MEDIUM 5.5

CVE-2026-46287: Linux txgbe Driver RTNL Locking Defect

The Linux kernel's txgbe network driver has a defect in how it disconnects from external PHY (Physical Layer transceiver) devices when the driver module is unloaded. When users remove the txgbe module, the driver attempts to disconnect the PHY without first acquiring the RTNL (Real-Time Netlink) lock, which is required by the kernel's phylink subsystem. This causes a kernel assertion failure and warning message, though it does not directly compromise system security or data. The fix involves wrapping the disconnect call with proper locking.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-617
Affected products
1 configuration(s)
Published / Modified
2026-06-08 / 2026-07-08

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: net: txgbe: fix RTNL assertion warning when remove module For the copper NIC with external PHY, the driver called phylink_connect_phy() during probe and phylink_disconnect_phy() during remove. It caused an RTNL assertion warning in phylink_disconnect_phy() upon module remove. To fix this, add rtnl_lock() and rtnl_unlock() around the phylink_disconnect_phy() in remove function. ------------[ cut here ]------------ RTNL: assertion failed at drivers/net/phy/phylink.c (2351) WARNING: drivers/net/phy/phylink.c:2351 at phylink_disconnect_phy+0xd8/0xf0 [phylink], CPU#0: rmmod/4464 Modules linked in: ... CPU: 0 UID: 0 PID: 4464 Comm: rmmod Kdump: loaded Not tainted 7.0.0-rc4+ Hardware name: Micro-Star International Co., Ltd. MS-7E16/X670E GAMING PLUS WIFI (MS-7E16), BIOS 1.90 12/31/2024 RIP: 0010:phylink_disconnect_phy+0xe4/0xf0 [phylink] Code: 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 31 d2 31 f6 31 ff e9 3a 38 8f e7 48 8d 3d 48 87 e2 ff ba 2f 09 00 00 48 c7 c6 c1 22 24 c0 <67> 48 0f b9 3a e9 34 ff ff ff 66 90 90 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffce7288363ac0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff89654b2a1a00 RCX: 0000000000000000 RDX: 000000000000092f RSI: ffffffffc02422c1 RDI: ffffffffc0239020 RBP: ffffce7288363ae8 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff8964c4022000 R13: ffff89654fce3028 R14: ffff89654ebb4000 R15: ffffffffc0226348 FS: 0000795e80d93780(0000) GS:ffff896c52857000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005b528b592000 CR3: 0000000170d0f000 CR4: 0000000000f50ef0 PKRU: 55555554 Call Trace: <TASK> txgbe_remove_phy+0xbb/0xd0 [txgbe] txgbe_remove+0x4c/0xb0 [txgbe] pci_device_remove+0x41/0xb0 device_remove+0x43/0x80 device_release_driver_internal+0x206/0x270 driver_detach+0x4a/0xa0 bus_remove_driver+0x83/0x120 driver_unregister+0x2f/0x60 pci_unregister_driver+0x40/0x90 txgbe_driver_exit+0x10/0x850 [txgbe] __do_sys_delete_module.isra.0+0x1c3/0x2f0 __x64_sys_delete_module+0x12/0x20 x64_sys_call+0x20c3/0x2390 do_syscall_64+0x11c/0x1500 ? srso_alias_return_thunk+0x5/0xfbef5 ? do_syscall_64+0x15a/0x1500 ? srso_alias_return_thunk+0x5/0xfbef5 ? do_fault+0x312/0x580 ? srso_alias_return_thunk+0x5/0xfbef5 ? __handle_mm_fault+0x9d5/0x1040 ? srso_alias_return_thunk+0x5/0xfbef5 ? count_memcg_events+0x101/0x1d0 ? srso_alias_return_thunk+0x5/0xfbef5 ? handle_mm_fault+0x1e8/0x2f0 ? srso_alias_return_thunk+0x5/0xfbef5 ? do_user_addr_fault+0x2f8/0x820 ? srso_alias_return_thunk+0x5/0xfbef5 ? irqentry_exit+0xb2/0x600 ? srso_alias_return_thunk+0x5/0xfbef5 ? exc_page_fault+0x92/0x1c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46287 is a kernel synchronization bug in the txgbe driver's module removal path. The driver calls phylink_disconnect_phy() in its remove function without holding the RTNL mutex, violating phylink's locking contract documented at phylink.c line 2351. The assertion warning occurs because phylink_disconnect_phy() expects callers to hold rtnl_lock(). The copper NIC variant with external PHY is affected; integrated PHYs do not trigger this code path during probe/remove. Kernel versions 7.0-rc4 and likely earlier show evidence of the bug in kernel logs. The remediation requires adding rtnl_lock() and rtnl_unlock() calls around the phylink_disconnect_phy() invocation in the txgbe_remove_phy() function.

Business impact

This vulnerability primarily affects system stability and operational visibility rather than security posture. Administrators unloading the txgbe module will encounter repeated kernel warnings, potentially filling system logs and complicating troubleshooting. The warning does not cause data loss or kernel panic under normal circumstances, but repeated warnings can mask other important kernel messages and create noise in monitoring systems. Organizations managing large fleets of systems with Micro-Star X670E motherboards or other hardware using txgbe controllers may experience increased support burden. The medium CVSS score (5.5) reflects the local-only requirement and absence of confidentiality or integrity impact.

Affected systems

The Linux kernel is affected. The txgbe driver code path is triggered on systems with Micro-Star X670E GAMING PLUS WIFI motherboards and equivalent hardware using copper-based NIC with external PHY configuration. Kernel versions at or near 7.0-rc4 (and likely earlier releases) contain the vulnerable code. Systems using txgbe controllers with integrated PHYs, or users who do not unload the driver module, do not encounter this issue. The vulnerability is not present in driver-only patches but requires kernel code remediation.

Exploitability

Exploitability is minimal. The vulnerability requires local access and the ability to execute module unload operations (typically requiring root or CAP_SYS_MODULE capability). An unprivileged user cannot trigger the assertion. The bug manifests as a kernel warning rather than a crash or privilege escalation vector. An attacker with local administrative access could deliberately trigger the warning to fill system logs (denial-of-service against log infrastructure), but this is not a practical attack vector compared to other kernel DoS methods. No user-space exploit or weaponized proof-of-concept is known.

Remediation

The Linux kernel project has resolved this by adding proper RTNL locking in the txgbe driver's remove path. Administrators should apply kernel updates that include the phylink and txgbe synchronization fixes, particularly patches addressing the RTNL assertion in phylink_disconnect_phy(). Verify against official kernel.org security advisories and your Linux distribution's kernel release notes for the exact patch version. Interim mitigation consists of avoiding repeated module unload/reload cycles on affected hardware, though this provides no security benefit.

Patch guidance

Check your distribution's kernel security advisories and release notes for patches merged after the CVE publication date (2026-06-08). The fix involves commits to the txgbe driver and phylink subsystem adding rtnl_lock()/rtnl_unlock() around the disconnect call. Verify the specific kernel version against your vendor's advisory—Ubuntu, RHEL, Debian, and other distributions backport fixes at different release cadences. Automated patch management systems should prioritize kernel updates flagged for this CVE, though the medium severity should not override critical or high-severity patches in deployment order.

Detection guidance

Monitor kernel logs (dmesg, journalctl) for the specific warning: 'RTNL: assertion failed at drivers/net/phy/phylink.c (2351)' or 'phylink_disconnect_phy' warnings. Check system logs during module operations or driver reload cycles. Automated log analysis can alert on this pattern. This is not a runtime exploitation indicator but rather a module lifecycle event, so log-based detection is primarily useful for confirming exposure and validating patches post-deployment. Network behavior is unaffected; IDS/IPS systems will not detect this vulnerability.

Why prioritize this

Despite the medium CVSS score, this vulnerability warrants prompt but not emergency remediation. The local-only requirement and lack of confidentiality/integrity impact mean it poses no direct security risk. However, operational impact is real: system administrators deploying updates on affected hardware will encounter disruptive kernel warnings. Remediation should be scheduled within normal kernel update cycles (1–3 months), grouped with other kernel patches. Organizations heavily dependent on systems using Micro-Star X670E or equivalent txgbe hardware should prioritize slightly higher within their patch windows. Low-impact systems can defer until the next regular kernel update period.

Risk score, explained

The CVSS 3.1 score of 5.5 (Medium) is derived from: AV:L (local attack vector, module unload requires local access), AC:L (low attack complexity, unload is straightforward), PR:L (low privilege required, CAP_SYS_MODULE or root), UI:N (no user interaction needed), S:U (scope unchanged), C:N (no confidentiality impact), I:N (no integrity impact), A:H (high availability impact due to kernel warning storm potential). The score correctly captures that this is not a security vulnerability in the threat model sense but a reliability/operational defect. Organizations focused on robust audit logs and minimal noise should weight the availability component more heavily than the numerical score alone suggests.

Frequently asked questions

Will this cause my system to crash or lose data?

No. The vulnerability manifests as a kernel warning message, not a crash or panic. Your system will continue running normally, and there is no data loss risk. The warning may fill system logs if the driver is repeatedly unloaded and reloaded.

Do I need to apply this patch immediately?

This is not an emergency patch. Schedule it within your normal kernel update cycle (1–3 months). Only prioritize immediately if you manage systems heavily using txgbe hardware and perform frequent driver reloads as part of operations.

Which hardware is affected?

Systems with copper-based NIC configurations using external PHY devices, particularly Micro-Star X670E GAMING PLUS WIFI motherboards. Systems with integrated PHYs or that do not unload the txgbe driver module are not affected.

Is this a security vulnerability that could be exploited for privilege escalation or data theft?

No. This is a kernel synchronization defect that triggers a warning during driver removal. It does not expose security vulnerabilities, enable privilege escalation, or compromise data confidentiality or integrity. The low exploitability and absence of security impact make it a reliability issue rather than a security threat.

This analysis is based on the CVE record and publicly available kernel documentation as of the publication date. Patch version numbers and specific distribution timelines should be verified against official vendor advisories and kernel.org. No exploit code or weaponized proof-of-concept is provided or endorsed. Organizations should validate all patches in test environments before production deployment. This vulnerability does not represent an active threat in the CISA KEV catalog and carries no known ransomware association. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).