CVE-2026-43260 (GCVE-0-2026-43260)

Vulnerability from cvelistv5 – Published: 2026-05-06 11:28 – Updated: 2026-05-06 11:28
VLAI?
Title
bnxt_en: Fix RSS context delete logic
Summary
In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix RSS context delete logic We need to free the corresponding RSS context VNIC in FW everytime an RSS context is deleted in driver. Commit 667ac333dbb7 added a check to delete the VNIC in FW only when netif_running() is true to help delete RSS contexts with interface down. Having that condition will make the driver leak VNICs in FW whenever close() happens with active RSS contexts. On the subsequent open(), as part of RSS context restoration, we will end up trying to create extra VNICs for which we did not make any reservation. FW can fail this request, thereby making us lose active RSS contexts. Suppose an RSS context is deleted already and we try to process a delete request again, then the HWRM functions will check for validity of the request and they simply return if the resource is already freed. So, even for delete-when-down cases, netif_running() check is not necessary. Remove the netif_running() condition check when deleting an RSS context.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 667ac333dbb7e265b3f5bc4bc94e236f64682c86 , < 348a5f8d06c7bdf954e13c17ad5f80b59a075604 (git)
Affected: 667ac333dbb7e265b3f5bc4bc94e236f64682c86 , < 079986d6db1f8e3d50c55f400cf998ac9690d2c8 (git)
Affected: 667ac333dbb7e265b3f5bc4bc94e236f64682c86 , < 9a9b89eea4a9cc7726702946ff688d716962fabd (git)
Affected: 667ac333dbb7e265b3f5bc4bc94e236f64682c86 , < e123d9302d223767bd910bfbcfe607bae909f8ac (git)
Create a notification for this product.
    Linux Linux Affected: 6.11
Unaffected: 0 , < 6.11 (semver)
Unaffected: 6.12.75 , ≤ 6.12.* (semver)
Unaffected: 6.18.16 , ≤ 6.18.* (semver)
Unaffected: 6.19.6 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/broadcom/bnxt/bnxt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "348a5f8d06c7bdf954e13c17ad5f80b59a075604",
              "status": "affected",
              "version": "667ac333dbb7e265b3f5bc4bc94e236f64682c86",
              "versionType": "git"
            },
            {
              "lessThan": "079986d6db1f8e3d50c55f400cf998ac9690d2c8",
              "status": "affected",
              "version": "667ac333dbb7e265b3f5bc4bc94e236f64682c86",
              "versionType": "git"
            },
            {
              "lessThan": "9a9b89eea4a9cc7726702946ff688d716962fabd",
              "status": "affected",
              "version": "667ac333dbb7e265b3f5bc4bc94e236f64682c86",
              "versionType": "git"
            },
            {
              "lessThan": "e123d9302d223767bd910bfbcfe607bae909f8ac",
              "status": "affected",
              "version": "667ac333dbb7e265b3f5bc4bc94e236f64682c86",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/broadcom/bnxt/bnxt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.75",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.16",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.6",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix RSS context delete logic\n\nWe need to free the corresponding RSS context VNIC\nin FW everytime an RSS context is deleted in driver.\nCommit 667ac333dbb7 added a check to delete the VNIC\nin FW only when netif_running() is true to help delete\nRSS contexts with interface down.\n\nHaving that condition will make the driver leak VNICs\nin FW whenever close() happens with active RSS contexts.\nOn the subsequent open(), as part of RSS context restoration,\nwe will end up trying to create extra VNICs for which we\ndid not make any reservation. FW can fail this request,\nthereby making us lose active RSS contexts.\n\nSuppose an RSS context is deleted already and we try to\nprocess a delete request again, then the HWRM functions\nwill check for validity of the request and they simply\nreturn if the resource is already freed. So, even for\ndelete-when-down cases, netif_running() check is not\nnecessary.\n\nRemove the netif_running() condition check when deleting\nan RSS context."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-06T11:28:48.113Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/348a5f8d06c7bdf954e13c17ad5f80b59a075604"
        },
        {
          "url": "https://git.kernel.org/stable/c/079986d6db1f8e3d50c55f400cf998ac9690d2c8"
        },
        {
          "url": "https://git.kernel.org/stable/c/9a9b89eea4a9cc7726702946ff688d716962fabd"
        },
        {
          "url": "https://git.kernel.org/stable/c/e123d9302d223767bd910bfbcfe607bae909f8ac"
        }
      ],
      "title": "bnxt_en: Fix RSS context delete logic",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43260",
    "datePublished": "2026-05-06T11:28:48.113Z",
    "dateReserved": "2026-05-01T14:12:55.997Z",
    "dateUpdated": "2026-05-06T11:28:48.113Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-43260\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-06T12:16:46.883\",\"lastModified\":\"2026-05-06T13:07:51.607\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nbnxt_en: Fix RSS context delete logic\\n\\nWe need to free the corresponding RSS context VNIC\\nin FW everytime an RSS context is deleted in driver.\\nCommit 667ac333dbb7 added a check to delete the VNIC\\nin FW only when netif_running() is true to help delete\\nRSS contexts with interface down.\\n\\nHaving that condition will make the driver leak VNICs\\nin FW whenever close() happens with active RSS contexts.\\nOn the subsequent open(), as part of RSS context restoration,\\nwe will end up trying to create extra VNICs for which we\\ndid not make any reservation. FW can fail this request,\\nthereby making us lose active RSS contexts.\\n\\nSuppose an RSS context is deleted already and we try to\\nprocess a delete request again, then the HWRM functions\\nwill check for validity of the request and they simply\\nreturn if the resource is already freed. So, even for\\ndelete-when-down cases, netif_running() check is not\\nnecessary.\\n\\nRemove the netif_running() condition check when deleting\\nan RSS context.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/079986d6db1f8e3d50c55f400cf998ac9690d2c8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/348a5f8d06c7bdf954e13c17ad5f80b59a075604\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/9a9b89eea4a9cc7726702946ff688d716962fabd\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e123d9302d223767bd910bfbcfe607bae909f8ac\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.