{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-23173","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-01-13T15:37:45.983Z","datePublished":"2026-02-14T16:01:34.842Z","dateUpdated":"2026-05-11T22:01:44.197Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:01:44.197Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: TC, delete flows only for existing peers\n\nWhen deleting TC steering flows, iterate only over actual devcom\npeers instead of assuming all possible ports exist. This avoids\ntouching non-existent peers and ensures cleanup is limited to\ndevices the driver is currently connected to.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000008\n #PF: supervisor write access in kernel mode\n #PF: error_code(0x0002) - not-present page\n PGD 133c8a067 P4D 0\n Oops: Oops: 0002 [#1] SMP\n CPU: 19 UID: 0 PID: 2169 Comm: tc Not tainted 6.18.0+ #156 NONE\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n RIP: 0010:mlx5e_tc_del_fdb_peers_flow+0xbe/0x200 [mlx5_core]\n Code: 00 00 a8 08 74 a8 49 8b 46 18 f6 c4 02 74 9f 4c 8d bf a0 12 00 00 4c 89 ff e8 0e e7 96 e1 49 8b 44 24 08 49 8b 0c 24 4c 89 ff <48> 89 41 08 48 89 08 49 89 2c 24 49 89 5c 24 08 e8 7d ce 96 e1 49\n RSP: 0018:ff11000143867528 EFLAGS: 00010246\n RAX: 0000000000000000 RBX: dead000000000122 RCX: 0000000000000000\n RDX: ff11000143691580 RSI: ff110001026e5000 RDI: ff11000106f3d2a0\n RBP: dead000000000100 R08: 00000000000003fd R09: 0000000000000002\n R10: ff11000101c75690 R11: ff1100085faea178 R12: ff11000115f0ae78\n R13: 0000000000000000 R14: ff11000115f0a800 R15: ff11000106f3d2a0\n FS:  00007f35236bf740(0000) GS:ff110008dc809000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000008 CR3: 0000000157a01001 CR4: 0000000000373eb0\n Call Trace:\n  <TASK>\n  mlx5e_tc_del_flow+0x46/0x270 [mlx5_core]\n  mlx5e_flow_put+0x25/0x50 [mlx5_core]\n  mlx5e_delete_flower+0x2a6/0x3e0 [mlx5_core]\n  tc_setup_cb_reoffload+0x20/0x80\n  fl_reoffload+0x26f/0x2f0 [cls_flower]\n  ? mlx5e_tc_reoffload_flows_work+0xc0/0xc0 [mlx5_core]\n  ? mlx5e_tc_reoffload_flows_work+0xc0/0xc0 [mlx5_core]\n  tcf_block_playback_offloads+0x9e/0x1c0\n  tcf_block_unbind+0x7b/0xd0\n  tcf_block_setup+0x186/0x1d0\n  tcf_block_offload_cmd.isra.0+0xef/0x130\n  tcf_block_offload_unbind+0x43/0x70\n  __tcf_block_put+0x85/0x160\n  ingress_destroy+0x32/0x110 [sch_ingress]\n  __qdisc_destroy+0x44/0x100\n  qdisc_graft+0x22b/0x610\n  tc_get_qdisc+0x183/0x4d0\n  rtnetlink_rcv_msg+0x2d7/0x3d0\n  ? rtnl_calcit.isra.0+0x100/0x100\n  netlink_rcv_skb+0x53/0x100\n  netlink_unicast+0x249/0x320\n  ? __alloc_skb+0x102/0x1f0\n  netlink_sendmsg+0x1e3/0x420\n  __sock_sendmsg+0x38/0x60\n  ____sys_sendmsg+0x1ef/0x230\n  ? copy_msghdr_from_user+0x6c/0xa0\n  ___sys_sendmsg+0x7f/0xc0\n  ? ___sys_recvmsg+0x8a/0xc0\n  ? __sys_sendto+0x119/0x180\n  __sys_sendmsg+0x61/0xb0\n  do_syscall_64+0x55/0x640\n  entry_SYSCALL_64_after_hwframe+0x4b/0x53\n RIP: 0033:0x7f35238bb764\n Code: 15 b9 86 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb bf 0f 1f 44 00 00 f3 0f 1e fa 80 3d e5 08 0d 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 4c c3 0f 1f 00 55 48 89 e5 48 83 ec 20 89 55\n RSP: 002b:00007ffed4c35638 EFLAGS: 00000202 ORIG_RAX: 000000000000002e\n RAX: ffffffffffffffda RBX: 000055a2efcc75e0 RCX: 00007f35238bb764\n RDX: 0000000000000000 RSI: 00007ffed4c356a0 RDI: 0000000000000003\n RBP: 00007ffed4c35710 R08: 0000000000000010 R09: 00007f3523984b20\n R10: 0000000000000004 R11: 0000000000000202 R12: 00007ffed4c35790\n R13: 000000006947df8f R14: 000055a2efcc75e0 R15: 00007ffed4c35780"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/mellanox/mlx5/core/en_tc.c"],"versions":[{"version":"9be6c21fdcf8a7ec48262bb76f78c17ac2761ac6","lessThan":"62e1d8920f6920543f4b095a65fb964448c9901d","status":"affected","versionType":"git"},{"version":"9be6c21fdcf8a7ec48262bb76f78c17ac2761ac6","lessThan":"2652e2f1253c53f9a3ce84cc972568b32c892734","status":"affected","versionType":"git"},{"version":"9be6c21fdcf8a7ec48262bb76f78c17ac2761ac6","lessThan":"fdf8437016f578f18b160c6e14f13ab96bfbc3ba","status":"affected","versionType":"git"},{"version":"9be6c21fdcf8a7ec48262bb76f78c17ac2761ac6","lessThan":"f67666938ae626cbda63fbf5176b3583c07e7124","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/mellanox/mlx5/core/en_tc.c"],"versions":[{"version":"6.5","status":"affected"},{"version":"0","lessThan":"6.5","status":"unaffected","versionType":"semver"},{"version":"6.6.123","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.69","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.9","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.5","versionEndExcluding":"6.6.123"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.5","versionEndExcluding":"6.12.69"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.5","versionEndExcluding":"6.18.9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.5","versionEndExcluding":"6.19"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/62e1d8920f6920543f4b095a65fb964448c9901d"},{"url":"https://git.kernel.org/stable/c/2652e2f1253c53f9a3ce84cc972568b32c892734"},{"url":"https://git.kernel.org/stable/c/fdf8437016f578f18b160c6e14f13ab96bfbc3ba"},{"url":"https://git.kernel.org/stable/c/f67666938ae626cbda63fbf5176b3583c07e7124"}],"title":"net/mlx5e: TC, delete flows only for existing peers","x_generator":{"engine":"bippy-1.2.0"}}}}