{"api_version":"1","generated_at":"2026-04-15T06:34:50+00:00","cve":"CVE-2026-23438","urls":{"html":"https://cve.report/CVE-2026-23438","api":"https://cve.report/api/cve/CVE-2026-23438.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-23438","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-23438"},"summary":{"title":"net: mvpp2: guard flow control update with global_tx_fc in buffer switching","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mvpp2: guard flow control update with global_tx_fc in buffer switching\n\nmvpp2_bm_switch_buffers() unconditionally calls\nmvpp2_bm_pool_update_priv_fc() when switching between per-cpu and\nshared buffer pool modes. This function programs CM3 flow control\nregisters via mvpp2_cm3_read()/mvpp2_cm3_write(), which dereference\npriv->cm3_base without any NULL check.\n\nWhen the CM3 SRAM resource is not present in the device tree (the\nthird reg entry added by commit 60523583b07c (\"dts: marvell: add CM3\nSRAM memory to cp11x ethernet device tree\")), priv->cm3_base remains\nNULL and priv->global_tx_fc is false. Any operation that triggers\nmvpp2_bm_switch_buffers(), for example an MTU change that crosses\nthe jumbo frame threshold, will crash:\n\n  Unable to handle kernel NULL pointer dereference at\n  virtual address 0000000000000000\n  Mem abort info:\n    ESR = 0x0000000096000006\n    EC = 0x25: DABT (current EL), IL = 32 bits\n  pc : readl+0x0/0x18\n  lr : mvpp2_cm3_read.isra.0+0x14/0x20\n  Call trace:\n   readl+0x0/0x18\n   mvpp2_bm_pool_update_fc+0x40/0x12c\n   mvpp2_bm_pool_update_priv_fc+0x94/0xd8\n   mvpp2_bm_switch_buffers.isra.0+0x80/0x1c0\n   mvpp2_change_mtu+0x140/0x380\n   __dev_set_mtu+0x1c/0x38\n   dev_set_mtu_ext+0x78/0x118\n   dev_set_mtu+0x48/0xa8\n   dev_ifsioc+0x21c/0x43c\n   dev_ioctl+0x2d8/0x42c\n   sock_ioctl+0x314/0x378\n\nEvery other flow control call site in the driver already guards\nhardware access with either priv->global_tx_fc or port->tx_fc.\nmvpp2_bm_switch_buffers() is the only place that omits this check.\n\nAdd the missing priv->global_tx_fc guard to both the disable and\nre-enable calls in mvpp2_bm_switch_buffers(), consistent with the\nrest of the driver.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-04-03 16:16:25","updated_at":"2026-04-07 13:21:09"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/8a63baadf08453f66eb582fdb6dd234f72024723","name":"https://git.kernel.org/stable/c/8a63baadf08453f66eb582fdb6dd234f72024723","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/8baced53a35fc9710f80d6ca016a2c418dc3231f","name":"https://git.kernel.org/stable/c/8baced53a35fc9710f80d6ca016a2c418dc3231f","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/da089f74a993f846685067b14158cb41b879ff29","name":"https://git.kernel.org/stable/c/da089f74a993f846685067b14158cb41b879ff29","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/7df2b50cae1a76cbb90b294f3edb61e3e10bf2e9","name":"https://git.kernel.org/stable/c/7df2b50cae1a76cbb90b294f3edb61e3e10bf2e9","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/7bd20f4b3ef3044dc55acd5b8ef748a70d29d03f","name":"https://git.kernel.org/stable/c/7bd20f4b3ef3044dc55acd5b8ef748a70d29d03f","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/ff0c54f088f7ab91dbbf47cf8244460f99122750","name":"https://git.kernel.org/stable/c/ff0c54f088f7ab91dbbf47cf8244460f99122750","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-23438","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23438","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3a616b92a9d17448d96a33bf58e69f01457fd43a da089f74a993f846685067b14158cb41b879ff29 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3a616b92a9d17448d96a33bf58e69f01457fd43a ff0c54f088f7ab91dbbf47cf8244460f99122750 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3a616b92a9d17448d96a33bf58e69f01457fd43a 7bd20f4b3ef3044dc55acd5b8ef748a70d29d03f git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3a616b92a9d17448d96a33bf58e69f01457fd43a 7df2b50cae1a76cbb90b294f3edb61e3e10bf2e9 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3a616b92a9d17448d96a33bf58e69f01457fd43a 8baced53a35fc9710f80d6ca016a2c418dc3231f git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3a616b92a9d17448d96a33bf58e69f01457fd43a 8a63baadf08453f66eb582fdb6dd234f72024723 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5.12","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.12 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.167 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.130 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.78 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.20 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.10 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0-rc5 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"23438","cve":"CVE-2026-23438","epss":"0.000240000","percentile":"0.066190000","score_date":"2026-04-07","updated_at":"2026-04-08 00:03:39"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"da089f74a993f846685067b14158cb41b879ff29","status":"affected","version":"3a616b92a9d17448d96a33bf58e69f01457fd43a","versionType":"git"},{"lessThan":"ff0c54f088f7ab91dbbf47cf8244460f99122750","status":"affected","version":"3a616b92a9d17448d96a33bf58e69f01457fd43a","versionType":"git"},{"lessThan":"7bd20f4b3ef3044dc55acd5b8ef748a70d29d03f","status":"affected","version":"3a616b92a9d17448d96a33bf58e69f01457fd43a","versionType":"git"},{"lessThan":"7df2b50cae1a76cbb90b294f3edb61e3e10bf2e9","status":"affected","version":"3a616b92a9d17448d96a33bf58e69f01457fd43a","versionType":"git"},{"lessThan":"8baced53a35fc9710f80d6ca016a2c418dc3231f","status":"affected","version":"3a616b92a9d17448d96a33bf58e69f01457fd43a","versionType":"git"},{"lessThan":"8a63baadf08453f66eb582fdb6dd234f72024723","status":"affected","version":"3a616b92a9d17448d96a33bf58e69f01457fd43a","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"5.12"},{"lessThan":"5.12","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.167","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.130","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.78","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.20","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.10","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0-rc5","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.167","versionStartIncluding":"5.12","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.130","versionStartIncluding":"5.12","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.78","versionStartIncluding":"5.12","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.20","versionStartIncluding":"5.12","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.10","versionStartIncluding":"5.12","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0-rc5","versionStartIncluding":"5.12","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mvpp2: guard flow control update with global_tx_fc in buffer switching\n\nmvpp2_bm_switch_buffers() unconditionally calls\nmvpp2_bm_pool_update_priv_fc() when switching between per-cpu and\nshared buffer pool modes. This function programs CM3 flow control\nregisters via mvpp2_cm3_read()/mvpp2_cm3_write(), which dereference\npriv->cm3_base without any NULL check.\n\nWhen the CM3 SRAM resource is not present in the device tree (the\nthird reg entry added by commit 60523583b07c (\"dts: marvell: add CM3\nSRAM memory to cp11x ethernet device tree\")), priv->cm3_base remains\nNULL and priv->global_tx_fc is false. Any operation that triggers\nmvpp2_bm_switch_buffers(), for example an MTU change that crosses\nthe jumbo frame threshold, will crash:\n\n  Unable to handle kernel NULL pointer dereference at\n  virtual address 0000000000000000\n  Mem abort info:\n    ESR = 0x0000000096000006\n    EC = 0x25: DABT (current EL), IL = 32 bits\n  pc : readl+0x0/0x18\n  lr : mvpp2_cm3_read.isra.0+0x14/0x20\n  Call trace:\n   readl+0x0/0x18\n   mvpp2_bm_pool_update_fc+0x40/0x12c\n   mvpp2_bm_pool_update_priv_fc+0x94/0xd8\n   mvpp2_bm_switch_buffers.isra.0+0x80/0x1c0\n   mvpp2_change_mtu+0x140/0x380\n   __dev_set_mtu+0x1c/0x38\n   dev_set_mtu_ext+0x78/0x118\n   dev_set_mtu+0x48/0xa8\n   dev_ifsioc+0x21c/0x43c\n   dev_ioctl+0x2d8/0x42c\n   sock_ioctl+0x314/0x378\n\nEvery other flow control call site in the driver already guards\nhardware access with either priv->global_tx_fc or port->tx_fc.\nmvpp2_bm_switch_buffers() is the only place that omits this check.\n\nAdd the missing priv->global_tx_fc guard to both the disable and\nre-enable calls in mvpp2_bm_switch_buffers(), consistent with the\nrest of the driver."}],"providerMetadata":{"dateUpdated":"2026-04-03T15:15:22.701Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/da089f74a993f846685067b14158cb41b879ff29"},{"url":"https://git.kernel.org/stable/c/ff0c54f088f7ab91dbbf47cf8244460f99122750"},{"url":"https://git.kernel.org/stable/c/7bd20f4b3ef3044dc55acd5b8ef748a70d29d03f"},{"url":"https://git.kernel.org/stable/c/7df2b50cae1a76cbb90b294f3edb61e3e10bf2e9"},{"url":"https://git.kernel.org/stable/c/8baced53a35fc9710f80d6ca016a2c418dc3231f"},{"url":"https://git.kernel.org/stable/c/8a63baadf08453f66eb582fdb6dd234f72024723"}],"title":"net: mvpp2: guard flow control update with global_tx_fc in buffer switching","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-23438","datePublished":"2026-04-03T15:15:22.701Z","dateReserved":"2026-01-13T15:37:46.017Z","dateUpdated":"2026-04-03T15:15:22.701Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-03 16:16:25","lastModifiedDate":"2026-04-07 13:21:09","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"23438","Ordinal":"1","Title":"net: mvpp2: guard flow control update with global_tx_fc in buffe","CVE":"CVE-2026-23438","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"23438","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mvpp2: guard flow control update with global_tx_fc in buffer switching\n\nmvpp2_bm_switch_buffers() unconditionally calls\nmvpp2_bm_pool_update_priv_fc() when switching between per-cpu and\nshared buffer pool modes. This function programs CM3 flow control\nregisters via mvpp2_cm3_read()/mvpp2_cm3_write(), which dereference\npriv->cm3_base without any NULL check.\n\nWhen the CM3 SRAM resource is not present in the device tree (the\nthird reg entry added by commit 60523583b07c (\"dts: marvell: add CM3\nSRAM memory to cp11x ethernet device tree\")), priv->cm3_base remains\nNULL and priv->global_tx_fc is false. Any operation that triggers\nmvpp2_bm_switch_buffers(), for example an MTU change that crosses\nthe jumbo frame threshold, will crash:\n\n  Unable to handle kernel NULL pointer dereference at\n  virtual address 0000000000000000\n  Mem abort info:\n    ESR = 0x0000000096000006\n    EC = 0x25: DABT (current EL), IL = 32 bits\n  pc : readl+0x0/0x18\n  lr : mvpp2_cm3_read.isra.0+0x14/0x20\n  Call trace:\n   readl+0x0/0x18\n   mvpp2_bm_pool_update_fc+0x40/0x12c\n   mvpp2_bm_pool_update_priv_fc+0x94/0xd8\n   mvpp2_bm_switch_buffers.isra.0+0x80/0x1c0\n   mvpp2_change_mtu+0x140/0x380\n   __dev_set_mtu+0x1c/0x38\n   dev_set_mtu_ext+0x78/0x118\n   dev_set_mtu+0x48/0xa8\n   dev_ifsioc+0x21c/0x43c\n   dev_ioctl+0x2d8/0x42c\n   sock_ioctl+0x314/0x378\n\nEvery other flow control call site in the driver already guards\nhardware access with either priv->global_tx_fc or port->tx_fc.\nmvpp2_bm_switch_buffers() is the only place that omits this check.\n\nAdd the missing priv->global_tx_fc guard to both the disable and\nre-enable calls in mvpp2_bm_switch_buffers(), consistent with the\nrest of the driver.","Type":"Description","Title":"net: mvpp2: guard flow control update with global_tx_fc in buffe"}]}}}