Skip to main content

Linux Kernel EUVDEUVD-2026-28630

| CVE-2026-43346 MEDIUM
Reachable Assertion (CWE-617)
2026-05-08 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-274m-pqm8-j3hc
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
May 15, 2026 - 19:39 vuln.today
CVSS changed
May 15, 2026 - 19:37 NVD
5.5 (MEDIUM)
CVE Published
May 08, 2026 - 14:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

ice: ptp: don't WARN when controlling PF is unavailable

In VFIO passthrough setups, it is possible to pass through only a PF which doesn't own the source timer. In that case the PTP controlling PF (adapter->ctrl_pf) is never initialized in the VM, so ice_get_ctrl_ptp() returns NULL and triggers WARN_ON() in ice_ptp_setup_pf().

Since this is an expected behavior in that configuration, replace WARN_ON() with an informational message and return -EOPNOTSUPP.

AnalysisAI

Local denial of service in Linux kernel PTP (Precision Time Protocol) driver for Intel Ethernet (ice) allows authenticated users with low privileges to crash the system when PF passthrough is configured without the controlling PF. The vulnerability is caused by improper null pointer handling (CWE-617) when ice_ptp_setup_pf() attempts to access an uninitialized PTP controlling PF in VFIO passthrough configurations. Affects Linux kernel 6.13 through 7.0-rc7. EPSS probability is very low (0.02%, 4th percentile) and no active exploitation has been reported. Patches are available in stable branches 6.18.24, 6.19.14, and mainline 7.0.

Technical ContextAI

The ice driver manages Intel Ethernet Network Adapters with PTP hardware timestamping support, critical for time-sensitive networking applications. In VFIO passthrough scenarios, virtual machines can be assigned individual physical functions (PFs) of SR-IOV-capable network adapters. The vulnerability arises when a VM receives a PF that does not own the hardware source timer required for PTP operations. The ice_ptp_setup_pf() function attempts to retrieve the controlling PF via ice_get_ctrl_ptp(), which returns NULL in this misconfigured state. The original code triggers WARN_ON() - a kernel assertion that generates log noise and can cause system instability. CWE-617 (Reachable Assertion) describes this exact pattern: program assertions that can be triggered by attacker-controlled conditions rather than only indicating genuine programmer errors. The fix replaces the WARN_ON() with a graceful -EOPNOTSUPP error return and informational logging, properly handling the expected configuration scenario.

RemediationAI

Upgrade to patched Linux kernel versions: 6.18.24 or later in the 6.18 stable series, 6.19.14 or later in the 6.19 stable series, or mainline kernel 7.0 or later. Patches are available at https://git.kernel.org/stable/c/e19675b384e9dcaca1bd5e4a67b8ad136eccfbe8 (6.18.24), https://git.kernel.org/stable/c/bb3f21edc7056cdf44a7f7bd7ba65af40741838c (6.19.14), and https://git.kernel.org/stable/c/c73f365707d3b1b78b7d16e1f029020d1ae50d0f (7.0). If immediate patching is not feasible, organizations can implement compensating controls by reconfiguring VFIO passthrough to ensure VMs receiving ice driver PFs also receive the controlling PF that owns the PTP source timer, or disable PTP functionality on passed-through PFs that lack controlling PF access. This workaround eliminates the vulnerable code path but sacrifices PTP timestamping capabilities in affected VMs, which may impact time-sensitive networking applications. Review VM passthrough configurations to identify affected deployments before applying workarounds, as most environments do not use this specific VFIO passthrough pattern.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28630 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy