PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45977 Linux CVE debrief

A use-after-free vulnerability exists in the Linux kernel's fbnic (Facebook/Meta network interface controller) driver. The flaw involves a race condition between firmware log (fw_log) teardown and concurrent write operations. The fw_log structure can be accessed by the mailbox interrupt handler (fbnic_fw_msix_intr → fbnic_fw_log_write) after it has been freed during driver removal, leading to dereference of freed or null memory. The vulnerability stems from incorrect initialization ordering (fw_log allocated after mailbox setup) and teardown ordering (fw_log freed before mailbox/IRQ teardown). The fix reorders synchronization to ensure fw_log is initialized before mailbox enablement and persists until after mailbox disablement.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

Organizations running Linux systems with Facebook/Meta (fbnic) network interface hardware; kernel maintainers and distribution vendors packaging kernel updates; infrastructure operators using hotpluggable network devices where driver reload may occur

Technical summary

The fbnic driver in the Linux kernel contains a race condition in its firmware logging infrastructure. The fw_log pointer is accessed by the mailbox MSI-X interrupt handler (fbnic_fw_msix_intr), which calls fbnic_fw_log_write(), but the same pointer can be freed by fbnic_fw_log_free() during driver removal (fbnic_remove) before the mailbox and IRQ teardown completes. The interleaving is:

  • CPU0 enters the interrupt handler, sees fbnic_fw_log_ready() return true, and is then preempted
  • CPU1 executes driver removal, freeing fw_log and nulling data_start
  • CPU0 resumes and dereferences the freed/null log->entries or log->data_start

Additionally, the initialization ordering was incorrect, with fw_log allocated after mailbox setup. The fix corrects both initialization and teardown ordering: fw_log allocation occurs before mailbox enablement, and fw_log cleanup occurs after mailbox disablement.
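The interleaving and the reordered teardown described above, replayed as a small userspace C model. This is an added example, not the fbnic driver's code or the upstream patch, and every name in it (model_dev, irq_check, irq_write, mbx_disable, run_removal) is hypothetical. It assumes that disabling the mailbox IRQ waits for a running handler to finish, and it counts a write to a dead log instead of performing it.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model of the ordering only; every name here is hypothetical. */
struct model_dev {
    int *log;          /* stands in for fw_log; NULL once freed */
    bool mbx_enabled;  /* mailbox IRQ can be delivered only while true */
    bool in_flight;    /* handler passed its ready check, write pending */
    int stale_writes;  /* writes that would have hit freed/NULL memory */
};

/* Handler, part 1: the ready check, after which CPU0 is preempted. */
static void irq_check(struct model_dev *d)
{
    if (d->mbx_enabled && d->log)
        d->in_flight = true;
}

/* Handler, part 2: the write. A dead log is counted, never dereferenced. */
static void irq_write(struct model_dev *d)
{
    if (!d->in_flight)
        return;
    d->in_flight = false;
    if (d->log) (*d->log)++;
    else d->stale_writes++;
}

static void log_free(struct model_dev *d) { free(d->log); d->log = NULL; }

/* Models IRQ teardown (assumption): waits for a running handler first. */
static void mbx_disable(struct model_dev *d)
{
    irq_write(d);
    d->mbx_enabled = false;
}

/* Replays the interleaving; returns the number of stale writes observed. */
int run_removal(bool fixed_order)
{
    /* Log exists before the mailbox is enabled (the corrected init order). */
    struct model_dev d = { .log = calloc(1, sizeof(int)), .mbx_enabled = true };
    irq_check(&d);                       /* CPU0: check passes, preempted */
    if (fixed_order) { mbx_disable(&d); log_free(&d); }     /* quiesce, free */
    else { log_free(&d); irq_write(&d); mbx_disable(&d); }  /* free, resume */
    return d.stale_writes;
}

int main(void) { printf("old=%d fixed=%d\n", run_removal(false), run_removal(true)); return 0; }
```

With the old ordering the pending write lands after the log is gone; with the fixed ordering the handler is drained while the log is still allocated.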

Defensive priority

medium

Recommended defensive actions

  • Apply kernel updates containing the fix commits for CVE-2026-45977 when available from your Linux distribution
  • For systems using fbnic (Facebook/Meta network interface) hardware, prioritize kernel updates to prevent potential system instability during driver unload or hotplug operations
  • Monitor vendor security advisories for backported kernel patches if running long-term support (LTS) kernel versions
  • Review system logs for fbnic-related errors that may indicate trigger conditions for this race condition
  • As a temporary mitigation, consider avoiding frequent fbnic driver reload operations until patches are applied

Evidence notes

Vulnerability description and fix details sourced from official CVE record and kernel.org git commits. The issue was resolved in the Linux kernel stable branches. Three fix commits are referenced, indicating backports to multiple stable kernel versions.
