{"id":"CVE-2026-23353","summary":"ice: fix crash in ethtool offline loopback test","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix crash in ethtool offline loopback test\n\nSince the conversion of ice to page pool, the ethtool loopback test\ncrashes:\n\n BUG: kernel NULL pointer dereference, address: 000000000000000c\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 1100f1067 P4D 0\n Oops: Oops: 0002 [#1] SMP NOPTI\n CPU: 23 UID: 0 PID: 5904 Comm: ethtool Kdump: loaded Not tainted 6.19.0-0.rc7.260128g1f97d9dcf5364.49.eln154.x86_64 #1 PREEMPT(lazy)\n Hardware name: [...]\n RIP: 0010:ice_alloc_rx_bufs+0x1cd/0x310 [ice]\n Code: 83 6c 24 30 01 66 41 89 47 08 0f 84 c0 00 00 00 41 0f b7 dc 48 8b 44 24 18 48 c1 e3 04 41 bb 00 10 00 00 48 8d 2c 18 8b 04 24 \u003c89\u003e 45 0c 41 8b 4d 00 49 d3 e3 44 3b 5c 24 24 0f 83 ac fe ff ff 44\n RSP: 0018:ff7894738aa1f768 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000700 RDI: 0000000000000000\n RBP: 0000000000000000 R08: ff16dcae79880200 R09: 0000000000000019\n R10: 0000000000000001 R11: 0000000000001000 R12: 0000000000000000\n R13: 0000000000000000 R14: 0000000000000000 R15: ff16dcae6c670000\n FS:  00007fcf428850c0(0000) GS:ff16dcb149710000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000000000000c CR3: 0000000121227005 CR4: 0000000000773ef0\n PKRU: 55555554\n Call Trace:\n  \u003cTASK\u003e\n  ice_vsi_cfg_rxq+0xca/0x460 [ice]\n  ice_vsi_cfg_rxqs+0x54/0x70 [ice]\n  ice_loopback_test+0xa9/0x520 [ice]\n  ice_self_test+0x1b9/0x280 [ice]\n  ethtool_self_test+0xe5/0x200\n  __dev_ethtool+0x1106/0x1a90\n  dev_ethtool+0xbe/0x1a0\n  dev_ioctl+0x258/0x4c0\n  sock_do_ioctl+0xe3/0x130\n  __x64_sys_ioctl+0xb9/0x100\n  do_syscall_64+0x7c/0x700\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  [...]\n\nIt crashes because we have not initialized libeth for the rx ring.\n\nFix it by treating ICE_VSI_LB VSIs slightly more like normal PF VSIs and\nletting them have a q_vector. It's just a dummy, because the loopback\ntest does not use interrupts, but it contains a napi struct that can be\npassed to libeth_rx_fq_create() called from ice_vsi_cfg_rxq() -\u003e\nice_rxq_pp_create().","modified":"2026-04-02T13:12:22.905983Z","published":"2026-03-25T10:27:38.167Z","database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23353.json"},"references":[{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"},{"type":"WEB","url":"https://git.kernel.org/stable/c/85c98b81849e4724ae99005a6cccd33cab9cfd18"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a9c354e656597aededa027d63d2ff0973f6b033f"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23353.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23353"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"93f53db9f9dc4a16b40ecd18e6d338ad57e4b670"},{"fixed":"85c98b81849e4724ae99005a6cccd33cab9cfd18"},{"fixed":"a9c354e656597aededa027d63d2ff0973f6b033f"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23353.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.7"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23353.json"}}],"schema_version":"1.7.5"}