{"api_version":"1","generated_at":"2026-04-17T00:19:16+00:00","cve":"CVE-2026-22993","urls":{"html":"https://cve.report/CVE-2026-22993","api":"https://cve.report/api/cve/CVE-2026-22993.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-22993","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-22993"},"summary":{"title":"idpf: Fix RSS LUT NULL ptr issue after soft reset","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: Fix RSS LUT NULL ptr issue after soft reset\n\nDuring soft reset, the RSS LUT is freed and not restored unless the\ninterface is up. If an ethtool command that accesses the rss lut is\nattempted immediately after reset, it will result in NULL ptr\ndereference. Also, there is no need to reset the rss lut if the soft reset\ndoes not involve queue count change.\n\nAfter soft reset, set the RSS LUT to default values based on the updated\nqueue count only if the reset was a result of a queue count change and\nthe LUT was not configured by the user. In all other cases, don't touch\nthe LUT.\n\nSteps to reproduce:\n\n** Bring the interface down (if up)\nifconfig eth1 down\n\n** update the queue count (eg., 27->20)\nethtool -L eth1 combined 20\n\n** display the RSS LUT\nethtool -x eth1\n\n[82375.558338] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[82375.558373] #PF: supervisor read access in kernel mode\n[82375.558391] #PF: error_code(0x0000) - not-present page\n[82375.558408] PGD 0 P4D 0\n[82375.558421] Oops: Oops: 0000 [#1] SMP NOPTI\n<snip>\n[82375.558516] RIP: 0010:idpf_get_rxfh+0x108/0x150 [idpf]\n[82375.558786] Call Trace:\n[82375.558793]  <TASK>\n[82375.558804]  rss_prepare.isra.0+0x187/0x2a0\n[82375.558827]  rss_prepare_data+0x3a/0x50\n[82375.558845]  ethnl_default_doit+0x13d/0x3e0\n[82375.558863]  genl_family_rcv_msg_doit+0x11f/0x180\n[82375.558886]  genl_rcv_msg+0x1ad/0x2b0\n[82375.558902]  ? __pfx_ethnl_default_doit+0x10/0x10\n[82375.558920]  ? __pfx_genl_rcv_msg+0x10/0x10\n[82375.558937]  netlink_rcv_skb+0x58/0x100\n[82375.558957]  genl_rcv+0x2c/0x50\n[82375.558971]  netlink_unicast+0x289/0x3e0\n[82375.558988]  netlink_sendmsg+0x215/0x440\n[82375.559005]  __sys_sendto+0x234/0x240\n[82375.559555]  __x64_sys_sendto+0x28/0x30\n[82375.560068]  x64_sys_call+0x1909/0x1da0\n[82375.560576]  do_syscall_64+0x7a/0xfa0\n[82375.561076]  ? clear_bhb_loop+0x60/0xb0\n[82375.561567]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n<snip>","state":"PUBLISHED","assigner":"Linux","published_at":"2026-01-23 16:15:55","updated_at":"2026-04-02 12:16:19"},"problem_types":["CWE-476"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"5.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}}],"references":[{"url":"https://git.kernel.org/stable/c/a09380354d2f14759b9dd45de1bc2f6bf49e651b","name":"https://git.kernel.org/stable/c/a09380354d2f14759b9dd45de1bc2f6bf49e651b","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/ab92fa4dd81beaaed4e93a851f7a37c9b2d9776f","name":"https://git.kernel.org/stable/c/ab92fa4dd81beaaed4e93a851f7a37c9b2d9776f","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/ebecca5b093895da801b3eba1a55b4ec4027d196","name":"https://git.kernel.org/stable/c/ebecca5b093895da801b3eba1a55b4ec4027d196","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-22993","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22993","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 02cbfba1add5bd9088c7d14c6b93b77a6ea8f3bb a09380354d2f14759b9dd45de1bc2f6bf49e651b git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 02cbfba1add5bd9088c7d14c6b93b77a6ea8f3bb ab92fa4dd81beaaed4e93a851f7a37c9b2d9776f git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 02cbfba1add5bd9088c7d14c6b93b77a6ea8f3bb ebecca5b093895da801b3eba1a55b4ec4027d196 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.7","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.7 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.80 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.6 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"22993","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"22993","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"6.19","cpe7":"rc1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"22993","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"6.19","cpe7":"rc2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"22993","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"6.19","cpe7":"rc3","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"22993","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"6.19","cpe7":"rc4","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"22993","cve":"CVE-2026-22993","epss":"0.000170000","percentile":"0.042700000","score_date":"2026-04-07","updated_at":"2026-04-08 00:03:40"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/net/ethernet/intel/idpf/idpf_lib.c","drivers/net/ethernet/intel/idpf/idpf_txrx.c","drivers/net/ethernet/intel/idpf/idpf_txrx.h"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"a09380354d2f14759b9dd45de1bc2f6bf49e651b","status":"affected","version":"02cbfba1add5bd9088c7d14c6b93b77a6ea8f3bb","versionType":"git"},{"lessThan":"ab92fa4dd81beaaed4e93a851f7a37c9b2d9776f","status":"affected","version":"02cbfba1add5bd9088c7d14c6b93b77a6ea8f3bb","versionType":"git"},{"lessThan":"ebecca5b093895da801b3eba1a55b4ec4027d196","status":"affected","version":"02cbfba1add5bd9088c7d14c6b93b77a6ea8f3bb","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/net/ethernet/intel/idpf/idpf_lib.c","drivers/net/ethernet/intel/idpf/idpf_txrx.c","drivers/net/ethernet/intel/idpf/idpf_txrx.h"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.7"},{"lessThan":"6.7","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.80","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.6","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"6.19","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.80","versionStartIncluding":"6.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.6","versionStartIncluding":"6.7","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19","versionStartIncluding":"6.7","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: Fix RSS LUT NULL ptr issue after soft reset\n\nDuring soft reset, the RSS LUT is freed and not restored unless the\ninterface is up. If an ethtool command that accesses the rss lut is\nattempted immediately after reset, it will result in NULL ptr\ndereference. Also, there is no need to reset the rss lut if the soft reset\ndoes not involve queue count change.\n\nAfter soft reset, set the RSS LUT to default values based on the updated\nqueue count only if the reset was a result of a queue count change and\nthe LUT was not configured by the user. In all other cases, don't touch\nthe LUT.\n\nSteps to reproduce:\n\n** Bring the interface down (if up)\nifconfig eth1 down\n\n** update the queue count (eg., 27->20)\nethtool -L eth1 combined 20\n\n** display the RSS LUT\nethtool -x eth1\n\n[82375.558338] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[82375.558373] #PF: supervisor read access in kernel mode\n[82375.558391] #PF: error_code(0x0000) - not-present page\n[82375.558408] PGD 0 P4D 0\n[82375.558421] Oops: Oops: 0000 [#1] SMP NOPTI\n<snip>\n[82375.558516] RIP: 0010:idpf_get_rxfh+0x108/0x150 [idpf]\n[82375.558786] Call Trace:\n[82375.558793]  <TASK>\n[82375.558804]  rss_prepare.isra.0+0x187/0x2a0\n[82375.558827]  rss_prepare_data+0x3a/0x50\n[82375.558845]  ethnl_default_doit+0x13d/0x3e0\n[82375.558863]  genl_family_rcv_msg_doit+0x11f/0x180\n[82375.558886]  genl_rcv_msg+0x1ad/0x2b0\n[82375.558902]  ? __pfx_ethnl_default_doit+0x10/0x10\n[82375.558920]  ? __pfx_genl_rcv_msg+0x10/0x10\n[82375.558937]  netlink_rcv_skb+0x58/0x100\n[82375.558957]  genl_rcv+0x2c/0x50\n[82375.558971]  netlink_unicast+0x289/0x3e0\n[82375.558988]  netlink_sendmsg+0x215/0x440\n[82375.559005]  __sys_sendto+0x234/0x240\n[82375.559555]  __x64_sys_sendto+0x28/0x30\n[82375.560068]  x64_sys_call+0x1909/0x1da0\n[82375.560576]  do_syscall_64+0x7a/0xfa0\n[82375.561076]  ? clear_bhb_loop+0x60/0xb0\n[82375.561567]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n<snip>"}],"providerMetadata":{"dateUpdated":"2026-04-02T11:30:50.312Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/a09380354d2f14759b9dd45de1bc2f6bf49e651b"},{"url":"https://git.kernel.org/stable/c/ab92fa4dd81beaaed4e93a851f7a37c9b2d9776f"},{"url":"https://git.kernel.org/stable/c/ebecca5b093895da801b3eba1a55b4ec4027d196"}],"title":"idpf: Fix RSS LUT NULL ptr issue after soft reset","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-22993","datePublished":"2026-01-23T15:24:13.790Z","dateReserved":"2026-01-13T15:37:45.937Z","dateUpdated":"2026-04-02T11:30:50.312Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-01-23 16:15:55","lastModifiedDate":"2026-04-02 12:16:19","problem_types":["CWE-476"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.18.6","matchCriteriaId":"C006C634-C236-4B4B-B7FA-AF44C3098505"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*","matchCriteriaId":"17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*","matchCriteriaId":"C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*","matchCriteriaId":"F71D92C0-C023-48BD-B3B6-70B638EEE298"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*","matchCriteriaId":"13580667-0A98-40CC-B29F-D12790B91BDB"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"22993","Ordinal":"1","Title":"idpf: Fix RSS LUT NULL ptr issue after soft reset","CVE":"CVE-2026-22993","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"22993","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: Fix RSS LUT NULL ptr issue after soft reset\n\nDuring soft reset, the RSS LUT is freed and not restored unless the\ninterface is up. If an ethtool command that accesses the rss lut is\nattempted immediately after reset, it will result in NULL ptr\ndereference. Also, there is no need to reset the rss lut if the soft reset\ndoes not involve queue count change.\n\nAfter soft reset, set the RSS LUT to default values based on the updated\nqueue count only if the reset was a result of a queue count change and\nthe LUT was not configured by the user. In all other cases, don't touch\nthe LUT.\n\nSteps to reproduce:\n\n** Bring the interface down (if up)\nifconfig eth1 down\n\n** update the queue count (eg., 27->20)\nethtool -L eth1 combined 20\n\n** display the RSS LUT\nethtool -x eth1\n\n[82375.558338] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[82375.558373] #PF: supervisor read access in kernel mode\n[82375.558391] #PF: error_code(0x0000) - not-present page\n[82375.558408] PGD 0 P4D 0\n[82375.558421] Oops: Oops: 0000 [#1] SMP NOPTI\n<snip>\n[82375.558516] RIP: 0010:idpf_get_rxfh+0x108/0x150 [idpf]\n[82375.558786] Call Trace:\n[82375.558793]  <TASK>\n[82375.558804]  rss_prepare.isra.0+0x187/0x2a0\n[82375.558827]  rss_prepare_data+0x3a/0x50\n[82375.558845]  ethnl_default_doit+0x13d/0x3e0\n[82375.558863]  genl_family_rcv_msg_doit+0x11f/0x180\n[82375.558886]  genl_rcv_msg+0x1ad/0x2b0\n[82375.558902]  ? __pfx_ethnl_default_doit+0x10/0x10\n[82375.558920]  ? __pfx_genl_rcv_msg+0x10/0x10\n[82375.558937]  netlink_rcv_skb+0x58/0x100\n[82375.558957]  genl_rcv+0x2c/0x50\n[82375.558971]  netlink_unicast+0x289/0x3e0\n[82375.558988]  netlink_sendmsg+0x215/0x440\n[82375.559005]  __sys_sendto+0x234/0x240\n[82375.559555]  __x64_sys_sendto+0x28/0x30\n[82375.560068]  x64_sys_call+0x1909/0x1da0\n[82375.560576]  do_syscall_64+0x7a/0xfa0\n[82375.561076]  ? clear_bhb_loop+0x60/0xb0\n[82375.561567]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n<snip>","Type":"Description","Title":"idpf: Fix RSS LUT NULL ptr issue after soft reset"}]}}}