CVE-2026-45849
Published: May 27, 2026· Updated: May 27, 2026
Official Description
In the Linux kernel, the following vulnerability has been resolved:
net: mscc: ocelot: add missing lock protection in ocelot_port_xmit_inj()
ocelot_port_xmit_inj() calls ocelot_can_inject() and
ocelot_port_inject_frame() without holding the injection group lock.
Both functions contain lockdep_assert_held() for the injection lock,
and the correct caller felix_port_deferred_xmit() properly acquires
the lock using ocelot_lock_inj_grp() before calling these functions.
Add ocelot_lock_inj_grp()/ocelot_unlock_inj_grp() around the register
injection path to fix the missing lock protection. The FDMA path is not
affected as it uses its own locking mechanism.
Technical Analysis
CVE-2026-45849 requires local access, meaning attackers must already have a foothold on the target system.
Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.
Affected Vendors & Products
Exploit & PoC Resources
All References (6)
Quick Facts
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-45849 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts