Skip to main content

Linux Kernel EUVDEUVD-2026-26611

| CVE-2026-43012 MEDIUM
2026-05-01 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 07, 2026 - 20:37 vuln.today
CVSS changed
May 07, 2026 - 20:37 NVD
5.5 (MEDIUM)
Patch available
May 01, 2026 - 16:33 EUVD
Patch released
May 01, 2026 - 15:24 nvd
Patch available
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26611
CVE Published
May 01, 2026 - 14:15 nvd
MEDIUM 5.5
CVE Published
May 01, 2026 - 14:15 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Fix switchdev mode rollback in case of failure

If for some internal reason switchdev mode fails, we rollback to legacy mode, before this patch, rollback will unregister the uplink netdev and leave it unregistered causing the below kernel bug.

To fix this, we need to avoid netdev unregister by setting the proper rollback flag 'MLX5_PRIV_FLAGS_SWITCH_LEGACY' to indicate legacy mode.

devlink (431) used greatest stack depth: 11048 bytes left mlx5_core 0000:00:03.0: E-Switch: Disable: mode(LEGACY), nvfs(0), \ necvfs(0), active vports(0) mlx5_core 0000:00:03.0: E-Switch: Supported tc chains and prios offload mlx5_core 0000:00:03.0: Loading uplink representor for vport 65535 mlx5_core 0000:00:03.0: mlx5_cmd_out_err:816:(pid 456): \ QUERY_HCA_CAP(0x100) op_mod(0x0) failed, \ status bad parameter(0x3), syndrome (0x3a3846), err(-22) mlx5_core 0000:00:03.0 enp0s3np0 (unregistered): Unloading uplink \ representor for vport 65535 ------------[ cut here ]------------ kernel BUG at net/core/dev.c:12070! Oops: invalid opcode: 0000 [#1] SMP NOPTI CPU: 2 UID: 0 PID: 456 Comm: devlink Not tainted 6.16.0-rc3+ \ #9 PREEMPT(voluntary) RIP: 0010:unregister_netdevice_many_notify+0x123/0xae0 ... Call Trace: [ 90.923094] unregister_netdevice_queue+0xad/0xf0 [ 90.923323] unregister_netdev+0x1c/0x40 [ 90.923522] mlx5e_vport_rep_unload+0x61/0xc6 [ 90.923736] esw_offloads_enable+0x8e6/0x920 [ 90.923947] mlx5_eswitch_enable_locked+0x349/0x430 [ 90.924182] ? is_mp_supported+0x57/0xb0 [ 90.924376] mlx5_devlink_eswitch_mode_set+0x167/0x350 [ 90.924628] devlink_nl_eswitch_set_doit+0x6f/0xf0 [ 90.924862] genl_family_rcv_msg_doit+0xe8/0x140 [ 90.925088] genl_rcv_msg+0x18b/0x290 [ 90.925269] ? __pfx_devlink_nl_pre_doit+0x10/0x10 [ 90.925506] ? __pfx_devlink_nl_eswitch_set_doit+0x10/0x10 [ 90.925766] ? __pfx_devlink_nl_post_doit+0x10/0x10 [ 90.926001] ? __pfx_genl_rcv_msg+0x10/0x10 [ 90.926206] netlink_rcv_skb+0x52/0x100 [ 90.926393] genl_rcv+0x28/0x40 [ 90.926557] netlink_unicast+0x27d/0x3d0 [ 90.926749] netlink_sendmsg+0x1f7/0x430 [ 90.926942] __sys_sendto+0x213/0x220 [ 90.927127] ? __sys_recvmsg+0x6a/0xd0 [ 90.927312] __x64_sys_sendto+0x24/0x30 [ 90.927504] do_syscall_64+0x50/0x1c0 [ 90.927687] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 90.927929] RIP: 0033:0x7f7d0363e047

AnalysisAI

A denial of service vulnerability in the Linux kernel's mlx5 (Mellanox/NVIDIA) network driver causes a kernel panic when switchdev mode initialization fails during rollback to legacy mode. A local unprivileged user on systems with affected mlx5 hardware can trigger improper netdevice unregistration, leading to a kernel BUG at net/core/dev.c:12070 and system crash. The vulnerability affects multiple stable kernel versions; vendor-released patches are available.

Technical ContextAI

The vulnerability exists in the mlx5 Ethernet driver's E-Switch (embedded switch) subsystem, which manages switchdev mode for network offloading. The mlx5 driver uses internal flags like 'MLX5_PRIV_FLAGS_SWITCH_LEGACY' to track operational modes. When switchdev mode enablement fails (e.g., due to hardware capability queries failing with QUERY_HCA_CAP errors), the driver's rollback code path incorrectly attempts to unregister the uplink network device representor without properly signaling that legacy mode should be retained. This causes the kernel to attempt netdevice unregistration on a device already marked as unregistered, triggering a BUG_ON() assertion in unregister_netdevice_many_notify(). The fix requires setting the MLX5_PRIV_FLAGS_SWITCH_LEGACY flag during rollback to prevent improper device state transitions.

RemediationAI

Vendor-released patches are available in Linux kernel stable versions 6.12.81, 6.18.22, 6.19.12, and 7.0. Upgrade to these patched versions or apply the upstream fix commits (2ebb13f3e8be0b61f72425b34cce60c8b6ad1891, e27153b2bd6e6699b544ac4dfa35d167bed5e642, 4363698838b7ec6e8d85b179495889aa7e522f91, 403186400a1a6166efe7031edc549c15fee4723f) backported to your kernel branch. For systems with mlx5 hardware unable to update immediately, restrict devlink eswitch mode configuration via access control (e.g., limit devlink command execution to trusted administrators only via sudo or AppArmor) to prevent untrusted users from triggering E-Switch mode transitions. This mitigates the local attack surface but does not fix the underlying bug. Patches may be obtained from https://git.kernel.org/stable/ or through your Linux distribution's security update channels.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26611 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy