CVE-2026-23203 - Vulnerability Details

Vendors	Products
Linux	Linux Kernel

Link	Providers
https://git.kernel.org/stable/c/c0b5dc73a38f954e780f93a549b8fe225235c07a
https://git.kernel.org/stable/c/d5b3a669866977dc87fd56fcf00a70df1536d258

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net: cpsw_new: Execute ndo_set_rx_mode callback in a work queue Commit 1767bb2d47b7 ("ipv6: mcast: Don't hold RTNL for IPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP.") removed the RTNL lock for IPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP operations. However, this change triggered the following call trace on my BeagleBone Black board: WARNING: net/8021q/vlan_core.c:236 at vlan_for_each+0x120/0x124, CPU#0: rpcbind/496 RTNL: assertion failed at net/8021q/vlan_core.c (236) Modules linked in: CPU: 0 UID: 997 PID: 496 Comm: rpcbind Not tainted 6.19.0-rc6-next-20260122-yocto-standard+ #8 PREEMPT Hardware name: Generic AM33XX (Flattened Device Tree) Call trace: unwind_backtrace from show_stack+0x28/0x2c show_stack from dump_stack_lvl+0x30/0x38 dump_stack_lvl from __warn+0xb8/0x11c __warn from warn_slowpath_fmt+0x130/0x194 warn_slowpath_fmt from vlan_for_each+0x120/0x124 vlan_for_each from cpsw_add_mc_addr+0x54/0xd8 cpsw_add_mc_addr from __hw_addr_ref_sync_dev+0xc4/0xec __hw_addr_ref_sync_dev from __dev_mc_add+0x78/0x88 __dev_mc_add from igmp6_group_added+0x84/0xec igmp6_group_added from __ipv6_dev_mc_inc+0x1fc/0x2f0 __ipv6_dev_mc_inc from __ipv6_sock_mc_join+0x124/0x1b4 __ipv6_sock_mc_join from do_ipv6_setsockopt+0x84c/0x1168 do_ipv6_setsockopt from ipv6_setsockopt+0x88/0xc8 ipv6_setsockopt from do_sock_setsockopt+0xe8/0x19c do_sock_setsockopt from __sys_setsockopt+0x84/0xac __sys_setsockopt from ret_fast_syscall+0x0/0x5 This trace occurs because vlan_for_each() is called within cpsw_ndo_set_rx_mode(), which expects the RTNL lock to be held. Since modifying vlan_for_each() to operate without the RTNL lock is not straightforward, and because ndo_set_rx_mode() is invoked both with and without the RTNL lock across different code paths, simply adding rtnl_lock() in cpsw_ndo_set_rx_mode() is not a viable solution. To resolve this issue, we opt to execute the actual processing within a work queue, following the approach used by the icssg-prueth driver.
Title		net: cpsw_new: Execute ndo_set_rx_mode callback in a work queue
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/c0b5dc73a38f954e780f93a549b8fe225235c07a https://git.kernel.org/stable/c/d5b3a669866977dc87fd56fcf00a70df1536d258

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23203", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.986Z", "datePublished": "2026-02-14T16:27:27.048Z", "dateUpdated": "2026-02-14T16:27:27.048Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-02-14T16:27:27.048Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: cpsw_new: Execute ndo_set_rx_mode callback in a work queue\n\nCommit 1767bb2d47b7 (\"ipv6: mcast: Don't hold RTNL for\nIPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP.\") removed the RTNL lock for\nIPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP operations. However, this\nchange triggered the following call trace on my BeagleBone Black board:\n WARNING: net/8021q/vlan_core.c:236 at vlan_for_each+0x120/0x124, CPU#0: rpcbind/496\n RTNL: assertion failed at net/8021q/vlan_core.c (236)\n Modules linked in:\n CPU: 0 UID: 997 PID: 496 Comm: rpcbind Not tainted 6.19.0-rc6-next-20260122-yocto-standard+ #8 PREEMPT\n Hardware name: Generic AM33XX (Flattened Device Tree)\n Call trace:\n unwind_backtrace from show_stack+0x28/0x2c\n show_stack from dump_stack_lvl+0x30/0x38\n dump_stack_lvl from __warn+0xb8/0x11c\n __warn from warn_slowpath_fmt+0x130/0x194\n warn_slowpath_fmt from vlan_for_each+0x120/0x124\n vlan_for_each from cpsw_add_mc_addr+0x54/0xd8\n cpsw_add_mc_addr from __hw_addr_ref_sync_dev+0xc4/0xec\n __hw_addr_ref_sync_dev from __dev_mc_add+0x78/0x88\n __dev_mc_add from igmp6_group_added+0x84/0xec\n igmp6_group_added from __ipv6_dev_mc_inc+0x1fc/0x2f0\n __ipv6_dev_mc_inc from __ipv6_sock_mc_join+0x124/0x1b4\n __ipv6_sock_mc_join from do_ipv6_setsockopt+0x84c/0x1168\n do_ipv6_setsockopt from ipv6_setsockopt+0x88/0xc8\n ipv6_setsockopt from do_sock_setsockopt+0xe8/0x19c\n do_sock_setsockopt from __sys_setsockopt+0x84/0xac\n __sys_setsockopt from ret_fast_syscall+0x0/0x5\n\nThis trace occurs because vlan_for_each() is called within\ncpsw_ndo_set_rx_mode(), which expects the RTNL lock to be held.\nSince modifying vlan_for_each() to operate without the RTNL lock is not\nstraightforward, and because ndo_set_rx_mode() is invoked both with and\nwithout the RTNL lock across different code paths, simply adding\nrtnl_lock() in cpsw_ndo_set_rx_mode() is not a viable solution.\n\nTo resolve this issue, we opt to execute the actual processing within\na work queue, following the approach used by the icssg-prueth driver."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/ti/cpsw_new.c", "drivers/net/ethernet/ti/cpsw_priv.h"], "versions": [{"version": "1767bb2d47b715a106287a8f963d9ec6cbab4e69", "lessThan": "d5b3a669866977dc87fd56fcf00a70df1536d258", "status": "affected", "versionType": "git"}, {"version": "1767bb2d47b715a106287a8f963d9ec6cbab4e69", "lessThan": "c0b5dc73a38f954e780f93a549b8fe225235c07a", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/ethernet/ti/cpsw_new.c", "drivers/net/ethernet/ti/cpsw_priv.h"], "versions": [{"version": "6.17", "status": "affected"}, {"version": "0", "lessThan": "6.17", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.10", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17", "versionEndExcluding": "6.18.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.17", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/d5b3a669866977dc87fd56fcf00a70df1536d258"}, {"url": "https://git.kernel.org/stable/c/c0b5dc73a38f954e780f93a549b8fe225235c07a"}], "title": "net: cpsw_new: Execute ndo_set_rx_mode callback in a work queue", "x_generator": {"engine": "bippy-1.2.0"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: cpsw_new: Execute ndo_set_rx_mode callback in a work queue\n\nCommit 1767bb2d47b7 (\"ipv6: mcast: Don't hold RTNL for\nIPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP.\") removed the RTNL lock for\nIPV6_ADD_MEMBERSHIP and MCAST_JOIN_GROUP operations. However, this\nchange triggered the following call trace on my BeagleBone Black board:\n WARNING: net/8021q/vlan_core.c:236 at vlan_for_each+0x120/0x124, CPU#0: rpcbind/496\n RTNL: assertion failed at net/8021q/vlan_core.c (236)\n Modules linked in:\n CPU: 0 UID: 997 PID: 496 Comm: rpcbind Not tainted 6.19.0-rc6-next-20260122-yocto-standard+ #8 PREEMPT\n Hardware name: Generic AM33XX (Flattened Device Tree)\n Call trace:\n unwind_backtrace from show_stack+0x28/0x2c\n show_stack from dump_stack_lvl+0x30/0x38\n dump_stack_lvl from __warn+0xb8/0x11c\n __warn from warn_slowpath_fmt+0x130/0x194\n warn_slowpath_fmt from vlan_for_each+0x120/0x124\n vlan_for_each from cpsw_add_mc_addr+0x54/0xd8\n cpsw_add_mc_addr from __hw_addr_ref_sync_dev+0xc4/0xec\n __hw_addr_ref_sync_dev from __dev_mc_add+0x78/0x88\n __dev_mc_add from igmp6_group_added+0x84/0xec\n igmp6_group_added from __ipv6_dev_mc_inc+0x1fc/0x2f0\n __ipv6_dev_mc_inc from __ipv6_sock_mc_join+0x124/0x1b4\n __ipv6_sock_mc_join from do_ipv6_setsockopt+0x84c/0x1168\n do_ipv6_setsockopt from ipv6_setsockopt+0x88/0xc8\n ipv6_setsockopt from do_sock_setsockopt+0xe8/0x19c\n do_sock_setsockopt from __sys_setsockopt+0x84/0xac\n __sys_setsockopt from ret_fast_syscall+0x0/0x5\n\nThis trace occurs because vlan_for_each() is called within\ncpsw_ndo_set_rx_mode(), which expects the RTNL lock to be held.\nSince modifying vlan_for_each() to operate without the RTNL lock is not\nstraightforward, and because ndo_set_rx_mode() is invoked both with and\nwithout the RTNL lock across different code paths, simply adding\nrtnl_lock() in cpsw_ndo_set_rx_mode() is not a viable solution.\n\nTo resolve this issue, we opt to execute the actual processing within\na work queue, following the approach used by the icssg-prueth driver."}], "id": "CVE-2026-23203", "lastModified": "2026-02-14T17:15:58.177", "metrics": {}, "published": "2026-02-14T17:15:58.177", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c0b5dc73a38f954e780f93a549b8fe225235c07a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d5b3a669866977dc87fd56fcf00a70df1536d258"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Received"}

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object