PatchSiren cyber security CVE debrief

CVE-2026-45857 Linux CVE debrief

A null pointer dereference vulnerability exists in the Linux kernel's Chelsio FCoE driver (csiostor). The flaw occurs in an error exit path where a NULL pointer `rn` is dereferenced via the `CSIO_INC_STATS` macro. The vulnerability was resolved by introducing a separate error return path label after the macro's use, preventing the null dereference. Multiple stable kernel branches received backported fixes.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running Linux systems with Chelsio FCoE network adapters that use the csiostor driver; kernel maintainers and distribution security teams responsible for stable kernel updates.

Technical summary

The csiostor driver in the Linux kernel, which provides SCSI over FCoE (Fibre Channel over Ethernet) support for Chelsio network adapters, contains a null pointer dereference vulnerability. In an error handling path, when pointer `rn` is NULL, the code incorrectly falls through to a path that invokes `CSIO_INC_STATS(rn)`, causing a dereference of the null pointer. The fix introduces a dedicated error return label positioned after the statistics macro usage, ensuring that NULL `rn` cases exit without triggering the dereference. The vulnerability affects systems using Chelsio FCoE hardware with the csiostor driver loaded.

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing the referenced stable branch commits for affected Linux distributions
  • Confirm whether the csiostor module is loaded on systems that do not require FCoE, and consider blacklisting it where it is unused
  • Monitor distribution security advisories for kernel package updates addressing this CVE
  • Review system logs for csiostor-related errors that may indicate the error path is being reached

Evidence notes

The vulnerability description indicates a null pointer dereference in the csiostor SCSI driver, specifically in error handling code. The fix involves restructuring error paths to avoid dereferencing a NULL `rn` pointer through the `CSIO_INC_STATS` macro. Eight kernel.org stable branch commits are referenced, indicating backports across multiple kernel versions.
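The error-path pattern described in the technical summary and evidence notes above, as an added illustration that is not the driver's own code: a toy `csio_rnode` and a toy `CSIO_INC_STATS` macro are constructed here, modeled only on the page's description that the macro dereferences its argument; `handle_frame_before` and `handle_frame_after` are hypothetical names showing the shared-label bug and the separate-label fix.

```c
#include <stddef.h>
#include <stdbool.h>

/* Constructed stand-in for the driver's remote-node structure (not the real
 * csiostor definition); the macro below bumps a counter inside it. */
struct csio_rnode {
    struct {
        unsigned long n_err;   /* error counter bumped on the exit path */
    } stats;
};

/* Toy macro modeled on the page's description: it dereferences its argument,
 * so passing a NULL pointer is a null pointer dereference. */
#define CSIO_INC_STATS(elem, field) ((elem)->stats.field++)

enum { CSIO_OK = 0, CSIO_EINVAL = -1, CSIO_ENOMEM = -2 };

/* BEFORE (illustrative): one error label shared by every failure. When rn was
 * never resolved (NULL) the label still runs the stats macro, which is the
 * dereference the CVE describes. Never call this with rn == NULL. */
static int handle_frame_before(struct csio_rnode *rn, bool alloc_failed)
{
    if (rn == NULL)
        goto err;              /* rn is NULL here ... */
    if (alloc_failed)
        goto err;
    return CSIO_OK;
err:
    CSIO_INC_STATS(rn, n_err); /* ... and is dereferenced here */
    return CSIO_ENOMEM;
}

/* AFTER (illustrative of the fix): a second label placed after the macro so
 * the NULL case exits without ever touching rn. */
static int handle_frame_after(struct csio_rnode *rn, bool alloc_failed)
{
    if (rn == NULL)
        goto err_no_rn;        /* skip the stats update entirely */
    if (alloc_failed)
        goto err;
    return CSIO_OK;
err:
    CSIO_INC_STATS(rn, n_err); /* rn is guaranteed non-NULL on this path */
    return CSIO_ENOMEM;
err_no_rn:
    return CSIO_EINVAL;        /* reached only when rn is NULL */
}
```

The fixed function can be called with a NULL node and returns an error code; the original pattern reaches the macro with a NULL pointer on that same input.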
