Skip to main content

Linux EUVDEUVD-2026-12860

| CVE-2026-23253 HIGH
2026-03-18 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
6.2 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Updated
Apr 18, 2026 - 09:44 vuln.today
v3 (cvss_changed)
Analysis Updated
Apr 18, 2026 - 09:43 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 18, 2026 - 09:22 vuln.today
cvss_changed
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 18, 2026 - 17:30 euvd
EUVD-2026-12860
Analysis Generated
Mar 18, 2026 - 17:30 vuln.today
CVE Published
Mar 18, 2026 - 17:01 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

media: dvb-core: fix wrong reinitialization of ringbuffer on reopen

dvb_dvr_open() calls dvb_ringbuffer_init() when a new reader opens the DVR device. dvb_ringbuffer_init() calls init_waitqueue_head(), which reinitializes the waitqueue list head to empty.

Since dmxdev->dvr_buffer.queue is a shared waitqueue (all opens of the same DVR device share it), this orphans any existing waitqueue entries from io_uring poll or epoll, leaving them with stale prev/next pointers while the list head is reset to {self, self}.

The waitqueue and spinlock in dvr_buffer are already properly initialized once in dvb_dmxdev_init(). The open path only needs to reset the buffer data pointer, size, and read/write positions.

Replace the dvb_ringbuffer_init() call in dvb_dvr_open() with direct assignment of data/size and a call to dvb_ringbuffer_reset(), which properly resets pread, pwrite, and error with correct memory ordering without touching the waitqueue or spinlock.

AnalysisAI

Linux kernel DVB digital video recorder driver allows local authenticated users to trigger use-after-free conditions via stale waitqueue entries, potentially achieving privilege escalation to root or causing kernel crashes. The vulnerability stems from improper waitqueue reinitialization when reopening DVR devices, orphaning existing epoll/io_uring poll entries. Affects Linux kernel versions from 2.6.17 through 6.19.6, with patches available in 6.12.77, 6.18.17, 6.19.7, and 7.0-rc2. EPSS score of 0.02% (4th percentile) indicates low observed exploitation activity, though CVSS 7.8 reflects high impact if local access is obtained.

Technical ContextAI

The Digital Video Broadcast (DVB) subsystem in the Linux kernel provides userspace access to digital TV tuner hardware through character devices. The DVR (Digital Video Recorder) device uses a ring buffer with associated waitqueues to coordinate I/O between userspace readers and kernel drivers. The dmxdev->dvr_buffer.queue waitqueue is shared across multiple file descriptor opens of the same DVR device. The vulnerability occurs in dvb_dvr_open() (media/dvb-core/dmxdev.c), which incorrectly calls dvb_ringbuffer_init() on every device open. This function reinitializes the waitqueue head via init_waitqueue_head(), setting the doubly-linked list to {self, self}. Any existing waitqueue entries from io_uring async poll operations or epoll file descriptors are orphaned with dangling prev/next pointers still pointing to the old list head location. Subsequent waitqueue operations (wake_up, list traversal) can dereference these stale pointers, creating use-after-free or list corruption conditions. The waitqueue and spinlock are properly initialized once during driver probe in dvb_dmxdev_init(); the reopen path should only reset buffer state (pread, pwrite, error) without touching synchronization primitives. The root cause is architectural confusion between one-time driver initialization and per-open state reset, though no formal CWE classification is assigned in NVD data.

RemediationAI

Upgrade to patched Linux kernel versions: 6.12.77 or later in the 6.12 stable series, 6.18.17+ in the 6.18 series, 6.19.7+ in the 6.19 series, or 7.0-rc2 and newer mainline kernels. Upstream fixes are commit af050ab44fa1 (mainline) with stable backports fb378cf89be4 (6.12), 527cfa8a3486 (6.18), f1e520ca2e83 (6.19), and cfd94642025e (7.0). Kernel source patches available at https://git.kernel.org/stable/c/af050ab44fa1b1897a940d7d756e512232f5e5df and related stable branch URLs. For systems unable to upgrade immediately, compensating controls include: (1) Restrict /dev/dvb/* device permissions to root-only via udev rules-removes PR:L attack prerequisite but breaks legitimate DVB applications for non-root users. (2) Blacklist dvb_core and related DVB kernel modules if DVB functionality is unused-eliminates attack surface entirely but disables digital TV features. (3) Disable io_uring system-wide via sysctl kernel.io_uring_disabled=2 (requires kernel 5.12+)-reduces one attack vector (io_uring poll) but does not address epoll-based exploitation and impacts io_uring-dependent applications. Each mitigation has operational trade-offs; device permission restriction offers best balance of security and compatibility for multi-user systems. Distribution-specific advisories should be consulted for vendor-tested kernel packages.

Vendor StatusVendor

Debian

linux
Release Status Fixed Version Urgency
bullseye vulnerable 5.10.223-1 -
bullseye (security) vulnerable 5.10.251-1 -
bookworm vulnerable 6.1.159-1 -
bookworm (security) vulnerable 6.1.164-1 -
trixie vulnerable 6.12.73-1 -
trixie (security) vulnerable 6.12.74-2 -
forky vulnerable 6.19.6-2 -
sid fixed 6.19.8-1 -
(unstable) fixed 6.19.8-1 -

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-12860 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy