PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-26855 Linux CVE debrief

CVE-2024-26855 is a Linux kernel availability issue in the ice driver (Intel E800-series Ethernet), in its bridge configuration path. The bug is a NULL pointer dereference in ice_bridge_setlink(): when nlmsg_find_attr() finds no matching attribute it returns NULL, and the code then hands that NULL to the nested-attribute loop. The fix adds a NULL check before entering the loop. NVD rates the issue medium severity (CVSS 5.5).

Vendor: Linux
Product: Linux kernel
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-17
Original CVE updated: 2026-05-12
Advisory published: 2024-04-17
Advisory updated: 2026-05-12

Who should care

Linux kernel maintainers, distribution security teams, and operators running affected kernel builds on hosts with Intel E800-series NICs, where the ice driver is loaded and its bridge configuration path is reachable.

Technical summary

According to the CVE description, ice_bridge_setlink() looks up an attribute with nlmsg_find_attr() and stores the result in br_spec; when the attribute is absent that result is NULL, and br_spec is then passed unchecked to nla_for_each_nested(), which reads the attribute header and crashes the kernel. NVD maps the weakness to CWE-476 and assigns CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H: a local, low-privilege trigger with availability impact only. NVD's affected version criteria cover Linux kernel releases before 5.4.272, 5.10.213, 5.15.152, 6.1.82, 6.6.22, and 6.7.10, plus 6.8-rc1 through rc6.
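The two control flows described above, as an added example that is not kernel code and not part of the original advisory: a small user-space replica of the netlink attribute layout, a lookup with the same NULL-on-absent contract as nlmsg_find_attr(), and the unchecked handler beside the checked one. The function names (find_attr, count_nested_modes, setlink_vulnerable, setlink_fixed, build_msg, run), the attribute type numbers and the sample message are all this example's own constructions.

```c
/* Added example, not kernel code: a user-space replica of the netlink attribute
 * layout, used to run the ice_bridge_setlink() bug class with the unchecked lookup
 * beside the checked one. All function names here are illustrative. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
struct nlattr {             /* same header layout as the kernel's struct nlattr */
    uint16_t nla_len;       /* header + payload, before padding */
    uint16_t nla_type;
};
#define NLA_ALIGNTO 4
#define NLA_ALIGN(len) (((len) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))
#define NLA_HDRLEN ((int)NLA_ALIGN(sizeof(struct nlattr)))
enum { ATTR_OTHER = 1, ATTR_BRIDGE_MODE = 2, ATTR_AF_SPEC = 26 };   /* constructed ids */

/* First attribute of `type` in a flat stream, or NULL when absent (the contract of
 * nlmsg_find_attr()). A bad length stops the walk instead of reading past `len`. */
static const struct nlattr *find_attr(const uint8_t *buf, size_t len, uint16_t type)
{
    size_t off = 0;
    while (off + NLA_HDRLEN <= len) {
        const struct nlattr *a = (const struct nlattr *)(buf + off);
        if (a->nla_len < NLA_HDRLEN || off + a->nla_len > len)
            return NULL;
        if (a->nla_type == type)
            return a;
        off += NLA_ALIGN(a->nla_len);
    }
    return NULL;
}

/* Count bridge-mode entries nested in `container`, walking them as the kernel's
 * nla_for_each_nested() does. The first statement reads container->nla_len;
 * with a NULL container that read is the crash the CVE describes. */
static int count_nested_modes(const struct nlattr *container)
{
    int rem = container->nla_len - NLA_HDRLEN, n = 0;
    const uint8_t *p = (const uint8_t *)container + NLA_HDRLEN;
    while (rem >= NLA_HDRLEN) {
        const struct nlattr *a = (const struct nlattr *)p;
        if (a->nla_len < NLA_HDRLEN || a->nla_len > rem)
            break;
        if (a->nla_type == ATTR_BRIDGE_MODE)
            n++;
        p += NLA_ALIGN(a->nla_len);
        rem -= NLA_ALIGN(a->nla_len);
    }
    return n;
}

/* Pre-fix shape: the lookup result goes straight into the nested loop. */
static int setlink_vulnerable(const uint8_t *msg, size_t len)
{
    const struct nlattr *br_spec = find_attr(msg, len, ATTR_AF_SPEC);
    return count_nested_modes(br_spec);     /* NULL dereference when AF_SPEC is absent */
}

/* Post-fix shape: refuse before iterating. The advisory describes only the check;
 * returning -EINVAL is this example's choice. */
static int setlink_fixed(const uint8_t *msg, size_t len)
{
    const struct nlattr *br_spec = find_attr(msg, len, ATTR_AF_SPEC);
    if (!br_spec)
        return -EINVAL;
    return count_nested_modes(br_spec);
}

/* Append one attribute at *off (header, payload, padding); returns the header offset. */
static size_t put_attr(uint8_t *buf, size_t *off, uint16_t type, const void *data, uint16_t dlen)
{
    struct nlattr a = { (uint16_t)(NLA_HDRLEN + dlen), type };
    size_t start = *off;
    memcpy(buf + start, &a, sizeof a);
    if (dlen)
        memcpy(buf + start + NLA_HDRLEN, data, dlen);
    *off = start + NLA_ALIGN(a.nla_len);
    return start;
}

/* Constructed sample message (not captured traffic): one unrelated attribute, then
 * optionally an AF_SPEC container holding two bridge-mode entries. */
static size_t build_msg(uint8_t *buf, int with_af_spec)
{
    size_t off = 0;
    uint32_t ifindex = 7;
    uint16_t mode = 1;
    put_attr(buf, &off, ATTR_OTHER, &ifindex, sizeof ifindex);
    if (with_af_spec) {
        size_t start = put_attr(buf, &off, ATTR_AF_SPEC, NULL, 0);
        put_attr(buf, &off, ATTR_BRIDGE_MODE, &mode, sizeof mode);
        put_attr(buf, &off, ATTR_BRIDGE_MODE, &mode, sizeof mode);
        ((struct nlattr *)(buf + start))->nla_len = (uint16_t)(off - start); /* close it */
    }
    return off;
}

/* Build a constructed message and run one of the two handlers on it. */
static int run(int use_fixed, int with_af_spec)
{
    uint32_t words[16];                  /* 4-byte aligned backing store, 64 bytes */
    uint8_t *buf = (uint8_t *)words;
    size_t n = build_msg(buf, with_af_spec);
    return use_fixed ? setlink_fixed(buf, n) : setlink_vulnerable(buf, n);
}

int main(void)
{
    printf("fixed, AF_SPEC present: %d entries\n", run(1, 1));
    printf("fixed, AF_SPEC absent: %d (-EINVAL)\n", run(1, 0));
    return 0;   /* run(0, 0) would dereference NULL: the kernel-side oops */
}
```

With the container present both handlers count two entries; with it absent the checked handler returns -EINVAL while the unchecked one reads container->nla_len through a NULL pointer, which is why the example never calls run(0, 0). The same shape (find, check for NULL, then iterate) is the pattern to look for when auditing other netlink handlers that call nlmsg_find_attr() or nla_find().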

Defensive priority

Medium. This is a local availability issue rather than a remote code execution flaw, but a NULL dereference in the kernel takes down the whole host, not just the NIC, so it should still be patched promptly through normal kernel maintenance.

Recommended defensive actions

  • Apply the vendor or distribution kernel update that includes the ice_bridge_setlink() NULL-check fix.
  • Verify running kernel versions (uname -r) against the NVD affected-version ranges and confirm you are on a fixed release line. Distribution kernels keep their own version numbering and carry the fix as a backport, so for those rely on the distribution advisory rather than the upstream ranges.
  • If you maintain custom or backported kernels, cherry-pick the upstream stable patch for your branch.
  • Reboot into the patched kernel after installation and confirm the new build is active.
  • Review any distro or vendor advisories referenced in the NVD record for backport status and package-specific guidance.
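One way to carry out the version check in the list above, as an added example rather than anything from the advisory or the kernel tree: a classifier that parses a uname -r string, compares it with the fixed-version table NVD publishes for this CVE, and refuses to judge distribution-numbered builds. The verdict enum, fixed_lines table, parse_release(), classify() and verdict_name() are this example's own names.

```c
/* Added example, not from the advisory or the kernel tree: classify a kernel
 * release string against the fixed-version lines NVD lists for CVE-2024-26855.
 * The table, parse_release() and classify() are this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/utsname.h>

enum verdict { V_VULNERABLE = 0, V_FIXED = 1, V_UNKNOWN = -1 };

/* First fixed release per upstream stable line, from the NVD affected ranges. */
static const struct { int major, minor, patch; } fixed_lines[] = {
    {5, 4, 272}, {5, 10, 213}, {5, 15, 152}, {6, 1, 82}, {6, 6, 22}, {6, 7, 10},
};

/* Parse "MAJOR.MINOR[.PATCH][-rcN][-suffix]" as printed by uname -r. Returns 0 when
 * the string does not start with MAJOR.MINOR; rc stays 0 unless "-rcN" is present. */
static int parse_release(const char *s, int *maj, int *min, int *pat, int *rc)
{
    char *end;
    const char *rcp;
    *pat = 0;
    *rc = 0;
    *maj = (int)strtol(s, &end, 10);
    if (end == s || *end != '.')
        return 0;
    s = end + 1;
    *min = (int)strtol(s, &end, 10);
    if (end == s)
        return 0;
    if (*end == '.') {
        s = end + 1;
        *pat = (int)strtol(s, &end, 10);
        if (end == s)
            return 0;
    }
    rcp = strstr(end, "-rc");
    if (rcp)
        *rc = (int)strtol(rcp + 3, NULL, 10);
    return 1;
}

static enum verdict classify(const char *release)
{
    int maj, min, pat, rc;
    size_t i;
    if (!parse_release(release, &maj, &min, &pat, &rc))
        return V_UNKNOWN;
    /* Distribution kernels (5.15.0-91-generic, 5.14.0-427.el9, ...) keep patch level 0
     * and carry backports under their own numbering: only the distro advisory can
     * answer for them, so do not compare them with the upstream table. */
    if (pat == 0 && rc == 0 && strchr(release, '-'))
        return V_UNKNOWN;
    for (i = 0; i < sizeof fixed_lines / sizeof fixed_lines[0]; i++)
        if (fixed_lines[i].major == maj && fixed_lines[i].minor == min)
            return pat >= fixed_lines[i].patch ? V_FIXED : V_VULNERABLE;
    if (maj == 6 && min == 8)               /* NVD lists 6.8-rc1 through rc6 */
        return (rc >= 1 && rc <= 6) ? V_VULNERABLE : V_FIXED;
    if (maj > 6 || (maj == 6 && min > 8))   /* lines released after the fix landed */
        return V_FIXED;
    return V_UNKNOWN;                       /* older line, not covered by the NVD ranges */
}

static const char *verdict_name(enum verdict v)
{
    if (v == V_FIXED)
        return "fixed";
    if (v == V_VULNERABLE)
        return "vulnerable";
    return "unknown, check the distribution advisory";
}

int main(int argc, char **argv)
{
    struct utsname u;
    const char *release = argc > 1 ? argv[1] : (uname(&u) == 0 ? u.release : "");
    printf("%s: %s\n", release, verdict_name(classify(release)));
    return classify(release) == V_FIXED ? 0 : 1;
}
```

Run it with no argument to classify the running kernel, or pass a release string to check a fleet inventory offline. An "unknown" verdict is deliberate for distribution builds: a 5.15.0-91-generic kernel may well contain the backport, and only the distro's advisory can say so. Note also that the check confirms the version, not whether the ice module is actually loaded on the host.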

Evidence notes

Source evidence ties the issue to a NULL pointer dereference in ice_bridge_setlink() and identifies the fix as a NULL check before nla_for_each_nested(). NVD lists CWE-476, CVSS 5.5 with local/low-privilege availability impact, and provides multiple stable kernel patch references plus mailing-list/vendor references. No KEV entry is present in the supplied data.

Official resources

Publicly published in the CVE/NVD record on 2024-04-17, with the NVD entry later modified on 2026-05-12 to add or update references and version criteria. Use the published date for incident timing.