{"api_version":"1","generated_at":"2026-05-13T07:41:17+00:00","cve":"CVE-2026-23353","urls":{"html":"https://cve.report/CVE-2026-23353","api":"https://cve.report/api/cve/CVE-2026-23353.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-23353","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-23353"},"summary":{"title":"ice: fix crash in ethtool offline loopback test","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix crash in ethtool offline loopback test\n\nSince the conversion of ice to page pool, the ethtool loopback test\ncrashes:\n\n BUG: kernel NULL pointer dereference, address: 000000000000000c\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 1100f1067 P4D 0\n Oops: Oops: 0002 [#1] SMP NOPTI\n CPU: 23 UID: 0 PID: 5904 Comm: ethtool Kdump: loaded Not tainted 6.19.0-0.rc7.260128g1f97d9dcf5364.49.eln154.x86_64 #1 PREEMPT(lazy)\n Hardware name: [...]\n RIP: 0010:ice_alloc_rx_bufs+0x1cd/0x310 [ice]\n Code: 83 6c 24 30 01 66 41 89 47 08 0f 84 c0 00 00 00 41 0f b7 dc 48 8b 44 24 18 48 c1 e3 04 41 bb 00 10 00 00 48 8d 2c 18 8b 04 24 <89> 45 0c 41 8b 4d 00 49 d3 e3 44 3b 5c 24 24 0f 83 ac fe ff ff 44\n RSP: 0018:ff7894738aa1f768 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000700 RDI: 0000000000000000\n RBP: 0000000000000000 R08: ff16dcae79880200 R09: 0000000000000019\n R10: 0000000000000001 R11: 0000000000001000 R12: 0000000000000000\n R13: 0000000000000000 R14: 0000000000000000 R15: ff16dcae6c670000\n FS:  00007fcf428850c0(0000) GS:ff16dcb149710000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000000000000c CR3: 0000000121227005 CR4: 0000000000773ef0\n PKRU: 55555554\n Call Trace:\n  <TASK>\n  ice_vsi_cfg_rxq+0xca/0x460 [ice]\n  ice_vsi_cfg_rxqs+0x54/0x70 [ice]\n  ice_loopback_test+0xa9/0x520 [ice]\n  ice_self_test+0x1b9/0x280 [ice]\n  ethtool_self_test+0xe5/0x200\n  __dev_ethtool+0x1106/0x1a90\n  dev_ethtool+0xbe/0x1a0\n  dev_ioctl+0x258/0x4c0\n  sock_do_ioctl+0xe3/0x130\n  __x64_sys_ioctl+0xb9/0x100\n  do_syscall_64+0x7c/0x700\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  [...]\n\nIt crashes because we have not initialized libeth for the rx ring.\n\nFix it by treating ICE_VSI_LB VSIs slightly more like normal PF VSIs and\nletting them have a q_vector. It's just a dummy, because the loopback\ntest does not use interrupts, but it contains a napi struct that can be\npassed to libeth_rx_fq_create() called from ice_vsi_cfg_rxq() ->\nice_rxq_pp_create().","state":"PUBLISHED","assigner":"Linux","published_at":"2026-03-25 11:16:33","updated_at":"2026-04-24 17:45:52"},"problem_types":["CWE-476"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"5.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}}],"references":[{"url":"https://git.kernel.org/stable/c/a9c354e656597aededa027d63d2ff0973f6b033f","name":"https://git.kernel.org/stable/c/a9c354e656597aededa027d63d2ff0973f6b033f","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/85c98b81849e4724ae99005a6cccd33cab9cfd18","name":"https://git.kernel.org/stable/c/85c98b81849e4724ae99005a6cccd33cab9cfd18","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-23353","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23353","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 93f53db9f9dc4a16b40ecd18e6d338ad57e4b670 85c98b81849e4724ae99005a6cccd33cab9cfd18 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 93f53db9f9dc4a16b40ecd18e6d338ad57e4b670 a9c354e656597aededa027d63d2ff0973f6b033f git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.19","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.7 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"23353","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"23353","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"6.19","cpe7":"-","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"23353","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"7.0","cpe7":"rc1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"23353","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"7.0","cpe7":"rc2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"23353","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"7.0","cpe7":"rc3","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"23353","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"7.0","cpe7":"rc4","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"23353","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"7.0","cpe7":"rc5","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"23353","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"7.0","cpe7":"rc6","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"23353","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"7.0","cpe7":"rc7","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"23353","cve":"CVE-2026-23353","epss":"0.000170000","percentile":"0.040020000","score_date":"2026-04-26","updated_at":"2026-04-27 00:09:41"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/net/ethernet/intel/ice/ice_base.c","drivers/net/ethernet/intel/ice/ice_ethtool.c","drivers/net/ethernet/intel/ice/ice_lib.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"85c98b81849e4724ae99005a6cccd33cab9cfd18","status":"affected","version":"93f53db9f9dc4a16b40ecd18e6d338ad57e4b670","versionType":"git"},{"lessThan":"a9c354e656597aededa027d63d2ff0973f6b033f","status":"affected","version":"93f53db9f9dc4a16b40ecd18e6d338ad57e4b670","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/net/ethernet/intel/ice/ice_base.c","drivers/net/ethernet/intel/ice/ice_ethtool.c","drivers/net/ethernet/intel/ice/ice_lib.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.19"},{"lessThan":"6.19","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.7","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.7","versionStartIncluding":"6.19","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"6.19","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix crash in ethtool offline loopback test\n\nSince the conversion of ice to page pool, the ethtool loopback test\ncrashes:\n\n BUG: kernel NULL pointer dereference, address: 000000000000000c\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 1100f1067 P4D 0\n Oops: Oops: 0002 [#1] SMP NOPTI\n CPU: 23 UID: 0 PID: 5904 Comm: ethtool Kdump: loaded Not tainted 6.19.0-0.rc7.260128g1f97d9dcf5364.49.eln154.x86_64 #1 PREEMPT(lazy)\n Hardware name: [...]\n RIP: 0010:ice_alloc_rx_bufs+0x1cd/0x310 [ice]\n Code: 83 6c 24 30 01 66 41 89 47 08 0f 84 c0 00 00 00 41 0f b7 dc 48 8b 44 24 18 48 c1 e3 04 41 bb 00 10 00 00 48 8d 2c 18 8b 04 24 <89> 45 0c 41 8b 4d 00 49 d3 e3 44 3b 5c 24 24 0f 83 ac fe ff ff 44\n RSP: 0018:ff7894738aa1f768 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000700 RDI: 0000000000000000\n RBP: 0000000000000000 R08: ff16dcae79880200 R09: 0000000000000019\n R10: 0000000000000001 R11: 0000000000001000 R12: 0000000000000000\n R13: 0000000000000000 R14: 0000000000000000 R15: ff16dcae6c670000\n FS:  00007fcf428850c0(0000) GS:ff16dcb149710000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000000000000c CR3: 0000000121227005 CR4: 0000000000773ef0\n PKRU: 55555554\n Call Trace:\n  <TASK>\n  ice_vsi_cfg_rxq+0xca/0x460 [ice]\n  ice_vsi_cfg_rxqs+0x54/0x70 [ice]\n  ice_loopback_test+0xa9/0x520 [ice]\n  ice_self_test+0x1b9/0x280 [ice]\n  ethtool_self_test+0xe5/0x200\n  __dev_ethtool+0x1106/0x1a90\n  dev_ethtool+0xbe/0x1a0\n  dev_ioctl+0x258/0x4c0\n  sock_do_ioctl+0xe3/0x130\n  __x64_sys_ioctl+0xb9/0x100\n  do_syscall_64+0x7c/0x700\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  [...]\n\nIt crashes because we have not initialized libeth for the rx ring.\n\nFix it by treating ICE_VSI_LB VSIs slightly more like normal PF VSIs and\nletting them have a q_vector. It's just a dummy, because the loopback\ntest does not use interrupts, but it contains a napi struct that can be\npassed to libeth_rx_fq_create() called from ice_vsi_cfg_rxq() ->\nice_rxq_pp_create()."}],"providerMetadata":{"dateUpdated":"2026-04-13T06:05:37.933Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/85c98b81849e4724ae99005a6cccd33cab9cfd18"},{"url":"https://git.kernel.org/stable/c/a9c354e656597aededa027d63d2ff0973f6b033f"}],"title":"ice: fix crash in ethtool offline loopback test","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-23353","datePublished":"2026-03-25T10:27:38.167Z","dateReserved":"2026-01-13T15:37:46.000Z","dateUpdated":"2026-04-13T06:05:37.933Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-03-25 11:16:33","lastModifiedDate":"2026-04-24 17:45:52","problem_types":["CWE-476"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19.1","versionEndExcluding":"6.19.7","matchCriteriaId":"8ACF56ED-6FE0-41DE-BECE-41134CC7BD44"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:6.19:-:*:*:*:*:*:*","matchCriteriaId":"35C8A871-4971-433E-A046-FC9F7B7D190A"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"23353","Ordinal":"1","Title":"ice: fix crash in ethtool offline loopback test","CVE":"CVE-2026-23353","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"23353","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix crash in ethtool offline loopback test\n\nSince the conversion of ice to page pool, the ethtool loopback test\ncrashes:\n\n BUG: kernel NULL pointer dereference, address: 000000000000000c\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 1100f1067 P4D 0\n Oops: Oops: 0002 [#1] SMP NOPTI\n CPU: 23 UID: 0 PID: 5904 Comm: ethtool Kdump: loaded Not tainted 6.19.0-0.rc7.260128g1f97d9dcf5364.49.eln154.x86_64 #1 PREEMPT(lazy)\n Hardware name: [...]\n RIP: 0010:ice_alloc_rx_bufs+0x1cd/0x310 [ice]\n Code: 83 6c 24 30 01 66 41 89 47 08 0f 84 c0 00 00 00 41 0f b7 dc 48 8b 44 24 18 48 c1 e3 04 41 bb 00 10 00 00 48 8d 2c 18 8b 04 24 <89> 45 0c 41 8b 4d 00 49 d3 e3 44 3b 5c 24 24 0f 83 ac fe ff ff 44\n RSP: 0018:ff7894738aa1f768 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000700 RDI: 0000000000000000\n RBP: 0000000000000000 R08: ff16dcae79880200 R09: 0000000000000019\n R10: 0000000000000001 R11: 0000000000001000 R12: 0000000000000000\n R13: 0000000000000000 R14: 0000000000000000 R15: ff16dcae6c670000\n FS:  00007fcf428850c0(0000) GS:ff16dcb149710000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000000000000c CR3: 0000000121227005 CR4: 0000000000773ef0\n PKRU: 55555554\n Call Trace:\n  <TASK>\n  ice_vsi_cfg_rxq+0xca/0x460 [ice]\n  ice_vsi_cfg_rxqs+0x54/0x70 [ice]\n  ice_loopback_test+0xa9/0x520 [ice]\n  ice_self_test+0x1b9/0x280 [ice]\n  ethtool_self_test+0xe5/0x200\n  __dev_ethtool+0x1106/0x1a90\n  dev_ethtool+0xbe/0x1a0\n  dev_ioctl+0x258/0x4c0\n  sock_do_ioctl+0xe3/0x130\n  __x64_sys_ioctl+0xb9/0x100\n  do_syscall_64+0x7c/0x700\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  [...]\n\nIt crashes because we have not initialized libeth for the rx ring.\n\nFix it by treating ICE_VSI_LB VSIs slightly more like normal PF VSIs and\nletting them have a q_vector. It's just a dummy, because the loopback\ntest does not use interrupts, but it contains a napi struct that can be\npassed to libeth_rx_fq_create() called from ice_vsi_cfg_rxq() ->\nice_rxq_pp_create().","Type":"Description","Title":"ice: fix crash in ethtool offline loopback test"}]}}}