable/c/ac122f5fb050903b3d262001562c452be95eaf70"},{"url":"https://git.kernel.org/stable/c/2e281e1155fc476c571c0bd2ffbfe28ab829a5c3"}],"title":"idpf: detach and close netdevs while handling a reset","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-22981","datePublished":"2026-01-23T15:24:03.772Z","dateReserved":"2026-01-13T15:37:45.936Z","dateUpdated":"2026-04-02T11:30:47.183Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-01-23 16:15:54","lastModifiedDate":"2026-04-02 12:16:18","problem_types":["CWE-476"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.18.6","matchCriteriaId":"C006C634-C236-4B4B-B7FA-AF44C3098505"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*","matchCriteriaId":"17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*","matchCriteriaId":"C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*","matchCriteriaId":"F71D92C0-C023-48BD-B3B6-70B638EEE298"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*","matchCriteriaId":"13580667-0A98-40CC-B29F-D12790B91BDB"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"22981","Ordinal":"1","Title":"idpf: detach and close netdevs while handling a reset","CVE":"CVE-2026-22981","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"22981","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: detach and close netdevs while handling a reset\n\nProtect the reset path from callbacks by setting the netdevs to detached\nstate and close any netdevs in UP state until the reset handling has\ncompleted. During a reset, the driver will de-allocate resources for the\nvport, and there is no guarantee that those will recover, which is why the\nexisting vport_ctrl_lock does not provide sufficient protection.\n\nidpf_detach_and_close() is called right before reset handling. If the\nreset handling succeeds, the netdevs state is recovered via call to\nidpf_attach_and_open(). If the reset handling fails the netdevs remain\ndown. The detach/down calls are protected with RTNL lock to avoid racing\nwith callbacks. On the recovery side the attach can be done without\nholding the RTNL lock as there are no callbacks expected at that point,\ndue to detach/close always being done first in that flow.\n\nThe previous logic restoring the netdevs state based on the\nIDPF_VPORT_UP_REQUESTED flag in the init task is not needed anymore, hence\nthe removal of idpf_set_vport_state(). The IDPF_VPORT_UP_REQUESTED is\nstill being used to restore the state of the netdevs following the reset,\nbut has no use outside of the reset handling flow.\n\nidpf_init_hard_reset() is converted to void, since it was used as such and\nthere is no error handling being done based on its return value.\n\nBefore this change, invoking hard and soft resets simultaneously will\ncause the driver to lose the vport state:\nip -br a\n<inf>\tUP\necho 1 > /sys/class/net/ens801f0/device/reset& \\\nethtool -L ens801f0 combined 8\nip -br a\n<inf>\tDOWN\nip link set <inf> up\nip -br a\n<inf>\tDOWN\n\nAlso in case of a failure in the reset path, the netdev is left\nexposed to external callbacks, while vport resources are not\ninitialized, leading to a crash on subsequent ifup/down:\n[408471.398966] idpf 0000:83:00.0: HW reset detected\n[408471.411744] idpf 0000:83:00.0: Device HW Reset initiated\n[408472.277901] idpf 0000:83:00.0: The driver was unable to contact the device's firmware. Check that the FW is running. Driver state= 0x2\n[408508.125551] BUG: kernel NULL pointer dereference, address: 0000000000000078\n[408508.126112] #PF: supervisor read access in kernel mode\n[408508.126687] #PF: error_code(0x0000) - not-present page\n[408508.127256] PGD 2aae2f067 P4D 0\n[408508.127824] Oops: Oops: 0000 [#1] SMP NOPTI\n...\n[408508.130871] RIP: 0010:idpf_stop+0x39/0x70 [idpf]\n...\n[408508.139193] Call Trace:\n[408508.139637]  <TASK>\n[408508.140077]  __dev_close_many+0xbb/0x260\n[408508.140533]  __dev_change_flags+0x1cf/0x280\n[408508.140987]  netif_change_flags+0x26/0x70\n[408508.141434]  dev_change_flags+0x3d/0xb0\n[408508.141878]  devinet_ioctl+0x460/0x890\n[408508.142321]  inet_ioctl+0x18e/0x1d0\n[408508.142762]  ? _copy_to_user+0x22/0x70\n[408508.143207]  sock_do_ioctl+0x3d/0xe0\n[408508.143652]  sock_ioctl+0x10e/0x330\n[408508.144091]  ? find_held_lock+0x2b/0x80\n[408508.144537]  __x64_sys_ioctl+0x96/0xe0\n[408508.144979]  do_syscall_64+0x79/0x3d0\n[408508.145415]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[408508.145860] RIP: 0033:0x7f3e0bb4caff","Type":"Description","Title":"idpf: detach and close netdevs while handling a reset"}]}}}