Skip to main content

Linux CVE-2026-23328

| EUVDEUVD-2026-15284 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-03-25 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
Apr 23, 2026 - 21:27 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15284
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:27 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

accel/amdxdna: Fix NULL pointer dereference of mgmt_chann

mgmt_chann may be set to NULL if the firmware returns an unexpected error in aie2_send_mgmt_msg_wait(). This can later lead to a NULL pointer dereference in aie2_hw_stop().

Fix this by introducing a dedicated helper to destroy mgmt_chann and by adding proper NULL checks before accessing it.

AnalysisAI

A NULL pointer dereference vulnerability exists in the Linux kernel's AMD XDena accelerator driver (accel/amdxdna) where the mgmt_chann variable may be set to NULL if firmware returns an unexpected error during management message transmission, subsequently causing a kernel crash when aie2_hw_stop() attempts to access it. This affects Linux kernel versions across the amdxdna subsystem and can be exploited by local attackers with physical access or through malicious firmware to trigger a denial of service condition. Two stable kernel patches are available that introduce proper NULL checks and a dedicated helper function to safely destroy mgmt_chann.

Technical ContextAI

The vulnerability resides in the AMD XDena (amdxdna) accelerator driver subsystem within the Linux kernel, specifically in the firmware interaction layer. The root cause is a CWE-476 NULL pointer dereference that occurs when aie2_send_mgmt_msg_wait() encounters an unexpected firmware error and leaves mgmt_chann in an uninitialized NULL state. This state is not properly validated before subsequent use in aie2_hw_stop(), leading to kernel panic. The affected CPE cpe:2.3:a:linux:linux encompasses all Linux kernel versions where the amdxdna accelerator driver is present. The vulnerability stems from insufficient error handling and lack of defensive NULL checks around a critical hardware management channel object.

RemediationAI

Apply the upstream kernel patches referenced at https://git.kernel.org/stable/c/032ca7a9059c4ba6c329e0f1b442dab54dd9c3e5 and https://git.kernel.org/stable/c/6270ee26e1edd862ea17e3eba148ca8fb2c99dc9, which introduce proper NULL checks and a dedicated mgmt_chann destruction helper function. Systems using distributions such as Red Hat, Canonical, or Debian should wait for and deploy the next stable kernel update that incorporates these fixes. For immediate mitigation on systems where kernel upgrade is not feasible, restrict physical access to the system and ensure firmware integrity mechanisms (such as Secure Boot and Trusted Platform Module) are enabled to prevent malicious firmware from triggering the vulnerable error path.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm not-affected - -
bookworm (security) fixed 6.1.164-1 -
trixie not-affected - -
trixie (security) fixed 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23328 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy