SB2026032573 - Incorrect Register Defaults or Module Parameters in Linux kernel net phy driver
Published: March 25, 2026
Description
This security bulletin contains information about 1 security vulnerability.
1) Incorrect Register Defaults or Module Parameters (CVE-ID: CVE-2026-23368)
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to improper locking order in the phy_led_triggers_register function when handling LED triggers during PHY device probe. A local user can trigger a system call that leads to conflicting lock acquisition sequences, resulting in an AB-BA deadlock between the RTNL mutex and the triggers_list_lock, ultimately causing a kernel deadlock and system hang.
The issue arises when LEDS_TRIGGER_NETDEV and LED_TRIGGER_PHY are both enabled, allowing conflicting lock acquisition orders depending on execution context.
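An exposure check for the condition above, added here as an example (not part of the bulletin or the kernel sources): it reads a kernel config and reports whether both options are enabled. The function names and config file locations are assumptions; the option names are the two from the bulletin with the usual CONFIG_ prefix.

```shell
#!/bin/sh
# Added example: triage whether a kernel build has the option pair the
# bulletin names as the precondition for the deadlock.

# Print the state of one Kconfig option: "y", "m", or "n" (unset or absent).
# $1 = config file (plain text or .gz), $2 = option name without CONFIG_
kconfig_state() {
    case "$1" in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac
    # Only "=y" / "=m" count; "# CONFIG_X is not set" lines do not match.
    state=$($reader "$1" 2>/dev/null |
        sed -n "s/^CONFIG_$2=\([ym]\)\$/\1/p" | tail -n 1)
    echo "${state:-n}"
}

# Return 0 when both options are enabled, 1 otherwise; prints what it found.
phy_led_deadlock_config_present() {
    netdev=$(kconfig_state "$1" LEDS_TRIGGER_NETDEV)
    phy=$(kconfig_state "$1" LED_TRIGGER_PHY)
    echo "LEDS_TRIGGER_NETDEV=$netdev LED_TRIGGER_PHY=$phy"
    [ "$netdev" != n ] && [ "$phy" != n ]
}

# Locate the running kernel's config (assumed, distribution-dependent paths).
find_running_kconfig() {
    for f in "/boot/config-$(uname -r)" /proc/config.gz; do
        if [ -r "$f" ]; then echo "$f"; return 0; fi
    done
    return 1
}

# Run against the local machine only when asked: sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    cfg=$(find_running_kconfig) || { echo "no readable kernel config"; exit 2; }
    if phy_led_deadlock_config_present "$cfg"; then
        echo "both options enabled in $cfg: prioritise the vendor update"
    else
        echo "option pair not enabled in $cfg"
    fi
fi
```

The result only says whether the precondition exists in the build; it does not tell whether the installed kernel already contains the fix.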
Remediation
Install the update from the vendor's website.
References
- https://git.kernel.org/stable/c/241cd64cf2e32b28ead151b1795cd8fef2b6e482
- https://git.kernel.org/stable/c/2764dcb3c35de4410f642afc62cf979727470575
- https://git.kernel.org/stable/c/c33523b8fd2d4c504ada18cd93f511f2a8f84217
- https://git.kernel.org/stable/c/c6ffc2d2338d325e1edd0c702e3ee623aa5fdc6a
- https://git.kernel.org/stable/c/c8dbdc6e380e7e96a51706db3e4b7870d8a9402d
- https://git.kernel.org/stable/c/cde2d0b5ab5d03b5b6f17d4f654d8b30ccf36757