CVE-2026-23063

In the Linux kernel, the following vulnerability has been resolved: uacce: ensure safe queue release with state management Directly calling `put_queue` carries risks since it cannot guarantee that resources of `uacce_queue` have been fully released beforehand. So adding a `stop_queue` operation for the UACCE_CMD_PUT_Q command and leaving the `put_queue` operation to the final resource release ensures safety. Queue states are defined as follows: - UACCE_Q_ZOMBIE: Initial state - UACCE_Q_INIT: After opening `uacce` - UACCE_Q_STARTED: After `start` is issued via `ioctl` When executing `poweroff -f` in virt while accelerator are still working, `uacce_fops_release` and `uacce_remove` may execute concurrently. This can cause `uacce_put_queue` within `uacce_fops_release` to access a NULL `ops` pointer. Therefore, add state checks to prevent accessing freed pointers.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/26c08dabe5475d99a13f353d8dd70e518de45663	Patch
https://git.kernel.org/stable/c/336fb41a186e7c0415ae94fec9e23d1f04b87483	Patch
https://git.kernel.org/stable/c/43f233eb6e7b9d88536881a9bc43726d0e34800d	Patch
https://git.kernel.org/stable/c/47634d70073890c9c37e39ab4ff93d4b585b028a	Patch
https://git.kernel.org/stable/c/8b57bf1d3b1db692f34bce694a03e41be79f6016	Patch
https://git.kernel.org/stable/c/92e4f11e29b98ef424ff72d6371acac03e5d973c	Patch
https://git.kernel.org/stable/c/b457abeb5d962db88aaf60e249402fd3073dbfab	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc4::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc5::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc6::::::

History

13 Mar 2026, 21:28

Type	Values Removed	Values Added
CPE		cpe:2.3:o:linux:linux_kernel:6.19:rc5:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc4:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc1:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc2:::::: cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.19:rc6:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc3::::::
References	~~() https://git.kernel.org/stable/c/26c08dabe5475d99a13f353d8dd70e518de45663 -~~	() https://git.kernel.org/stable/c/26c08dabe5475d99a13f353d8dd70e518de45663 - Patch
References	~~() https://git.kernel.org/stable/c/336fb41a186e7c0415ae94fec9e23d1f04b87483 -~~	() https://git.kernel.org/stable/c/336fb41a186e7c0415ae94fec9e23d1f04b87483 - Patch
References	~~() https://git.kernel.org/stable/c/43f233eb6e7b9d88536881a9bc43726d0e34800d -~~	() https://git.kernel.org/stable/c/43f233eb6e7b9d88536881a9bc43726d0e34800d - Patch
References	~~() https://git.kernel.org/stable/c/47634d70073890c9c37e39ab4ff93d4b585b028a -~~	() https://git.kernel.org/stable/c/47634d70073890c9c37e39ab4ff93d4b585b028a - Patch
References	~~() https://git.kernel.org/stable/c/8b57bf1d3b1db692f34bce694a03e41be79f6016 -~~	() https://git.kernel.org/stable/c/8b57bf1d3b1db692f34bce694a03e41be79f6016 - Patch
References	~~() https://git.kernel.org/stable/c/92e4f11e29b98ef424ff72d6371acac03e5d973c -~~	() https://git.kernel.org/stable/c/92e4f11e29b98ef424ff72d6371acac03e5d973c - Patch
References	~~() https://git.kernel.org/stable/c/b457abeb5d962db88aaf60e249402fd3073dbfab -~~	() https://git.kernel.org/stable/c/b457abeb5d962db88aaf60e249402fd3073dbfab - Patch
CWE		CWE-476
First Time		Linux Linux linux Kernel
Summary		(es) En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta: uacce: asegurar la liberación segura de la cola con gestión de estado Llamar directamente a 'put_queue' conlleva riesgos ya que no puede garantizar que los recursos de 'uacce_queue' hayan sido completamente liberados de antemano. Por lo tanto, añadir una operación 'stop_queue' para el comando UACCE_CMD_PUT_Q y dejar la operación 'put_queue' para la liberación final de recursos garantiza la seguridad. Los estados de la cola se definen de la siguiente manera: - UACCE_Q_ZOMBIE: Estado inicial - UACCE_Q_INIT: Después de abrir 'uacce' - UACCE_Q_STARTED: Después de que se emite 'start' a través de 'ioctl' Al ejecutar 'poweroff -f' en virt mientras el acelerador sigue funcionando, 'uacce_fops_release' y 'uacce_remove' pueden ejecutarse concurrentemente. Esto puede causar que 'uacce_put_queue' dentro de 'uacce_fops_release' acceda a un puntero 'ops' NULL. Por lo tanto, añadir comprobaciones de estado para evitar acceder a punteros liberados.
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5

06 Feb 2026, 17:16

Type	Values Removed	Values Added
References		() https://git.kernel.org/stable/c/336fb41a186e7c0415ae94fec9e23d1f04b87483 - () https://git.kernel.org/stable/c/8b57bf1d3b1db692f34bce694a03e41be79f6016 - () https://git.kernel.org/stable/c/b457abeb5d962db88aaf60e249402fd3073dbfab -

04 Feb 2026, 17:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-04 17:16

Updated : 2026-03-13 21:28

NVD link : CVE-2026-23063

Mitre link : CVE-2026-23063

CVE.ORG link : CVE-2026-23063

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-476

NULL Pointer Dereference

5.5 /10