GHSA-FGXX-JH4J-VGPG
Vulnerability from github – Published: 2026-05-27 15:33 – Updated: 2026-05-27 15:33In the Linux kernel, the following vulnerability has been resolved:
fbnic: close fw_log race between users and teardown
Fixes a theoretical race on fw_log between the teardown path and fw_log write functions.
fw_log is written inside fbnic_fw_log_write() and can be reached from the mailbox handler fbnic_fw_msix_intr(), but fw_log is freed before IRQ/MBX teardown during cleanup, resulting in a potential data race of dereferencing a freed/null variable.
Possible Interleaving Scenario: CPU0: fbnic_fw_msix_intr() // Entry fbnic_fw_log_write() if (fbnic_fw_log_ready()) // true ... preempt ... CPU1: fbnic_remove() // Entry fbnic_fw_log_free() vfree(log->data_start); log->data_start = NULL; CPU0: continues, walks log->entries or writes to log->data_start
The initialization also has an incorrect order problem, as the fw_log is currently allocated after MBX setup during initialization. Fix the problems by adjusting the synchronization order to put initialization in place before the mailbox is enabled, and not cleared until after the mailbox has been disabled.
{
"affected": [],
"aliases": [
"CVE-2026-45977"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-27T14:17:14Z",
"severity": null
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbnic: close fw_log race between users and teardown\n\nFixes a theoretical race on fw_log between the teardown path and fw_log\nwrite functions.\n\nfw_log is written inside fbnic_fw_log_write() and can be reached from\nthe mailbox handler fbnic_fw_msix_intr(), but fw_log is freed before\nIRQ/MBX teardown during cleanup, resulting in a potential data race of\ndereferencing a freed/null variable.\n\nPossible Interleaving Scenario:\n CPU0: fbnic_fw_msix_intr() // Entry\n fbnic_fw_log_write()\n if (fbnic_fw_log_ready()) // true\n ... preempt ...\n CPU1: fbnic_remove() // Entry\n fbnic_fw_log_free()\n vfree(log-\u003edata_start);\n log-\u003edata_start = NULL;\n CPU0: continues, walks log-\u003eentries or writes to log-\u003edata_start\n\nThe initialization also has an incorrect order problem, as the fw_log\nis currently allocated after MBX setup during initialization.\nFix the problems by adjusting the synchronization order to put\ninitialization in place before the mailbox is enabled, and not cleared\nuntil after the mailbox has been disabled.",
"id": "GHSA-fgxx-jh4j-vgpg",
"modified": "2026-05-27T15:33:19Z",
"published": "2026-05-27T15:33:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45977"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/223cfef4812bdfa5ac5c1aa761cdba03cfe2c9cd"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/5f10ab3643c58a22fbaee92c4701b00fcb4a465d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ee5492fd88cfc079c19fbeac78e9e53b7f6c04f3"
}
],
"schema_version": "1.4.0",
"severity": []
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.