HIGH
octeon_ep_vf RxBuffer Deref
CVE-2026-46188
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
01Description
In the Linux kernel, the following vulnerability has been resolved: octeon_ep_vf: add NULL check for napi_build_skb() napi_build_skb() can return NULL on allocation failure. In __octep_vf_oq_process_rx(), the result is used directly without a NULL check in both the single-buffer and multi-fragment paths, leading to a NULL pointer dereference. Add NULL checks after both napi_build_skb() calls, properly advancing descriptors and consuming remaining fragments on failure.
02KernelScan AI Analysis
Risk summary
Remote attackers can trigger a kernel NULL pointer dereference in the Marvell Octeon EP VF network driver during packet reception under memory pressure. This leads to a kernel panic and system crash, causing denial of service for all users.
Vulnerability analysis
The vulnerability occurs in __octep_vf_oq_process_rx() where napi_build_skb() can return NULL during memory allocation failure, but the code directly uses the returned pointer without validation. This happens in both single-buffer and multi-fragment receive paths. The fix adds proper NULL checks after both napi_build_skb() calls and implements cleanup logic to advance descriptors and consume remaining fragments when allocation fails, preventing the NULL dereference while maintaining proper driver state.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.88 | 60246cdd4c51 |
| 6.18 | 6.18.30 | b0f4711b426a |
| 7.0 | 7.0.7 | 6fef6640bbf3 |
| mainline | 7.1-rc1 | dd66b4285470 |