Skip to main content

Linux CVE-2026-23332

| EUVDEUVD-2026-15292 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-03-25 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
Apr 23, 2026 - 21:27 NVD
5.5 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15292
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:27 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

cpufreq: intel_pstate: Fix crash during turbo disable

When the system is booted with kernel command line argument "nosmt" or "maxcpus" to limit the number of CPUs, disabling turbo via:

echo 1 > /sys/devices/system/cpu/intel_pstate/no_turbo

results in a crash:

PF: supervisor read access in kernel mode PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP PTI ... RIP: 0010:store_no_turbo+0x100/0x1f0 ...

This occurs because for_each_possible_cpu() returns CPUs even if they are not online. For those CPUs, all_cpu_data[] will be NULL. Since commit 973207ae3d7c ("cpufreq: intel_pstate: Rearrange max frequency updates handling code"), all_cpu_data[] is dereferenced even for CPUs which are not online, causing the NULL pointer dereference.

To fix that, pass CPU number to intel_pstate_update_max_freq() and use all_cpu_data[] for those CPUs for which there is a valid cpufreq policy.

AnalysisAI

A NULL pointer dereference vulnerability exists in the Linux kernel's intel_pstate CPU frequency scaling driver that crashes the system when turbo boost is disabled on systems with CPU count limitations. This affects Linux kernel versions across multiple releases where the system is booted with 'nosmt' or 'maxcpus' kernel parameters and a user or administrator attempts to disable turbo via sysfs. An unprivileged local attacker with write access to /sys/devices/system/cpu/intel_pstate/no_turbo can trigger a kernel panic, resulting in denial of service. The vulnerability has been patched and fixes are available across multiple stable kernel branches.

Technical ContextAI

The vulnerability exists in the Intel P-State CPU frequency scaling subsystem of the Linux kernel (affected CPE: cpe:2.3:a:linux:linux). The root cause is a use-after-free/NULL pointer dereference (related to improper NULL handling, CWE-476 or similar memory safety classes). When the kernel boots with CPU count limitations via 'nosmt' or 'maxcpus' parameters, certain CPUs become marked as 'possible' but remain offline. The all_cpu_data[] array contains NULL pointers for offline CPUs. Commit 973207ae3d7c refactored max frequency update handling to iterate over all possible CPUs using for_each_possible_cpu(), which includes offline CPUs with NULL entries. The store_no_turbo() sysfs handler dereferences all_cpu_data[] without checking validity, causing kernel panic when accessing memory at NULL offset. The fix validates CPU policy existence before dereferencing the all_cpu_data array.

RemediationAI

Update to a patched Linux kernel version containing the fixes referenced in the stable kernel tree (commits a1850e2aef4d15405e7ff53fd51c4b3124d46182, d20d48916ce8531b157c2edeba76d69af2974270, or 6b050482ec40569429d963ac52afa878691b04c9). Most Linux distributions have backported this fix into their stable kernel updates; check your distribution's security advisories for specific kernel package versions. Until patching is possible, restrict write access to /sys/devices/system/cpu/intel_pstate/no_turbo via file permissions or SELinux/AppArmor policies to prevent unprivileged local users from triggering the crash. Systems not using 'nosmt' or 'maxcpus' kernel parameters are less affected but should still patch for completeness. Consult your Linux distribution's security page and your kernel vendor's advisory for exact patched version numbers.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm not-affected - -
bookworm (security) fixed 6.1.164-1 -
trixie not-affected - -
trixie (security) fixed 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23332 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy