Skip to main content

Linux CVE-2026-23467

| EUVDEUVD-2026-18735 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-04-03 Linux GHSA-2qjv-hmp6-mh5w
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
CVSS changed
May 26, 2026 - 14:37 NVD
5.5 (MEDIUM)
Patch available
Apr 16, 2026 - 05:29 EUVD
631317825d44283abfe7a8374f13a76ce2032bb8,0b35d11fbbcfd1079c8489282a341944228835e3
EUVD ID Assigned
Apr 03, 2026 - 15:30 euvd
EUVD-2026-18735
Analysis Generated
Apr 03, 2026 - 15:30 vuln.today
CVE Published
Apr 03, 2026 - 15:15 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

drm/i915/dmc: Fix an unlikely NULL pointer deference at probe

intel_dmc_update_dc6_allowed_count() oopses when DMC hasn't been initialized, and dmc is thus NULL.

That would be the case when the call path is intel_power_domains_init_hw() -> {skl,bxt,icl}_display_core_init() -> gen9_set_dc_state() -> intel_dmc_update_dc6_allowed_count(), as intel_power_domains_init_hw() is called *before* intel_dmc_init().

However, gen9_set_dc_state() calls intel_dmc_update_dc6_allowed_count() conditionally, depending on the current and target DC states. At probe, the target is disabled, but if DC6 is enabled, the function is called, and an oops follows. Apparently it's quite unlikely that DC6 is enabled at probe, as we haven't seen this failure mode before.

It is also strange to have DC6 enabled at boot, since that would require the DMC firmware (loaded by BIOS); the BIOS loading the DMC firmware and the driver stopping / reprogramming the firmware is a poorly specified sequence and as such unlikely an intentional BIOS behaviour. It's more likely that BIOS is leaving an unintentionally enabled DC6 HW state behind (without actually loading the required DMC firmware for this).

The tracking of the DC6 allowed counter only works if starting / stopping the counter depends on the _SW_ DC6 state vs. the current _HW_ DC6 state (since stopping the counter requires the DC5 counter captured when the counter was started). Thus, using the HW DC6 state is incorrect and it also leads to the above oops. Fix both issues by using the SW DC6 state for the tracking.

This is v2 of the fix originally sent by Jani, updated based on the first Link: discussion below.

(cherry picked from commit 2344b93af8eb5da5d496b4e0529d35f0f559eaf0)

AnalysisAI

NULL pointer dereference in Linux kernel DRM i915 GPU driver allows local denial of service during system probe when DMC firmware initialization has not yet completed but hardware has DC6 power state enabled. The vulnerability occurs in intel_dmc_update_dc6_allowed_count() when called from gen9_set_dc_state() during intel_power_domains_init_hw(), which executes before DMC initialization, causing kernel oops if DC6 is unexpectedly enabled by BIOS firmware. No public exploit code identified; this is a kernel crash vulnerability requiring local system access triggered by atypical BIOS behavior.

Technical ContextAI

The Linux kernel DRM subsystem manages Intel GPU power states through the Display Power Management Controller (DMC). The vulnerability exists in the i915 driver's DC (Display Core) power state management, specifically in the intel_dmc_update_dc6_allowed_count() function which tracks DC6 state transitions. During system initialization, intel_power_domains_init_hw() invokes display core initialization routines (skl_display_core_init, bxt_display_core_init, icl_display_core_init) that call gen9_set_dc_state() to configure power states. The issue arises because this initialization chain occurs before intel_dmc_init() completes, meaning the dmc structure pointer is NULL when intel_dmc_update_dc6_allowed_count() attempts to dereference it. The root cause is improper sequencing: the code checks hardware DC6 state rather than software DC6 state, and hardware may reflect a DC6-enabled state left by BIOS without the corresponding DMC firmware actually being loaded. The fix changes the logic to track software DC6 state transitions rather than hardware state, preventing the function call when DMC has not been initialized.

RemediationAI

Update to a patched Linux kernel version containing commit 2344b93af8eb5da5d496b4e0529d35f0f559eaf0 or the equivalent stable branch patches (0b35d11fbbcfd1079c8489282a341944228835e3, 631317825d44283abfe7a8374f13a76ce2032bb8, ac57eb3b7d2ad649025b5a0fa207315f755ac4f6). Distributions should backport this fix to affected stable and LTS kernel branches. The fix is available in mainline and stable kernel repositories at git.kernel.org/stable/. For systems unable to patch immediately, mitigation options are limited due to the early initialization timing; however, the vulnerability triggers only under atypical BIOS conditions where DC6 is enabled without proper DMC firmware initialization, which is not standard behavior. End users should ensure BIOS firmware is up-to-date from their system manufacturer. System administrators should prioritize kernel updates as this fix becomes available in their distribution's security updates.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-23467 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy