PatchSiren

CVE-2026-46188 Linux CVE debrief

A NULL pointer dereference vulnerability exists in the Linux kernel's octeon_ep_vf driver. The function `napi_build_skb()` can return NULL on memory allocation failure, but `__octep_vf_oq_process_rx()` uses this return value without validation in both single-buffer and multi-fragment receive paths. This flaw could lead to kernel crashes when the system is under memory pressure. The vulnerability was resolved by adding NULL checks after both `napi_build_skb()` calls, with proper descriptor advancement and fragment cleanup on failure paths.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

Organizations running Linux systems with Cavium/Marvell Octeon network adapters using SR-IOV virtual functions; cloud providers and hosting environments with high-density virtualized networking; and kernel maintainers and distribution security teams.

Technical summary

The octeon_ep_vf virtual function driver for Cavium/Marvell Octeon network adapters fails to check for NULL return from `napi_build_skb()` in its receive packet processing routine `__octep_vf_oq_process_rx()`. This function is invoked in both single-buffer and multi-fragment receive paths. When memory allocation fails under pressure, the subsequent dereference of the NULL skb pointer triggers a kernel oops or panic. The fix introduces explicit NULL checks with proper cleanup: advancing receive descriptors and consuming any remaining fragments to maintain ring consistency before returning.
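The failure handling described above can be modelled in userspace. The following is an added example, not the driver's code or the upstream patch: every `model_*` name, the ring layout and the buffer size are assumptions, and the single-buffer and multi-fragment paths are collapsed into one loop.

```c
/* Userspace model of the receive loop; every name here is hypothetical. */
#include <stdio.h>
#include <stdlib.h>

#define RING_SZ 8
#define BUF_SZ  2048
struct model_desc   { unsigned pkt_len; };      /* set on a packet's first buffer */
struct model_skb    { unsigned nr_frags; };
struct model_result { int delivered; unsigned dropped, read_idx; };
static int fail_budget;                         /* builds forced to fail */

/* Stand-in for napi_build_skb(): NULL means the allocation failed. */
static struct model_skb *model_build_skb(void)
{
    if (fail_budget > 0) { fail_budget--; return NULL; }
    return calloc(1, sizeof(struct model_skb));
}

static struct model_result model_process_rx(const struct model_desc *ring, int budget)
{
    struct model_result r = { 0, 0, 0 };
    while (budget-- > 0 && ring[r.read_idx].pkt_len) {
        unsigned nbufs = (ring[r.read_idx].pkt_len + BUF_SZ - 1) / BUF_SZ;
        struct model_skb *skb = model_build_skb();
        /* Consume the head and fragment descriptors on every path so the
         * next iteration starts on a packet boundary. */
        r.read_idx = (r.read_idx + nbufs) % RING_SZ;
        if (!skb) { r.dropped++; continue; }    /* the added check: drop, no deref */
        skb->nr_frags = nbufs - 1;              /* would fault on a NULL skb */
        r.delivered++;
        free(skb);                              /* model only: deliver, then release */
    }
    return r;
}

/* Constructed ring: a 3-buffer, a 1-buffer and a 2-buffer packet. */
struct model_result model_demo(int failures)
{
    struct model_desc ring[RING_SZ] = { [0] = {5000}, [3] = {1000}, [4] = {3000} };
    fail_budget = failures;
    return model_process_rx(ring, 3);
}

int main(void)
{
    struct model_result r = model_demo(1);      /* first build fails */
    printf("delivered=%d dropped=%u read_idx=%u\n", r.delivered, r.dropped, r.read_idx);
    return 0;
}
```

With one injected failure the 3-buffer packet is dropped, yet the read index still lands on the next packet's head, so the two following packets are delivered intact.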

Defensive priority

medium

Recommended defensive actions

  • Apply kernel patches from stable tree commits when available for your distribution
  • Monitor vendor security advisories for updated kernel packages
  • Consider memory pressure monitoring on systems using Cavium Octeon network adapters
  • Review system logs for kernel NULL pointer dereference events indicating potential exploitation attempts

Evidence notes

Vulnerability description confirms NULL pointer dereference in octeon_ep_vf driver. Four kernel.org stable tree commits provided as references. CVE published 2026-05-28 with status 'Awaiting Analysis'. No CVSS score assigned by NVD at time of disclosure.

Official resources

2026-05-28