Bug 2467083 (CVE-2026-43260)

Summary: CVE-2026-43260 kernel: bnxt_en: Fix RSS context delete logic
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: rhel-process-autobot, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the bnxt_en driver of the Linux kernel. An issue in the RSS (Receive Side Scaling) context deletion logic can lead to a leak of VNICs (Virtual Network Interface Controllers) in the firmware. This can cause subsequent attempts to create new VNICs to fail, resulting in the loss of active RSS contexts. This vulnerability could lead to a Denial of Service (DoS) for network operations.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-05-06 13:03:21 UTC 
In the Linux kernel, the following vulnerability has been resolved:

bnxt_en: Fix RSS context delete logic

We need to free the corresponding RSS context VNIC
in FW everytime an RSS context is deleted in driver.
Commit 667ac333dbb7 added a check to delete the VNIC
in FW only when netif_running() is true to help delete
RSS contexts with interface down.

Having that condition will make the driver leak VNICs
in FW whenever close() happens with active RSS contexts.
On the subsequent open(), as part of RSS context restoration,
we will end up trying to create extra VNICs for which we
did not make any reservation. FW can fail this request,
thereby making us lose active RSS contexts.

Suppose an RSS context is deleted already and we try to
process a delete request again, then the HWRM functions
will check for validity of the request and they simply
return if the resource is already freed. So, even for
delete-when-down cases, netif_running() check is not
necessary.

Remove the netif_running() condition check when deleting
an RSS context.
Comment 1 Keith Grant 2026-05-06 23:37:14 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026050606-CVE-2026-43260-7443@gregkh/T