{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-23210","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2026-01-13T15:37:45.986Z","datePublished":"2026-02-14T16:27:31.892Z","dateUpdated":"2026-05-11T22:02:27.163Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2026-05-11T22:02:27.163Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix PTP NULL pointer dereference during VSI rebuild\n\nFix race condition where PTP periodic work runs while VSI is being\nrebuilt, accessing NULL vsi->rx_rings.\n\nThe sequence was:\n1. ice_ptp_prepare_for_reset() cancels PTP work\n2. ice_ptp_rebuild() immediately queues PTP work\n3. VSI rebuild happens AFTER ice_ptp_rebuild()\n4. PTP work runs and accesses NULL vsi->rx_rings\n\nFix: Keep PTP work cancelled during rebuild, only queue it after\nVSI rebuild completes in ice_rebuild().\n\nAdded ice_ptp_queue_work() helper function to encapsulate the logic\nfor queuing PTP work, ensuring it's only queued when PTP is supported\nand the state is ICE_PTP_READY.\n\nError log:\n[  121.392544] ice 0000:60:00.1: PTP reset successful\n[  121.392692] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[  121.392712] #PF: supervisor read access in kernel mode\n[  121.392720] #PF: error_code(0x0000) - not-present page\n[  121.392727] PGD 0\n[  121.392734] Oops: Oops: 0000 [#1] SMP NOPTI\n[  121.392746] CPU: 8 UID: 0 PID: 1005 Comm: ice-ptp-0000:60 Tainted: G S                  6.19.0-rc6+ #4 PREEMPT(voluntary)\n[  121.392761] Tainted: [S]=CPU_OUT_OF_SPEC\n[  121.392773] RIP: 0010:ice_ptp_update_cached_phctime+0xbf/0x150 [ice]\n[  121.393042] Call Trace:\n[  121.393047]  <TASK>\n[  121.393055]  ice_ptp_periodic_work+0x69/0x180 [ice]\n[  121.393202]  kthread_worker_fn+0xa2/0x260\n[  121.393216]  ? __pfx_ice_ptp_periodic_work+0x10/0x10 [ice]\n[  121.393359]  ? __pfx_kthread_worker_fn+0x10/0x10\n[  121.393371]  kthread+0x10d/0x230\n[  121.393382]  ? __pfx_kthread+0x10/0x10\n[  121.393393]  ret_from_fork+0x273/0x2b0\n[  121.393407]  ? __pfx_kthread+0x10/0x10\n[  121.393417]  ret_from_fork_asm+0x1a/0x30\n[  121.393432]  </TASK>"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/intel/ice/ice_main.c","drivers/net/ethernet/intel/ice/ice_ptp.c","drivers/net/ethernet/intel/ice/ice_ptp.h"],"versions":[{"version":"803bef817807d2d36c930dada20c96fffae0dd19","lessThan":"ba0c7fff6616025a7d3a9e887e7ce16b06dc34b9","status":"affected","versionType":"git"},{"version":"803bef817807d2d36c930dada20c96fffae0dd19","lessThan":"7565d4df66b6619b50dc36618d8b8f1787d77e19","status":"affected","versionType":"git"},{"version":"803bef817807d2d36c930dada20c96fffae0dd19","lessThan":"fc6f36eaaedcf4b81af6fe1a568f018ffd530660","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/ethernet/intel/ice/ice_main.c","drivers/net/ethernet/intel/ice/ice_ptp.c","drivers/net/ethernet/intel/ice/ice_ptp.h"],"versions":[{"version":"6.9","status":"affected"},{"version":"0","lessThan":"6.9","status":"unaffected","versionType":"semver"},{"version":"6.12.80","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.18.10","lessThanOrEqual":"6.18.*","status":"unaffected","versionType":"semver"},{"version":"6.19","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.9","versionEndExcluding":"6.12.80"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.9","versionEndExcluding":"6.18.10"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.9","versionEndExcluding":"6.19"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/ba0c7fff6616025a7d3a9e887e7ce16b06dc34b9"},{"url":"https://git.kernel.org/stable/c/7565d4df66b6619b50dc36618d8b8f1787d77e19"},{"url":"https://git.kernel.org/stable/c/fc6f36eaaedcf4b81af6fe1a568f018ffd530660"}],"title":"ice: Fix PTP NULL pointer dereference during VSI rebuild","x_generator":{"engine":"bippy-1.2.0"}}}}