{
  "affected": [
    {
      "ranges": [
        {
          "events": [
            {
              "introduced": "12bb018c538c3b9a050f69f62fa09fa6c9160bca"
            },
            {
              "fixed": "acc76b97902757b63ba5136f787d107647236a19"
            },
            {
              "fixed": "3ad2471e61e9f0c4d25046d08e3d747501c3b0dd"
            },
            {
              "fixed": "4c2ac52eeeb672624b06c7a135301d7b8a21d52e"
            },
            {
              "fixed": "1e9185b13ce57b86844447e092e58abb3be849b1"
            },
            {
              "fixed": "429024f3a407e4137aee825c2a6be0aba857937d"
            },
            {
              "fixed": "54ef02487914c24170c7e1c061e45212dc55365e"
            }
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "type": "GIT"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Linux",
        "name": "Kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.8.0"
            },
            {
              "fixed": "6.1.175"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.2.0"
            },
            {
              "fixed": "6.6.141"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.7.0"
            },
            {
              "fixed": "6.12.91"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.13.0"
            },
            {
              "fixed": "6.18.33"
            }
          ],
          "type": "ECOSYSTEM"
        },
        {
          "events": [
            {
              "introduced": "6.19.0"
            },
            {
              "fixed": "7.0.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53289.json"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix NULL pointer dereference in ice_reset_all_vfs()\n\nice_reset_all_vfs() ignores the return value of ice_vf_rebuild_vsi().\nWhen the VSI rebuild fails (e.g. during NVM firmware update via\nnvmupdate64e), ice_vsi_rebuild() tears down the VSI on its error path,\nleaving txq_map and rxq_map as NULL. The subsequent unconditional call\nto ice_vf_post_vsi_rebuild() leads to a NULL pointer dereference in\nice_ena_vf_q_mappings() when it accesses vsi-\u003etxq_map[0].\n\nThe single-VF reset path in ice_reset_vf() already handles this\ncorrectly by checking the return value of ice_vf_reconfig_vsi() and\nskipping ice_vf_post_vsi_rebuild() on failure.\n\nApply the same pattern to ice_reset_all_vfs(): check the return value\nof ice_vf_rebuild_vsi() and skip ice_vf_post_vsi_rebuild() and\nice_eswitch_attach_vf() on failure. The VF is left safely disabled\n(ICE_VF_STATE_INIT not set, VFGEN_RSTAT not set to VFACTIVE) and can\nbe recovered via a VFLR triggered by a PCI reset of the VF\n(sysfs reset or driver rebind).\n\nNote that this patch does not prevent the VF VSI rebuild from failing\nduring NVM update — the underlying cause is firmware being in a\ntransitional state while the EMP reset is processed, which can cause\nAdmin Queue commands (ice_add_vsi, ice_cfg_vsi_lan) to fail. This\npatch only prevents the subsequent NULL pointer dereference that\ncrashes the kernel when the rebuild does fail.\n\n crash\u003e bt\n     PID: 50795    TASK: ff34c9ee708dc680  CPU: 1    COMMAND: \"kworker/u512:5\"\n      #0 [ff72159bcfe5bb50] machine_kexec at ffffffffaa8850ee\n      #1 [ff72159bcfe5bba8] __crash_kexec at ffffffffaaa15fba\n      #2 [ff72159bcfe5bc68] crash_kexec at ffffffffaaa16540\n      #3 [ff72159bcfe5bc70] oops_end at ffffffffaa837eda\n      #4 [ff72159bcfe5bc90] page_fault_oops at ffffffffaa893997\n      #5 [ff72159bcfe5bce8] exc_page_fault at ffffffffab528595\n      #6 [ff72159bcfe5bd10] asm_exc_page_fault at ffffffffab600bb2\n         [exception RIP: ice_ena_vf_q_mappings+0x79]\n         RIP: ffffffffc0a85b29  RSP: ff72159bcfe5bdc8  RFLAGS: 00010206\n         RAX: 00000000000f0000  RBX: ff34c9efc9c00000  RCX: 0000000000000000\n         RDX: 0000000000000000  RSI: 0000000000000010  RDI: ff34c9efc9c00000\n         RBP: ff34c9efc27d4828   R8: 0000000000000093   R9: 0000000000000040\n         R10: ff34c9efc27d4828  R11: 0000000000000040  R12: 0000000000100000\n         R13: 0000000000000010  R14:   R15:\n         ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018\n      #7 [ff72159bcfe5bdf8] ice_sriov_post_vsi_rebuild at ffffffffc0a85e2e [ice]\n      #8 [ff72159bcfe5be08] ice_reset_all_vfs at ffffffffc0a920b4 [ice]\n      #9 [ff72159bcfe5be48] ice_service_task at ffffffffc0a31519 [ice]\n     #10 [ff72159bcfe5be88] process_one_work at ffffffffaa93dca4\n     #11 [ff72159bcfe5bec8] worker_thread at ffffffffaa93e9de\n     #12 [ff72159bcfe5bf18] kthread at ffffffffaa946663\n     #13 [ff72159bcfe5bf50] ret_from_fork at ffffffffaa8086b9\n\n The panic occurs attempting to dereference the NULL pointer in RDX at\n ice_sriov.c:294, which loads vsi-\u003etxq_map (offset 0x4b8 in ice_vsi).\n\n The faulting VSI is an allocated slab object but not fully initialized\n after a failed ice_vsi_rebuild():\n\n  crash\u003e struct ice_vsi 0xff34c9efc27d4828\n    netdev = 0x0,\n    rx_rings = 0x0,\n    tx_rings = 0x0,\n    q_vectors = 0x0,\n    txq_map = 0x0,\n    rxq_map = 0x0,\n    alloc_txq = 0x10,\n    num_txq = 0x10,\n    alloc_rxq = 0x10,\n    num_rxq = 0x10,\n\n The nvmupdate64e process was performing NVM firmware update:\n\n  crash\u003e bt 0xff34c9edd1a30000\n  PID: 49858    TASK: ff34c9edd1a30000  CPU: 1    COMMAND: \"nvmupdate64e\"\n   #0 [ff72159bcd617618] __schedule at ffffffffab5333f8\n   #4 [ff72159bcd617750] ice_sq_send_cmd at ffffffffc0a35347 [ice]\n   #5 [ff72159bcd6177a8] ice_sq_send_cmd_retry at ffffffffc0a35b47 [ice]\n   #6 [ff72159bcd617810] ice_aq_send_cmd at ffffffffc0a38018 [ice]\n   #7 [ff72159bcd617848] ice_aq_read_nvm at ffffffffc0a40254 [ice]\n   #8 \n---truncated---",
  "id": "CVE-2026-53289",
  "modified": "2026-07-15T01:48:58.270845811Z",
  "published": "2026-06-26T19:40:49.418Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1e9185b13ce57b86844447e092e58abb3be849b1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3ad2471e61e9f0c4d25046d08e3d747501c3b0dd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/429024f3a407e4137aee825c2a6be0aba857937d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4c2ac52eeeb672624b06c7a135301d7b8a21d52e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/54ef02487914c24170c7e1c061e45212dc55365e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/acc76b97902757b63ba5136f787d107647236a19"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53289.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53289"
    },
    {
      "type": "PACKAGE",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"
    }
  ],
  "schema_version": "1.8.0",
  "summary": "ice: fix NULL pointer dereference in ice_reset_all_vfs()"
}