Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
AC:H applied because exploitation requires a non-attacker-controlled PM resume failure precondition; all other metrics align with the provided vector.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
net: mana: Guard mana_remove against double invocation
If PM resume fails (e.g., mana_attach() returns an error), mana_probe() calls mana_remove(), which tears down the device and sets gd->gdma_context = NULL and gd->driver_data = NULL.
However, a failed resume callback does not automatically unbind the driver. When the device is eventually unbound, mana_remove() is invoked a second time. Without a NULL check, it dereferences gc->dev with gc == NULL, causing a kernel panic.
Add an early return if gdma_context or driver_data is NULL so the second invocation is harmless. Move the dev = gc->dev assignment after the guard so it cannot dereference NULL.
AnalysisAI
Kernel panic via NULL pointer dereference in the Linux kernel MANA (Microsoft Azure Network Adapter) driver allows a local low-privileged user to crash the host when a power management resume failure leaves the driver in a torn-down state. The mana_remove() function is invoked twice - first during a failed mana_probe() recovery path that nullifies gdma_context and driver_data, and again when the driver is subsequently unbound - dereferencing a NULL gc pointer. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires all of the following: (1) the target system must be a Linux VM running on Microsoft Azure using the MANA virtual NIC driver (not present on physical hardware or non-Azure hypervisors); (2) a power management resume failure must occur - specifically, mana_attach() must return an error during PM resume - which sets gdma_context to NULL via the mana_probe() error path; (3) after this failure, the MANA driver must be unbound (e.g., via driver reload, device hotplug removal, or VM lifecycle operations) to trigger the second mana_remove() invocation; (4) local access with at least low-privilege credentials (PR:L per CVSS) is required to be present on the system, though the PM failure itself may be environmental rather than attacker-triggered. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is moderate-to-low despite a CVSS availability impact of High. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user on an Azure Linux VM with the MANA virtual NIC encounters (or induces) a PM resume failure - for example, by triggering a suspend/resume cycle during a transient network configuration error that causes mana_attach() to return an error. The kernel's mana_probe() error path then calls mana_remove(), nullifying gdma_context. … |
| Remediation | Upgrade to Linux kernel 6.18.33, 7.0.10, or 7.1 where the NULL guard in mana_remove() has been applied; patch commits are confirmed at the three kernel.org stable links in the references. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39902
GHSA-43rv-4q7x-r3cg