Skip to main content

Linux Kernel CVE-2026-46287

| EUVDEUVD-2026-35152 MEDIUM
Reachable Assertion (CWE-617)
2026-06-08 Linux GHSA-pqmq-qjcg-mw2v
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.4 MEDIUM

Module removal requires CAP_SYS_MODULE (effectively root), warranting PR:H over the reported PR:L; no confidentiality or integrity impact applies.

3.1 AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 08, 2026 - 19:13 vuln.today
CVSS changed
Jul 08, 2026 - 19:07 NVD
5.5 (MEDIUM)
Patch available
Jun 08, 2026 - 18:01 EUVD
CVE Published
Jun 08, 2026 - 15:41 nvd
MEDIUM 5.5
CVE Published
Jun 08, 2026 - 15:41 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

net: txgbe: fix RTNL assertion warning when remove module

For the copper NIC with external PHY, the driver called phylink_connect_phy() during probe and phylink_disconnect_phy() during remove. It caused an RTNL assertion warning in phylink_disconnect_phy() upon module remove.

To fix this, add rtnl_lock() and rtnl_unlock() around the phylink_disconnect_phy() in remove function.

------------[ cut here ]------------ RTNL: assertion failed at drivers/net/phy/phylink.c (2351) WARNING: drivers/net/phy/phylink.c:2351 at phylink_disconnect_phy+0xd8/0xf0 [phylink], CPU#0: rmmod/4464 Modules linked in: ... CPU: 0 UID: 0 PID: 4464 Comm: rmmod Kdump: loaded Not tainted 7.0.0-rc4+ Hardware name: Micro-Star International Co., Ltd. MS-7E16/X670E GAMING PLUS WIFI (MS-7E16), BIOS 1.90 12/31/2024 RIP: 0010:phylink_disconnect_phy+0xe4/0xf0 [phylink] Code: 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 31 d2 31 f6 31 ff e9 3a 38 8f e7 48 8d 3d 48 87 e2 ff ba 2f 09 00 00 48 c7 c6 c1 22 24 c0 <67> 48 0f b9 3a e9 34 ff ff ff 66 90 90 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffce7288363ac0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff89654b2a1a00 RCX: 0000000000000000 RDX: 000000000000092f RSI: ffffffffc02422c1 RDI: ffffffffc0239020 RBP: ffffce7288363ae8 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff8964c4022000 R13: ffff89654fce3028 R14: ffff89654ebb4000 R15: ffffffffc0226348 FS: 0000795e80d93780(0000) GS:ffff896c52857000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005b528b592000 CR3: 0000000170d0f000 CR4: 0000000000f50ef0 PKRU: 55555554 Call Trace: <TASK> txgbe_remove_phy+0xbb/0xd0 [txgbe] txgbe_remove+0x4c/0xb0 [txgbe] pci_device_remove+0x41/0xb0 device_remove+0x43/0x80 device_release_driver_internal+0x206/0x270 driver_detach+0x4a/0xa0 bus_remove_driver+0x83/0x120 driver_unregister+0x2f/0x60 pci_unregister_driver+0x40/0x90 txgbe_driver_exit+0x10/0x850 [txgbe] __do_sys_delete_module.isra.0+0x1c3/0x2f0 __x64_sys_delete_module+0x12/0x20 x64_sys_call+0x20c3/0x2390 do_syscall_64+0x11c/0x1500 ? srso_alias_return_thunk+0x5/0xfbef5 ? do_syscall_64+0x15a/0x1500 ? srso_alias_return_thunk+0x5/0xfbef5 ? do_fault+0x312/0x580 ? srso_alias_return_thunk+0x5/0xfbef5 ? __handle_mm_fault+0x9d5/0x1040 ? srso_alias_return_thunk+0x5/0xfbef5 ? count_memcg_events+0x101/0x1d0 ? srso_alias_return_thunk+0x5/0xfbef5 ? handle_mm_fault+0x1e8/0x2f0 ? srso_alias_return_thunk+0x5/0xfbef5 ? do_user_addr_fault+0x2f8/0x820 ? srso_alias_return_thunk+0x5/0xfbef5 ? irqentry_exit+0xb2/0x600 ? srso_alias_return_thunk+0x5/0xfbef5 ? exc_page_fault+0x92/0x1c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e

AnalysisAI

Missing RTNL lock acquisition in the txgbe network driver causes a kernel assertion warning during module removal on systems with Wangxun copper NICs with external PHY. When rmmod txgbe is executed, phylink_disconnect_phy() fires an ASSERT_RTNL() check at drivers/net/phy/phylink.c:2351 because the driver's remove path neglects to hold the RTNL mutex, producing a kernel WARNING and degrading system availability. No public exploit exists and EPSS is 0.02% (5th percentile); this is a stability regression rather than a remotely exploitable flaw, affecting a narrow hardware-specific code path.

Technical ContextAI

The txgbe driver manages Wangxun 10GbE copper NICs that rely on an external PHY, bridged through the Linux phylink subsystem. During probe, phylink_connect_phy() is called, but during module removal phylink_disconnect_phy() is invoked in txgbe_remove_phy() without the caller holding the RTNL (Routing Netlink) semaphore - a global networking lock that phylink mandates for PHY connect/disconnect operations. CWE-617 (Reachable Assertion) precisely characterizes the root cause: an internal kernel consistency check (WARN_ON(!rtnl_is_locked())) that is reachable from a normal privileged user action (module removal), producing an exploitable denial-of-service path through an otherwise unreachable code branch. Affected CPE: cpe:2.3:a:linux:linux:*. The EUVD confirms the introducing commit is 02b2a6f91b9042552bc3aa728622bda97e3916fa.

RemediationAI

The primary remediation is to upgrade to a patched kernel: 6.6.140, 6.12.88, 6.18.27, 7.0.4, or 7.1-rc1 or later. Upstream fix commits are available from kernel.org stable at https://git.kernel.org/stable/c/0305e7118451c7c363c18f8113b0d8e0077ffa4c (6.6 branch), https://git.kernel.org/stable/c/3e223a7fd41ce6fffdb10577df9350385262bf33, https://git.kernel.org/stable/c/d29cafc7e4ee9e28a150ba17e9a565ec5d881fbc, https://git.kernel.org/stable/c/6c5ec52c68a6a442c8a159615ae092512562318a, and https://git.kernel.org/stable/c/e159f05e12cc1111a3103b99375ddf0dfd0e7d63. Ubuntu users should apply USN-8489-1 and USN-8488-1. As a workaround on unpatched systems, avoid unloading the txgbe module on affected hardware (i.e., do not run rmmod txgbe or trigger driver unbind via sysfs); this prevents the assertion but eliminates the ability to dynamically manage the driver. No network-reachable workaround is needed as the vector is strictly local.

Share

CVE-2026-46287 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy