CVE-2026-23242
Published: 18 March 2026
Summary
CVE-2026-23242 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 23.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-23242 is a vulnerability in the Linux kernel's RDMA/siw (Software iWARP) implementation that can lead to a NULL pointer dereference during header processing. Specifically, if the siw_get_hdr() function returns -EINVAL before set_rx_fpdu_context() is called, the qp->rx_fpdu structure remains NULL. On the error path in siw_tcp_rx_data(), the code then dereferences qp->rx_fpdu->more_ddp_segs without first checking if rx_fpdu is present, potentially causing a kernel crash. This issue was identified via a KASAN report showing a null-ptr-deref in siw_tcp_rx_data().
Remote, unauthenticated attackers with network access can exploit this vulnerability due to its CVSS v3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). By sending crafted network packets to trigger the error path in the siw_tcp_rx_data() function, an attacker can induce a NULL pointer dereference, resulting in a denial-of-service condition through kernel panic or crash with no impact on confidentiality or integrity.
Mitigation involves applying upstream kernel patches from the referenced stable commits, including 14ab3da122bd18920ad57428f6cf4fade8385142, 714c99e1dc8f85f446e05be02ba83972e981a817, 8564dcc12fbb372d984ab45768cae9335777b274, 87b7a036d2d73d5bb3ae2d47dee23de465db3355, and ab61841633d10e56a58c1493a262f0d02dba2f5e. These fixes ensure that more_ddp_segs is only checked when rx_fpdu is present, preventing the dereference. Security practitioners should update affected Linux kernels, particularly those using RDMA/siw, and monitor for KASAN-detected issues in similar paths.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-12801
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: RDMA/siw: Fix potential NULL pointer dereference in header processing If siw_get_hdr() returns -EINVAL before set_rx_fpdu_context(), qp->rx_fpdu can be NULL. The error path in siw_tcp_rx_data() dereferences qp->rx_fpdu->more_ddp_segs without checking, which may…
more
lead to a NULL pointer deref. Only check more_ddp_segs when rx_fpdu is present. KASAN splat: [ 101.384271] KASAN: null-ptr-deref in range [0x00000000000000c0-0x00000000000000c7] [ 101.385869] RIP: 0010:siw_tcp_rx_data+0x13ad/0x1e50
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
NULL pointer dereference in RDMA/siw network stack directly enables remote unauthenticated DoS via crafted packets causing kernel crash (T1499.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the NULL pointer dereference vulnerability by applying the specific upstream Linux kernel patches referenced in the analysis.
Ensures secure error handling in kernel network processing to prevent NULL dereferences on error paths like in siw_tcp_rx_data().
Mitigates denial-of-service from remote crafted RDMA/siw packets that trigger kernel crashes via NULL pointer dereference.