Skip to main content

Linux CVE-2026-23323

| EUVDEUVD-2026-15276 HIGH
Out-of-bounds Write (CWE-787)
2026-03-25 Linux GHSA-xf4v-3mcr-w96x
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
5.2 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 23, 2026 - 21:11 vuln.today
cvss_changed
CVSS changed
Apr 23, 2026 - 21:11 NVD
7.8 (HIGH)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15276
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:27 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

hwmon: (macsmc) Fix regressions in Apple Silicon SMC hwmon driver

The recently added macsmc-hwmon driver contained several critical bugs in its sensor population logic and float conversion routines.

Specifically:

  • The voltage sensor population loop used the wrong prefix ("volt-"

instead of "voltage-") and incorrectly assigned sensors to the temperature sensor array (hwmon->temp.sensors) instead of the voltage sensor array (hwmon->volt.sensors). This would lead to out-of-bounds memory access or data corruption when both temperature and voltage sensors were present.

  • The float conversion in macsmc_hwmon_write_f32() had flawed exponent

logic for values >= 2^24 and lacked masking for the mantissa, which could lead to incorrect values being written to the SMC.

Fix these issues to ensure correct sensor registration and reliable manual fan control.

Confirm that the reported overflow in FIELD_PREP is fixed by declaring macsmc_hwmon_write_f32() as __always_inline for a compile test.

AnalysisAI

The Apple Silicon SMC hwmon driver (macsmc-hwmon) in the Linux kernel contains critical memory safety bugs in sensor population and float conversion logic. Specifically, voltage sensors are incorrectly registered to the temperature sensor array, and float-to-32-bit conversion has flawed exponent handling, potentially leading to out-of-bounds memory access, data corruption, or incorrect fan control on affected Apple Silicon systems. The vulnerability affects Linux kernel versions with the macsmc-hwmon driver and has been patched; no active exploitation or POC is currently known, but the nature of the bugs suggests high real-world risk for systems relying on thermal management.

Technical ContextAI

The macsmc-hwmon driver is a hardware monitoring subsystem in the Linux kernel (CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*) that interfaces with the Apple Silicon System Management Controller to expose temperature, voltage, and fan data. The root cause involves two distinct defects: first, a prefix mismatch ('volt-' vs 'voltage-') combined with array assignment to the wrong data structure (hwmon->temp.sensors instead of hwmon->volt.sensors), which is a form of CWE-129 (improper validation of array index); second, the float-to-32-bit IEEE 754 conversion function macsmc_hwmon_write_f32() lacks proper mantissa masking and has incorrect exponent logic for large values (>=2^24), representing flawed numeric conversion logic related to CWE-190 (integer overflow). These bugs occur in sensor registration and SMC write paths, directly affecting hardware control.

RemediationAI

Apply kernel patches from the stable kernel repository immediately by updating to a kernel version containing the fixes referenced at https://git.kernel.org/stable/c/625ef35b70d3883fb9a41cd5a988e64dd3e447d6 and https://git.kernel.org/stable/c/5dd69b864911ae3847365e8bafe7854e79fbeecb. For Linux distributions, upgrade to the latest kernel package (e.g., via apt upgrade linux-image-generic on Ubuntu, or equivalent package manager commands on other distributions) that includes these commits. Until patching is completed, disable the macsmc-hwmon driver by adding 'blacklist macsmc_hwmon' to /etc/modprobe.d/blacklist.conf if thermal monitoring is not critical, though this is not recommended for production systems. Alternatively, restrict hardware monitoring access to trusted users only via cgroup or SELinux policies to minimize local attack surface.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm not-affected - -
bookworm (security) fixed 6.1.164-1 -
trixie not-affected - -
trixie (security) fixed 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23323 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy