CVE-2026-46188: Linux Octeon EP VF NULL Pointer Dereference Denial of Service
A flaw exists in the Linux kernel's Cavium Octeon EP VF driver where a memory allocation function can fail but the code doesn't check for failure. When this happens, the driver tries to use the failed allocation as if it were valid, causing the system to crash. This is a local issue requiring user-level access to trigger.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-476
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: octeon_ep_vf: add NULL check for napi_build_skb() napi_build_skb() can return NULL on allocation failure. In __octep_vf_oq_process_rx(), the result is used directly without a NULL check in both the single-buffer and multi-fragment paths, leading to a NULL pointer dereference. Add NULL checks after both napi_build_skb() calls, properly advancing descriptors and consuming remaining fragments on failure.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46188 is a NULL pointer dereference vulnerability in the octeon_ep_vf driver's receive queue processing function (__octep_vf_oq_process_rx()). The napi_build_skb() function can return NULL when memory allocation fails, but the driver fails to validate the return value before dereferencing it in both single-buffer and multi-fragment code paths. When triggered, this leads to a kernel NULL pointer dereference and denial of service. The vulnerability is classified as CWE-476 (NULL Pointer Dereference).
Business impact
This vulnerability primarily affects availability. A local attacker or unprivileged user on a system running the affected kernel with Octeon EP VF network devices can trigger a kernel crash or hang, resulting in service disruption. This is most relevant to organizations operating specialized networking appliances or embedded systems based on Cavium Octeon processors, or larger deployments where such hardware is used in edge or specialty networking roles.
Affected systems
Linux kernel systems with the octeon_ep_vf driver enabled, typically found on Cavium Octeon-based networking and telecommunications equipment. Standard Linux distributions on x86 or ARM servers are not affected unless specifically compiled with Octeon EP VF support. Affected versions are those where the NULL check fix has not been applied; consult kernel release notes and vendor advisories for specific kernel versions and distributions impacted.
Exploitability
Exploitability is moderate with a low bar to entry. The vulnerability requires local access (CWE-476 with local attack vector) and can be triggered by an unprivileged user through normal network device interaction or traffic processing. No authentication or special privileges are required beyond local user access. However, impact is limited to denial of service; there is no data exposure or privilege escalation potential.
Remediation
Apply the Linux kernel patch that adds NULL checks after both napi_build_skb() calls in __octep_vf_oq_process_rx(), ensuring proper descriptor advancement and fragment consumption on allocation failure. This fix prevents the NULL pointer dereference and allows graceful handling of memory pressure conditions.
Patch guidance
Update the Linux kernel to a version that includes the octeon_ep_vf NULL check fix. Verify the specific kernel version in your distribution's security advisory, as backport timing varies. For mainline kernel users, the fix is available in post-resolution kernel releases. Test patches in a staging environment before production deployment to ensure network performance is unaffected on systems with Octeon EP VF hardware.
Detection guidance
Monitor system logs for kernel panic or oops messages referencing __octep_vf_oq_process_rx() or the octeon_ep_vf driver. Kernel crash dumps will show a NULL pointer dereference in the receive path. On systems with this hardware, enable kernel debugging and watchdog alerts for unexpected reboots or network device driver failures. Intrusion detection systems cannot meaningfully detect this as it stems from internal driver logic rather than external network patterns.
Why prioritize this
Though rated MEDIUM severity, prioritize this for Octeon EP VF systems because the fix is straightforward, the trigger is easy for local users, and unplanned kernel crashes directly impact service continuity. Organizations running Octeon-based network appliances should treat this as higher relative priority within their infrastructure. Standard Linux servers without Octeon hardware can address this in routine patching cycles.
Risk score, explained
CVSS 3.1 score of 5.5 (MEDIUM) reflects the local attack vector and high availability impact balanced against the requirement for local access and lack of confidentiality or integrity consequences. The score appropriately captures a denial-of-service scenario triggered by resource exhaustion or normal driver operation during memory pressure, without privilege escalation or data breach risk.
Frequently asked questions
Does this affect my Linux server?
Only if your system has a Cavium Octeon EP VF network device and the octeon_ep_vf driver is loaded. Check your hardware inventory and kernel configuration (grep octeon_ep_vf /boot/config-$(uname -r)). Most standard servers, cloud instances, and desktop Linux systems are not affected.
Can this be exploited remotely?
No. This is a local vulnerability requiring an attacker to have user-level access to the affected system. Remote network traffic alone cannot trigger the NULL pointer dereference.
What is the impact if this is triggered?
The affected system will experience a kernel crash or hang, leading to an unplanned reboot or service outage. There is no data theft, privilege escalation, or permanent system damage; rebooting restores functionality until the patch is applied.
How urgent is patching this?
If you operate Octeon EP VF-based hardware, patch within your next scheduled maintenance window or within 30 days, whichever is sooner. For systems without this hardware, apply during regular patching cycles. Organizations with tight uptime requirements should test patches immediately.
This analysis is based on published vulnerability information as of the date shown. Verify specific affected kernel versions, patch availability, and vendor guidance directly with the Linux kernel maintainers, your distribution vendor, and Cavium. No exploit code or proof-of-concept is provided. Test all patches in non-production environments before deployment. SEC.co makes no warranty as to the completeness or accuracy of this intelligence and recommends consulting official vendor advisories for definitive remediation details. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2026-46118MEDIUMLinux Kernel PAPR Hypervisor Pipe Null Pointer Dereference (POWER Systems)
- CVE-2026-46127MEDIUMLinux Kernel OCRDMA Null Pointer Dereference (DoS)
- CVE-2026-46134MEDIUMLinux Kernel cros_ec Mutex Initialization DoS Vulnerability
- CVE-2026-46211MEDIUMLinux Kernel MSM DRM NULL Pointer and Silent Error in gem_info_get_metadata
- CVE-2026-46216MEDIUMLinux Intel Arc GPU NULL Pointer Dereference (HDCP)
- CVE-2026-46222MEDIUMLinux Rockchip RKCam Driver Null Pointer Dereference
- CVE-2026-46233MEDIUMLinux Kernel Batman-adv Null Pointer Dereference Denial of Service