Skip to main content

Linux CVE-2026-23348

| EUVDEUVD-2026-15317 MEDIUM
Race Condition (CWE-362)
2026-03-25 Linux GHSA-j48g-pw4c-x8jm
4.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
5.2 MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
Apr 24, 2026 - 18:22 NVD
4.7 (MEDIUM)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 25, 2026 - 10:45 euvd
EUVD-2026-15317
Analysis Generated
Mar 25, 2026 - 10:45 vuln.today
CVE Published
Mar 25, 2026 - 10:27 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

cxl: Fix race of nvdimm_bus object when creating nvdimm objects

Found issue during running of cxl-translate.sh unit test. Adding a 3s sleep right before the test seems to make the issue reproduce fairly consistently. The cxl_translate module has dependency on cxl_acpi and causes orphaned nvdimm objects to reprobe after cxl_acpi is removed. The nvdimm_bus object is registered by the cxl_nvb object when cxl_acpi_probe() is called. With the nvdimm_bus object missing, __nd_device_register() will trigger NULL pointer dereference when accessing the dev->parent that points to &nvdimm_bus->dev.

[ 192.884510] BUG: kernel NULL pointer dereference, address: 000000000000006c [ 192.895383] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20250812-19.fc42 08/12/2025 [ 192.897721] Workqueue: cxl_port cxl_bus_rescan_queue [cxl_core] [ 192.899459] RIP: 0010:kobject_get+0xc/0x90 [ 192.924871] Call Trace: [ 192.925959] <TASK> [ 192.926976] ? pm_runtime_init+0xb9/0xe0 [ 192.929712] __nd_device_register.part.0+0x4d/0xc0 [libnvdimm] [ 192.933314] __nvdimm_create+0x206/0x290 [libnvdimm] [ 192.936662] cxl_nvdimm_probe+0x119/0x1d0 [cxl_pmem] [ 192.940245] cxl_bus_probe+0x1a/0x60 [cxl_core] [ 192.943349] really_probe+0xde/0x380

This patch also relies on the previous change where devm_cxl_add_nvdimm_bridge() is called from drivers/cxl/pmem.c instead of drivers/cxl/core.c to ensure the dependency of cxl_acpi on cxl_pmem.

  1. Set probe_type of cxl_nvb to PROBE_FORCE_SYNCHRONOUS to ensure the

driver is probed synchronously when add_device() is called.

  1. Add a check in __devm_cxl_add_nvdimm_bridge() to ensure that the

cxl_nvb driver is attached during cxl_acpi_probe().

  1. Take the cxl_root uport_dev lock and the cxl_nvb->dev lock in

devm_cxl_add_nvdimm() before checking nvdimm_bus is valid.

  1. Set cxl_nvdimm flag to CXL_NVD_F_INVALIDATED so cxl_nvdimm_probe()

will exit with -EBUSY.

The removal of cxl_nvdimm devices should prevent any orphaned devices from probing once the nvdimm_bus is gone.

[ dj: Fixed 0-day reported kdoc issue. ] [ dj: Fix cxl_nvb reference leak on error. Gregory (kreview-0811365) ]

AnalysisAI

A race condition exists in the Linux kernel's CXL (Compute Express Link) subsystem where the nvdimm_bus object can be invalidated while orphaned nvdimm objects attempt to reprobe, leading to a NULL pointer dereference in kobject_get() during device registration. This affects Linux kernels with CXL support enabled, allowing a local attacker or system administrator to trigger a kernel panic (denial of service) through module unload/reload sequences or specific timing during CXL ACPI probe operations. No active exploitation in the wild has been reported, but the vulnerability is easily reproducible via the cxl-translate.sh unit test with minimal timing manipulation.

Technical ContextAI

The vulnerability resides in the Linux kernel's CXL (Compute Express Link) driver subsystem, specifically in the interaction between cxl_acpi, cxl_core, and cxl_pmem modules with the libnvdimm (Non-Volatile DIMM) subsystem. The affected CPE is cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*, indicating all Linux kernel versions with CXL support. The root cause is a race condition (CWE-362 or CWE-667) where the cxl_nvb (NVDimm Bridge) object's nvdimm_bus registration can be removed while orphaned nvdimm devices are still attempting to probe. When __nd_device_register() executes without a valid nvdimm_bus parent, it triggers a NULL pointer dereference at offset 0x6c in the device struct (the dev->parent pointer), specifically in kobject_get() when attempting to increment the reference count of the missing parent device. The issue manifests through asynchronous workqueue processing (cxl_port cxl_bus_rescan_queue) that races against module removal.

RemediationAI

Upgrade the Linux kernel to a stable version that includes the CXL nvdimm_bus race condition fix from the referenced commits (available from kernel.org stable branches and major Linux distributions' kernel updates). The primary fix involves three key changes: (1) setting the cxl_nvb probe_type to PROBE_FORCE_SYNCHRONOUS to ensure synchronous driver probing, (2) implementing checks in devm_cxl_add_nvdimm_bridge() to verify driver attachment during cxl_acpi_probe(), and (3) adding proper locking mechanisms around nvdimm_bus validity checks and setting the CXL_NVD_F_INVALIDATED flag to prevent orphaned device probing. Until kernel patching is feasible, restrict CXL module operations by avoiding dynamic unload/reload of cxl_acpi without full system quiescence, or disable CXL support entirely if the hardware is not in use. Distribution kernel maintainers should backport the referenced commits to all stable/LTS kernel branches with CXL support enabled.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye not-affected - -
bullseye (security) fixed 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky, sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23348 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy