{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-23203","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-01-13T15:37:45.986Z","datePublished":"2026-02-14T16:27:27.048Z","dateUpdated":"2026-05-11T22:02:19.074Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:02:19.074Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: cpsw_new: Execute ndo_set_rx_mode callback in a work queue\n\nCommit 1767bb2d47b7 (\"ipv6: mcast: Don't hold RTNL for\nIPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP.\") removed the RTNL lock for\nIPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP operations. However, this\nchange triggered the following call trace on my BeagleBone Black board:\n  WARNING: net/8021q/vlan_core.c:236 at vlan_for_each+0x120/0x124, CPU#0: rpcbind/496\n  RTNL: assertion failed at net/8021q/vlan_core.c (236)\n  Modules linked in:\n  CPU: 0 UID: 997 PID: 496 Comm: rpcbind Not tainted 6.19.0-rc6-next-20260122-yocto-standard+ #8 PREEMPT\n  Hardware name: Generic AM33XX (Flattened Device Tree)\n  Call trace:\n   unwind_backtrace from show_stack+0x28/0x2c\n   show_stack from dump_stack_lvl+0x30/0x38\n   dump_stack_lvl from __warn+0xb8/0x11c\n   __warn from warn_slowpath_fmt+0x130/0x194\n   warn_slowpath_fmt from vlan_for_each+0x120/0x124\n   vlan_for_each from cpsw_add_mc_addr+0x54/0xd8\n   cpsw_add_mc_addr from __hw_addr_ref_sync_dev+0xc4/0xec\n   __hw_addr_ref_sync_dev from __dev_mc_add+0x78/0x88\n   __dev_mc_add from igmp6_group_added+0x84/0xec\n   igmp6_group_added from __ipv6_dev_mc_inc+0x1fc/0x2f0\n   __ipv6_dev_mc_inc from __ipv6_sock_mc_join+0x124/0x1b4\n   __ipv6_sock_mc_join from do_ipv6_setsockopt+0x84c/0x1168\n   do_ipv6_setsockopt from ipv6_setsockopt+0x88/0xc8\n   ipv6_setsockopt from do_sock_setsockopt+0xe8/0x19c\n   do_sock_setsockopt from __sys_setsockopt+0x84/0xac\n   __sys_setsockopt from ret_fast_syscall+0x0/0x5\n\nThis trace occurs because vlan_for_each() is called within\ncpsw_ndo_set_rx_mode(), which expects the RTNL lock to be held.\nSince modifying vlan_for_each() to operate without the RTNL lock is not\nstraightforward, and because ndo_set_rx_mode() is invoked both with and\nwithout the RTNL lock across different code paths, simply adding\nrtnl_lock() in cpsw_ndo_set_rx_mode() is not a viable solution.\n\nTo resolve this issue, we opt to execute the actual processing within\na work queue, following the approach used by the icssg-prueth driver."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/ti/cpsw_new.c","drivers/net/ethernet/ti/cpsw_priv.h"],"versions":[{"version":"1767bb2d47b715a106287a8f963d9ec6cbab4e69","lessThan":"d5b3a669866977dc87fd56fcf00a70df1536d258","status":"affected","versionType":"git"},{"version":"1767bb2d47b715a106287a8f963d9ec6cbab4e69","lessThan":"c0b5dc73a38f954e780f93a549b8fe225235c07a","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/ti/cpsw_new.c","drivers/net/ethernet/ti/cpsw_priv.h"],"versions":[{"version":"6.17","status":"affected"},{"version":"0","lessThan":"6.17","status":"unaffected","versionType":"semver"},{"version":"6.18.10","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.17","versionEndExcluding":"6.18.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.17","versionEndExcluding":"6.19"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/d5b3a669866977dc87fd56fcf00a70df1536d258"},{"url":"https://git.kernel.org/stable/c/c0b5dc73a38f954e780f93a549b8fe225235c07a"}],"title":"net: cpsw_new: Execute ndo_set_rx_mode callback in a work queue","x_generator":{"engine":"bippy-1.2.0"}}}}