MEDIUM 5.5

CVE-2026-46142

A flaw in the Linux kernel's libwx network driver allows a virtual machine or container running as a non-privileged user to trigger a system hang by reading a hardware register that should only be accessible to the physical device owner. During virtual function (VF) initialization, the driver incorrectly attempts to access a restricted register (WX_CFG_PORT_ST), causing the system to hang. The issue stems from the driver not properly distinguishing between physical function (PF) and virtual function device contexts when accessing low-level hardware state.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
Affected products
7 configuration(s)
Published / Modified
2026-05-28 / 2026-06-24

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: net: libwx: fix VF illegal register access Register WX_CFG_PORT_ST is a PF restricted register. When a VF is initialized, attempting to read this register triggers an illegal register access, which lead to a system hang. When the device is VF, the bus function ID can be obtained directly from the PCI_FUNC(pdev->devfn).

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46142 is a local denial-of-service vulnerability in the Linux kernel's libwx driver affecting virtual function (VF) initialization. The WX_CFG_PORT_ST register is a PF-restricted register; however, the driver does not enforce this restriction during VF device setup. When a VF attempts to read this register during initialization, an illegal register access occurs, leading to a system hang. The fix involves using the PCI bus function ID directly from PCI_FUNC(pdev->devfn) rather than attempting a restricted register read to determine device context. This allows the driver to correctly identify whether the device is operating as a VF and skip the privileged register access.

Business impact

Organizations running virtualized infrastructure or containers on systems using the libwx network driver face availability risk. A malicious or compromised guest workload with local access can intentionally trigger this flaw to hang the host kernel, disrupting all workloads sharing that physical machine. In multi-tenant or cloud environments, this becomes a cross-tenant denial-of-service vector. The impact is localized to availability; there is no data exfiltration or privilege escalation potential from this flaw alone.

Affected systems

Linux kernel systems equipped with libwx-based network hardware and running virtual machine or container workloads. The vulnerability manifests during VF initialization, meaning any system attempting to assign a virtual network function to a guest or container is at risk. The scope is limited to systems where libwx is present and VF functionality is enabled. No specific kernel version range is indicated in the source data; verify affected versions against the Linux kernel security advisory.

Exploitability

Exploitability is limited to local, authenticated contexts: a user or process running inside a VF (virtual machine, container, or unprivileged account on a shared host) with the ability to trigger device initialization can cause the hang. There is no remote attack vector. Availability impact is immediate and deterministic—any VF initialization attempt on a vulnerable kernel will reproduce the hang. Privilege escalation is not possible through this flaw; the attacker must already possess local execution capability.

Remediation

Apply the Linux kernel patch that corrects VF register access logic in the libwx driver. The fix ensures that the driver queries the device type using PCI_FUNC(pdev->devfn) instead of attempting to read the restricted WX_CFG_PORT_ST register during VF initialization. Patch availability and affected kernel versions should be verified against the official Linux kernel security advisories and your distribution's kernel release notes. No workaround is available other than disabling VF functionality or avoiding deployment of guest workloads on vulnerable hosts.

Patch guidance

Identify your Linux kernel version and libwx driver version by checking /proc/version and driver module information. Cross-reference against the Linux kernel security advisory for CVE-2026-46142 to determine which stable kernel series and patch levels include the fix. Most major distributions (Red Hat, Debian, Ubuntu, SUSE) will release patched kernel packages; apply these through your standard patch management process. If your system does not use libwx drivers, this vulnerability does not apply. Test kernel updates in a non-production environment first, particularly if VF functionality is in use.

Detection guidance

Monitor kernel logs for illegal register access events or unexpected system hangs coinciding with VF or guest device initialization. On vulnerable systems, check for the presence of libwx drivers using lspci and driver module lists. VF initialization failures or system stalls without obvious cause warrant investigation. Intrusion detection rules should flag repeated VF initialization attempts from unprivileged contexts if they correlate with system hangs. Host-level hypervisor logs may record unexpected guest-initiated resets or device errors tied to network function assignment.

Why prioritize this

While the CVSS score of 5.5 (Medium) reflects local-only exploitability, the deterministic and immediate denial-of-service impact on virtualized environments warrants prioritization for organizations running multi-tenant or containerized workloads on affected hardware. The flaw is straightforward to trigger and requires no special exploit code—routine VF initialization may expose it. Patching should be elevated if the affected system hosts production VMs or containers.

Risk score, explained

CVSS 5.5 (Medium) reflects: local attack vector (AV:L), low attack complexity (AC:L), low privilege requirement (PR:L), no user interaction needed (UI:N), and high availability impact (A:H). The score appropriately captures that only local actors with some privileges can trigger the flaw, but the outcome—system hang—is severe and deterministic. No confidentiality or integrity impact is present, limiting the score.

Frequently asked questions

Can a remote attacker exploit this vulnerability?

No. The attack vector is strictly local. An attacker must have execution context on the affected host or inside a guest virtual machine to trigger VF initialization. There is no network-accessible component.

Does this affect all Linux systems or only those with specific hardware?

Only Linux systems running the libwx network driver are affected. Typical client systems or servers without libwx hardware will not be impacted. Check whether libwx drivers are loaded using lspci and modinfo.

If we disable virtual functions on our hosts, are we safe?

Disabling VF functionality prevents the initialization code path that triggers this flaw, effectively mitigating the risk. However, patching is the proper long-term solution. Disabling VF should only be a temporary measure if patching is delayed.

What is the difference between a PF and VF in this context?

A Physical Function (PF) is the native driver controlling the hardware directly and can access all registers including restricted ones. A Virtual Function (VF) is a virtualized network interface assigned to a guest or container and should not access PF-restricted registers. This vulnerability occurs because the driver fails to properly prevent a VF from attempting to read a PF-only register.

This analysis is provided for informational purposes and is based on source data current as of the vulnerability publication date. Actual impact and patch availability vary by Linux distribution, kernel version, and hardware configuration. Verify all patch versions, affected kernel series, and mitigation steps directly against official Linux kernel security advisories and your vendor's release notes before taking remediation action. SEC.co does not warrant the completeness or accuracy of specific version numbers or patch guidance without confirmation from authoritative vendor sources. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Affected vendors

Related vulnerabilities