Vulnerabilities ›

CVE-2026-43260

High

CWE-415 — Weakness Type

                    Published: May 6, 2026                      ·  Modified: May 13, 2026                      ·  Source: NVD                

CVSS v3

7.8

🔗 NVD Official

📄 Description (English)

In the Linux kernel, the following vulnerability has been resolved:

bnxt_en: Fix RSS context delete logic

We need to free the corresponding RSS context VNIC
in FW everytime an RSS context is deleted in driver.
Commit 667ac333dbb7 added a check to delete the VNIC
in FW only when netif_running() is true to help delete
RSS contexts with interface down.

Having that condition will make the driver leak VNICs
in FW whenever close() happens with active RSS contexts.
On the subsequent open(), as part of RSS context restoration,
we will end up trying to create extra VNICs for which we
did not make any reservation. FW can fail this request,
thereby making us lose active RSS contexts.

Suppose an RSS context is deleted already and we try to
process a delete request again, then the HWRM functions
will check for validity of the request and they simply
return if the resource is already freed. So, even for
delete-when-down cases, netif_running() check is not
necessary.

Remove the netif_running() condition check when deleting
an RSS context.

🤖 AI Executive Summary

A resource leak vulnerability in the Linux kernel's Broadcom NetXtreme driver (bnxt_en) causes Virtual Network Interface Cards (VNICs) to remain allocated in firmware when RSS contexts are deleted with the interface down. This can lead to firmware resource exhaustion, failed RSS context restoration, and potential denial of service on systems using affected Broadcom network adapters. The vulnerability requires a kernel patch to resolve.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 10, 2026 19:20

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability primarily affects Saudi organizations operating data centers, cloud infrastructure, and telecommunications networks utilizing Broadcom NetXtreme network adapters (common in enterprise servers). High-risk sectors include: (1) Banking and Financial Services (SAMA-regulated institutions) relying on high-performance network infrastructure for transaction processing; (2) Government entities (NCA oversight) operating critical infrastructure; (3) Telecommunications providers (STC, Mobily, Zain) managing network backbone equipment; (4) Energy sector (Saudi Aramco, SEC) operating SCADA and industrial networks; (5) Healthcare institutions managing patient data networks. The resource leak can cause intermittent network failures, RSS context loss, and potential service disruptions during routine maintenance windows when interfaces are brought down.

🏢 Affected Saudi Sectors

Banking and Financial Services Government and Public Administration Telecommunications Energy and Utilities Healthcare Data Centers and Cloud Infrastructure Critical Infrastructure

🎯 MITRE ATT&CK Techniques

T1499 - Endpoint Denial of Service T1561 - Disk Wipe T1529 - System Shutdown/Reboot T1657 - Financial Theft

⚖️ Saudi Risk Score (AI)

6.8

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Identify systems running Linux kernel versions affected by CVE-2026-43260 using: uname -r and cross-reference with kernel release notes

2. Audit network interface restart logs to identify potential VNIC leaks: grep -i 'rss\|vnic' /var/log/kernel.log

3. Monitor firmware resource utilization on Broadcom adapters using ethtool diagnostics



PATCHING GUIDANCE:

1. Apply the latest Linux kernel security patch that removes the netif_running() condition check in bnxt_en RSS context deletion logic

2. Test patches in non-production environment first, particularly for systems with active RSS contexts

3. Schedule kernel updates during maintenance windows to avoid service disruption

4. Verify RSS context functionality post-patch using: ethtool -x <interface>



COMPENSATING CONTROLS (if immediate patching not possible):

1. Minimize interface down/up cycles by avoiding unnecessary network restarts

2. Implement monitoring for VNIC resource exhaustion alerts from network adapters

3. Implement automated interface state management to prevent cascading failures

4. Monitor RSS context creation failures in application logs



DETECTION RULES:

1. Alert on repeated 'RSS context creation failed' messages in kernel logs

2. Monitor for HWRM firmware command failures related to VNIC operations

3. Track interface state changes and correlate with RSS context loss events

4. Baseline and alert on firmware resource utilization anomalies

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تحديد الأنظمة التي تقوم بتشغيل إصدارات نواة Linux المتأثرة باستخدام: uname -r والتحقق المرجعي مع ملاحظات إصدار النواة

2. تدقيق سجلات إعادة تشغيل واجهة الشبكة لتحديد تسرب VNICs المحتمل: grep -i 'rss\|vnic' /var/log/kernel.log

3. مراقبة استخدام موارد البرنامج الثابت على محولات Broadcom باستخدام تشخيصات ethtool

إرشادات التصحيح:

1. تطبيق أحدث تصحيح أمان نواة Linux الذي يزيل فحص شرط netif_running() في منطق حذف سياق RSS في bnxt_en

2. اختبار التصحيحات في بيئة غير الإنتاج أولاً، خاصة للأنظمة ذات سياقات RSS النشطة

3. جدولة تحديثات النواة خلال نوافذ الصيانة لتجنب انقطاع الخدمة

4. التحقق من وظيفة سياق RSS بعد التصحيح باستخدام: ethtool -x <interface>

الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):

1. تقليل دورات توقف/تشغيل الواجهة بتجنب إعادة تشغيل الشبكة غير الضرورية

2. تنفيذ مراقبة لتنبيهات استنزاف موارد VNIC من محولات الشبكة

3. تنفيذ إدارة حالة واجهة آلية لمنع الأعطال المتسلسلة

4. مراقبة فشل إنشاء سياق RSS في سجلات التطبيق

قواعد الكشف:

1. تنبيه على رسائل 'فشل إنشاء سياق RSS' المتكررة في سجلات النواة

2. مراقبة فشل أوامر البرنامج الثابت HWRM المتعلقة بعمليات VNIC

3. تتبع تغييرات حالة الواجهة والربط بأحداث فقدان سياق RSS

4. خط الأساس والتنبيه على شذوذ استخدام موارد البرنامج الثابت

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.12.6.1 - Management of technical vulnerabilities ECC 2024 A.14.2.1 - Secure development policy ECC 2024 A.12.3.1 - Configuration management

🔵 SAMA CSF

SAMA CSF ID.BE-5.1 - Cybersecurity risk management strategy SAMA CSF PR.IP-12 - Software, firmware, and information integrity mechanisms SAMA CSF DE.CM-1 - The network is monitored to detect potential cybersecurity events

🟡 ISO 27001:2022

ISO 27001:2022 A.12.2.1 - Implementation of technical and organizational measures ISO 27001:2022 A.14.2.3 - System acceptance testing ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities

🟣 PCI DSS v4.0.1

PCI DSS 6.2 - Ensure that all system components and software are protected from known vulnerabilities

🔗 References & Sources 4

🔗

https://git.kernel.org/stable/c/079986d6db1f8e3d50c55f400cf998ac9690d2c8

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Patch

🔗

https://git.kernel.org/stable/c/348a5f8d06c7bdf954e13c17ad5f80b59a075604

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Patch

🔗

https://git.kernel.org/stable/c/9a9b89eea4a9cc7726702946ff688d716962fabd

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Patch

🔗

https://git.kernel.org/stable/c/e123d9302d223767bd910bfbcfe607bae909f8ac

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Patch

📦 Affected Products / CPE 4 entries

linux:linux_kernel

linux:linux_kernel:7.0

📊 CVSS Score

7.8

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorL — Low / Local

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score7.8

CWECWE-415

EPSS0.01%

Exploit No

Patch ✓ Yes

Published 2026-05-06

Source Feed nvd

🇸🇦 Saudi Risk Score

6.8

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

patch-available CWE-415

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-43260

💬 Comments

Introduce Yourself

Sign In Required