PatchSiren

CVE-2026-45849 Linux CVE debrief

A missing lock in the Linux kernel's MSCC Ocelot network driver could lead to race conditions during frame injection operations. The `ocelot_port_xmit_inj()` function calls `ocelot_can_inject()` and `ocelot_port_inject_frame()` without holding the required injection group lock, violating the lockdep assertions present in both called functions. The other caller, `felix_port_deferred_xmit()`, correctly acquires this lock via `ocelot_lock_inj_grp()` before invoking these functions, which indicates that the missing synchronization in `ocelot_port_xmit_inj()` is an implementation error. The FDMA (Frame DMA) path is not affected because it uses independent locking. The vulnerability was resolved by adding `ocelot_lock_inj_grp()`/`ocelot_unlock_inj_grp()` calls around the register injection path.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running Linux systems with MSCC Ocelot network hardware (Microchip VSC7511/VSC7512/VSC7513/VSC7514 Ethernet switches) in production environments, particularly those with high-throughput networking requirements or custom kernel builds enabling this driver.

Technical summary

The MSCC Ocelot network driver in the Linux kernel contains a synchronization flaw where `ocelot_port_xmit_inj()` invokes `ocelot_can_inject()` and `ocelot_port_inject_frame()` without acquiring the injection group lock. Both target functions contain `lockdep_assert_held()` validations for this lock, which are violated by the unsynchronized caller. The fix adds proper `ocelot_lock_inj_grp()`/`ocelot_unlock_inj_grp()` protection around the register injection code path. The FDMA path remains unaffected due to separate locking. Multiple stable kernel tree backports are available.
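The locking contract described above, as a deterministic userspace model added here for illustration; it is not code from the kernel or from the fix commits. It assumes a frame reaches the injection group as several consecutive word writes and that two transmit contexts alternate; `run_model`, `step`, `WORDS` and `SENDERS` are hypothetical names.

```c
/* Userspace model of the race; an added example, not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#define WORDS   4   /* words per frame (constructed value) */
#define SENDERS 2   /* two transmit contexts sharing one injection group */
struct inj_grp {
    int owner;                  /* -1: injection group lock is free */
    int unlocked_writes;        /* writes lockdep_assert_held() would flag */
    int fifo[WORDS * SENDERS];  /* words in arrival order, tagged by sender id */
    size_t n;
};
struct result { int torn_frames, unlocked_writes; };

/* One scheduler slot: sender `id` writes at most one word of its frame. */
static void step(struct inj_grp *g, int id, int *sent, bool use_lock)
{
    if (*sent == WORDS)
        return;                 /* frame already complete */
    if (use_lock && g->owner == -1)
        g->owner = id;          /* models ocelot_lock_inj_grp() */
    if (use_lock && g->owner != id)
        return;                 /* lock is held by the other sender: wait */
    if (g->owner != id)
        g->unlocked_writes++;   /* models a failed lockdep_assert_held() */
    g->fifo[g->n++] = id;
    if (++*sent == WORDS && use_lock)
        g->owner = -1;          /* models ocelot_unlock_inj_grp() */
}

/* Interleave both senders round-robin, then count frames with mixed words. */
struct result run_model(bool use_lock)
{
    struct inj_grp g = { .owner = -1 };
    int sent[SENDERS] = { 0 }, torn = 0;
    for (int i = 0; i < 2 * WORDS * SENDERS; i++)
        step(&g, i % SENDERS, &sent[i % SENDERS], use_lock);
    for (size_t f = 0; f < g.n / WORDS; f++)
        for (int w = 1; w < WORDS; w++)
            if (g.fifo[f * WORDS + w] != g.fifo[f * WORDS]) { torn++; break; }
    return (struct result){ torn, g.unlocked_writes };
}

int main(void)
{
    printf("no lock: %d torn frames, with lock: %d\n",
           run_model(false).torn_frames, run_model(true).torn_frames);
    return 0;
}
```

Without the lock, every write is one the assertion would flag and both frames end up with interleaved words; with the lock held for the whole frame, each frame is written contiguously.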

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing the referenced stable tree commits when available for your distribution
  • Verify kernel version includes fix commits: 026f6513c5880c2c89e38ad66bbec2868f978605, 0b217a40156f497e09dd20d3f7baec40c785f386, 51c32ae7fae14552d79f7139614b77c1bbd57a48, 63da961381e0d979459dede713001f8452364477, 7ac58d88
  • Monitor for kernel package updates from your Linux distribution vendor
  • If running custom kernels with MSCC Ocelot driver enabled, prioritize patching for systems handling high-throughput network traffic

Evidence notes

The CVE description explicitly identifies the missing lock protection in `ocelot_port_xmit_inj()` and references the fix adding `ocelot_lock_inj_grp()`/`ocelot_unlock_inj_grp()` around the register injection path. Six kernel.org stable tree commits are provided as references, indicating backports to multiple kernel versions.
