CVE Catalog

CVE-2026-53232

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.22%

13th percentile — higher than 13% of all known CVEs

Summary

In the Linux kernel, a vulnerability was found where sfp_bus_del_upstream() is not called in the error path during PHY driver initialization. This leaves a dangling 'upstream' pointer in the sfp-bus structure, which may be later used during SFP events.

Risk Assessment

The organization is at risk of system crashes or unpredictable network behavior when SFP modules are inserted or removed, potentially leading to network service disruptions.

Recommendation

Immediately update the Linux kernel to a version containing the fix that adds the sfp_bus_del_upstream() call in the PHY initialization error path.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: net: phy: clean the sfp upstream if phy probing fails Sashiko reported that we don't call sfp_bus_del_upstream() in the probe failure path, so let's add it, otherwise the sfp-bus is left with a dangling 'upstream' field, that may be used later on during SFP events. This issue existed before the generic phylib sfp support, back when drivers were calling phy_sfp_probe themselves.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS