CVE-2026-23115

{"id": "CVE-2026-23115", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.0}]}, "published": "2026-02-14T15:16:06.607", "references": [{"url": "https://git.kernel.org/stable/c/2501c49306238b54a2de0f93de43d50ab6e76c84", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/32f37e57583f869140cff445feedeea8a5fea986", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-362"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: Fix not set tty->port race condition\n\nRevert commit bfc467db60b7 (\"serial: remove redundant\ntty_port_link_device()\") because the tty_port_link_device() is not\nredundant: the tty->port has to be confured before we call\nuart_configure_port(), otherwise user-space can open console without TTY\nlinked to the driver.\n\nThis tty_port_link_device() was added explicitly to avoid this exact\nissue in commit fb2b90014d78 (\"tty: link tty and port before configuring\nit as console\"), so offending commit basically reverted the fix saying\nit is redundant without addressing the actual race condition presented\nthere.\n\nReproducible always as tty->port warning on Qualcomm SoC with most of\ndevices disabled, so with very fast boot, and one serial device being\nthe console:\n\n printk: legacy console [ttyMSM0] enabled\n printk: legacy console [ttyMSM0] enabled\n printk: legacy bootconsole [qcom_geni0] disabled\n printk: legacy bootconsole [qcom_geni0] disabled\n ------------[ cut here ]------------\n tty_init_dev: ttyMSM driver does not set tty->port. This would crash the kernel. Fix the driver!\n WARNING: drivers/tty/tty_io.c:1414 at tty_init_dev.part.0+0x228/0x25c, CPU#2: systemd/1\n Modules linked in: socinfo tcsrcc_eliza gcc_eliza sm3_ce fuse ipv6\n CPU: 2 UID: 0 PID: 1 Comm: systemd Tainted: G S 6.19.0-rc4-next-20260108-00024-g2202f4d30aa8 #73 PREEMPT\n Tainted: [S]=CPU_OUT_OF_SPEC\n Hardware name: Qualcomm Technologies, Inc. Eliza (DT)\n ...\n tty_init_dev.part.0 (drivers/tty/tty_io.c:1414 (discriminator 11)) (P)\n tty_open (arch/arm64/include/asm/atomic_ll_sc.h:95 (discriminator 3) drivers/tty/tty_io.c:2073 (discriminator 3) drivers/tty/tty_io.c:2120 (discriminator 3))\n chrdev_open (fs/char_dev.c:411)\n do_dentry_open (fs/open.c:962)\n vfs_open (fs/open.c:1094)\n do_open (fs/namei.c:4634)\n path_openat (fs/namei.c:4793)\n do_filp_open (fs/namei.c:4820)\n do_sys_openat2 (fs/open.c:1391 (discriminator 3))\n ...\n Starting Network Name Resolution...\n\nApparently the flow with this small Yocto-based ramdisk user-space is:\n\ndriver (qcom_geni_serial.c): user-space:\n============================ ===========\nqcom_geni_serial_probe()\n uart_add_one_port()\n serial_core_register_port()\n serial_core_add_one_port()\n uart_configure_port()\n register_console()\n |\n | open console\n | ...\n | tty_init_dev()\n | driver->ports[idx] is NULL\n |\n tty_port_register_device_attr_serdev()\n tty_port_link_device() <- set driver->ports[idx]"}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nserial: Corrige la condici\u00f3n de carrera de tty-&gt;port no establecido\n\nRevertir el commit bfc467db60b7 ('serial: eliminar tty_port_link_device() redundante') porque tty_port_link_device() no es redundante: el tty-&gt;port tiene que ser configurado antes de que llamemos a uart_configure_port(), de lo contrario, el espacio de usuario puede abrir la consola sin un TTY vinculado al controlador.\n\nEste tty_port_link_device() fue a\u00f1adido expl\u00edcitamente para evitar este problema exacto en el commit fb2b90014d78 ('tty: vincular tty y puerto antes de configurarlo como consola'), por lo que el commit ofensivo b\u00e1sicamente revirti\u00f3 la correcci\u00f3n diciendo que es redundante sin abordar la condici\u00f3n de carrera real presentada all\u00ed.\n\nReproducible siempre como advertencia de tty-&gt;port en SoC de Qualcomm con la mayor\u00eda de los dispositivos deshabilitados, por lo que con un arranque muy r\u00e1pido, y un dispositivo serie siendo la consola:\n\n printk: consola heredada [ttyMSM0] habilitada\n printk: consola heredada [ttyMSM0] habilitada\n printk: consola de arranque heredada [qcom_geni0] deshabilitada\n printk: consola de arranque heredada [qcom_geni0] deshabilitada\n ------------[ cortar aqu\u00ed ]------------\n tty_init_dev: el controlador ttyMSM no establece tty-&gt;port. Esto har\u00eda que el kernel se bloquee. \u00a1Arregle el controlador!\n ADVERTENCIA: drivers/tty/tty_io.c:1414 en tty_init_dev.part.0+0x228/0x25c, CPU#2: systemd/1\n M\u00f3dulos vinculados: socinfo tcsrcc_eliza gcc_eliza sm3_ce fuse ipv6\n CPU: 2 UID: 0 PID: 1 Comm: systemd Tainted: G S 6.19.0-rc4-next-20260108-00024-g2202f4d30aa8 #73 PREEMPT\n Tainted: [S]=CPU_OUT_OF_SPEC\n Nombre del hardware: Qualcomm Technologies, Inc. Eliza (DT)\n ...\n tty_init_dev.part.0 (drivers/tty/tty_io.c:1414 (discriminador 11)) (P)\n tty_open (arch/arm64/include/asm/atomic_ll_sc.h:95 (discriminador 3) drivers/tty/tty_io.c:2073 (discriminador 3) drivers/tty/tty_io.c:2120 (discriminador 3))\n chrdev_open (fs/char_dev.c:411)\n do_dentry_open (fs/open.c:962)\n vfs_open (fs/open.c:1094)\n do_open (fs/namei.c:4634)\n path_openat (fs/namei.c:4793)\n do_filp_open (fs/namei.c:4820)\n do_sys_openat2 (fs/open.c:1391 (discriminador 3))\n ...\n Iniciando la resoluci\u00f3n de nombres de red...\n\nAparentemente, el flujo con este peque\u00f1o espacio de usuario de ramdisk basado en Yocto es:\n\ncontrolador (qcom_geni_serial.c): espacio de usuario:\n============================ ===========\nqcom_geni_serial_probe()\n uart_add_one_port()\n serial_core_register_port()\n serial_core_add_one_port()\n uart_configure_port()\n register_console()\n |\n | abrir consola\n | ...\n | tty_init_dev()\n | driver-&gt;ports[idx] es NULL\n |\n tty_port_register_device_attr_serdev()\n tty_port_link_device() &lt;- establece driver-&gt;ports[idx]"}], "lastModified": "2026-03-18T13:41:27.780", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D7B7374A-5B63-4FDE-89D3-C2AF57547341", "versionEndExcluding": "6.18.8", "versionStartIncluding": "6.15"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}