Skip to main content

Linux Kernel CVE-2026-46249

| EUVDEUVD-2026-34111 MEDIUM
2026-06-03 Linux GHSA-4h78-p5vg-qg6m
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 09, 2026 - 20:58 vuln.today
CVSS changed
Jun 09, 2026 - 20:52 NVD
5.5 (MEDIUM)
Patch available
Jun 03, 2026 - 19:01 EUVD
CVE Published
Jun 03, 2026 - 15:49 nvd
MEDIUM 5.5
CVE Published
Jun 03, 2026 - 15:49 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

octeontx2-af: Fix PF driver crash with kexec kernel booting

During a kexec reboot the hardware is not power-cycled, so AF state from the old kernel can persist into the new kernel. When AF and PF drivers are built as modules, the PF driver may probe before AF reinitializes the hardware.

The PF driver treats the RVUM block revision as an indication that AF initialization is complete. If this value is left uncleared at shutdown, PF may incorrectly assume AF is ready and access stale hardware state, leading to a crash.

Clear the RVUM block revision during AF shutdown to avoid PF mis-detecting AF readiness after kexec.

AnalysisAI

Kernel crash in the Linux octeontx2-af driver exposes Marvell OcteonTX2 systems to a denial-of-service condition triggered by kexec reboots when both AF and PF drivers are loaded as modules. Because kexec does not power-cycle hardware, the RVUM block revision register retains its pre-reboot value; the PF driver misinterprets this stale register value as confirmation that AF initialization is complete and proceeds to access hardware state that has not yet been reinitialized in the new kernel, producing a kernel panic. No public exploit exists and EPSS is 0.02% (7th percentile), confirming this is a niche reliability defect in a specific hardware/driver configuration rather than an adversarially weaponizable flaw.

Technical ContextAI

The vulnerability resides in the octeontx2-af (OcteonTX2 Admin Function) subsystem of the Linux kernel, which manages Marvell OcteonTX2 network SoC hardware - typically found in high-performance networking and cloud infrastructure platforms. The affected CPE is cpe:2.3:a:linux:linux across multiple stable branches. The RVUM (Resource and Virtualization Unit Manager) block revision register serves as an implicit readiness signal between the AF (Admin Function) and PF (Physical Function) drivers; a non-zero value is treated by PF as proof that AF has completed hardware initialization. Under kexec - a Linux mechanism to chain-load a new kernel without a full hardware power cycle, commonly used for crash dumps (kdump) and live kernel patching - hardware registers are not reset. Because the AF driver failed to zero the RVUM block revision register at shutdown, the new kernel's PF driver reads the stale value, incorrectly assumes AF readiness, and dereferences uninitialized state. No CWE was formally assigned; the root cause class is improper hardware state cleanup on shutdown, analogous to CWE-672 (Operation on a Resource after Expiration or Release) or CWE-908 (Use of Uninitialized Resource). The fix clears the RVUM block revision during AF shutdown to break the false-positive readiness signal.

RemediationAI

Upgrade to a patched kernel version for the applicable stable branch: 5.10.252+ (5.10.x), 5.15.202+ (5.15.x), 6.1.165+ (6.1.x), 6.6.128+ (6.6.x), 6.12.75+ (6.12.x), 6.18.14+ (6.18.x), 6.19.4+ (6.19.x), or 7.0+ (mainline). Upstream fix commits are available at https://git.kernel.org/stable/c/b7605b9301abc18fbbf2b0e23fdd281fc768955d and the related per-branch commits listed in the references. As a compensating control for systems that cannot be patched immediately, disabling kexec-based reboot workflows (kdump, live patching) eliminates the vulnerable code path entirely; the trade-off is loss of crash dump capture capability and live kernel patching, which may affect operational resilience and supportability SLAs. Alternatively, building the octeontx2-af and octeontx2-pf drivers directly into the kernel image (CONFIG_OCTEONTX2_AF=y, CONFIG_OCTEONTX2_PF=y) rather than as loadable modules may alter probe ordering and avoid the race condition, though this is not a confirmed upstream-endorsed workaround and introduces its own trade-offs in kernel image size and module management flexibility.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

CVE-2026-46249 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy