Skip to main content

Linux Kernel CVE-2026-23305

| EUVDEUVD-2026-15245 HIGH
Out-of-bounds Read (CWE-125)
2026-03-25 Linux
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
SUSE
5.2 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

8
Analysis Updated
May 28, 2026 - 14:43 vuln.today
v3 (cvss_changed)
Analysis Updated
May 28, 2026 - 14:42 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 28, 2026 - 14:37 vuln.today
cvss_changed
CVSS changed
May 28, 2026 - 14:37 NVD
7.1 (HIGH)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15245
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:27 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

accel/rocket: fix unwinding in error path in rocket_probe

When rocket_core_init() fails (as could be the case with EPROBE_DEFER), we need to properly unwind by decrementing the counter we just incremented and if this is the first core we failed to probe, remove the rocket DRM device with rocket_device_fini() as well. This matches the logic in rocket_remove(). Failing to properly unwind results in out-of-bounds accesses.

AnalysisAI

Out-of-bounds memory access in the Linux kernel's accel/rocket DRM driver allows local authenticated users to trigger denial of service and potential information disclosure during probe failure paths. The flaw stems from improper error unwinding in rocket_probe() when rocket_core_init() fails (notably on EPROBE_DEFER), leaving stale counter state that subsequent code dereferences out of bounds. No public exploit identified at time of analysis, and EPSS scores exploitation likelihood at 0.02% (4th percentile), consistent with a hardware-driver-specific issue requiring local access.

Technical ContextAI

The vulnerability resides in drivers/accel/rocket, the DRM/accel subsystem driver for Rockchip NPU (neural processing unit) hardware, introduced in recent kernel versions. The root cause is CWE-125 (Out-of-bounds Read): when rocket_core_init() returns an error during probe, the function fails to decrement a core counter it just incremented and skips calling rocket_device_fini() for the first-core case - mirroring the cleanup logic already present in rocket_remove(). The stale counter then drives later array indexing past the allocated bounds. Affected CPE strings target cpe:2.3:a:linux:linux generically, and the upstream commits (34f4495a7f72, eeaf28c8f4de, 7fc4b49474c8) implement matched unwind logic in the probe error path.

RemediationAI

Vendor-released patch: upgrade to Linux 6.18.17, 6.19.7, or 7.0-rc1 or later, which contain the matched commits (34f4495a7f72, eeaf28c8f4de, 7fc4b49474c8) that correctly decrement the core counter and invoke rocket_device_fini() on the first-core failure path. Distribution users should track the Debian security tracker and apply vendor kernel updates as they ship for the 8 tracked releases. As a compensating control on systems without Rockchip NPU hardware, blacklist the rocket module (echo 'blacklist rocket' >> /etc/modprobe.d/blacklist-rocket.conf followed by update-initramfs) to prevent the driver from probing entirely - the trade-off is loss of NPU acceleration on platforms that need it. On Rockchip edge devices that depend on the NPU, prioritize the kernel update since module-disable removes the feature; restricting unprivileged container/namespace access to the device node (/dev/accel/accel*) and tightening udev permissions reduces the local attacker surface in the interim. Refer to https://nvd.nist.gov/vuln/detail/CVE-2026-23305 and the git.kernel.org commit links above for backporting.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm not-affected - -
bookworm (security) fixed 6.1.164-1 -
trixie not-affected - -
trixie (security) fixed 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23305 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy