CVE-2026-23266

In the Linux kernel, the following vulnerability has been resolved: fbdev: rivafb: fix divide error in nv3_arb() A userspace program can trigger the RIVA NV3 arbitration code by calling the FBIOPUT_VSCREENINFO ioctl on /dev/fb*. When doing so, the driver recomputes FIFO arbitration parameters in nv3_arb(), using state->mclk_khz (derived from the PRAMDAC MCLK PLL) as a divisor without validating it first. In a normal setup, state->mclk_khz is provided by the real hardware and is non-zero. However, an attacker can construct a malicious or misconfigured device (e.g. a crafted/emulated PCI device) that exposes a bogus PLL configuration, causing state->mclk_khz to become zero. Once nv3_get_param() calls nv3_arb(), the division by state->mclk_khz in the gns calculation causes a divide error and crashes the kernel. Fix this by checking whether state->mclk_khz is zero and bailing out before doing the division. The following log reveals it: rivafb: setting virtual Y resolution to 2184 divide error: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 0 PID: 2187 Comm: syz-executor.0 Not tainted 5.18.0-rc1+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 RIP: 0010:nv3_arb drivers/video/fbdev/riva/riva_hw.c:439 [inline] RIP: 0010:nv3_get_param+0x3ab/0x13b0 drivers/video/fbdev/riva/riva_hw.c:546 Call Trace: nv3CalcArbitration.constprop.0+0x255/0x460 drivers/video/fbdev/riva/riva_hw.c:603 nv3UpdateArbitrationSettings drivers/video/fbdev/riva/riva_hw.c:637 [inline] CalcStateExt+0x447/0x1b90 drivers/video/fbdev/riva/riva_hw.c:1246 riva_load_video_mode+0x8a9/0xea0 drivers/video/fbdev/riva/fbdev.c:779 rivafb_set_par+0xc0/0x5f0 drivers/video/fbdev/riva/fbdev.c:1196 fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1033 do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1109 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1188 __x64_sys_ioctl+0x122/0x190 fs/ioctl.c:856

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/0209e21e3c372fa2da04c39214bec0b64e4eb5f4	Patch
https://git.kernel.org/stable/c/3e4cbd1d46c246dfa684c8e9d8c20ae0b960c50a	Patch
https://git.kernel.org/stable/c/526460a96c5443e2fc0fd231edd1f9c49d2de26b	Patch
https://git.kernel.org/stable/c/52916878db2b8e3769743a94484729f0844352df	Patch
https://git.kernel.org/stable/c/73f0391e92d404da68f7484e57c106c5e673dc7e	Patch
https://git.kernel.org/stable/c/78daf5984d96edec3b920c72a93bd6821b8710b7	Patch
https://git.kernel.org/stable/c/9efa0dc46270a8723c158c64afbcf1dead72b28c	Patch
https://git.kernel.org/stable/c/ec5a58f4fd581875593ea92a65485e1906a53c0f	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:2.6.12:-::::::
	cpe:2.3:o:linux:linux_kernel:2.6.12:rc2::::::
	cpe:2.3:o:linux:linux_kernel:2.6.12:rc3::::::
	cpe:2.3:o:linux:linux_kernel:2.6.12:rc4::::::
	cpe:2.3:o:linux:linux_kernel:2.6.12:rc5::::::

History

29 May 2026, 18:43

Type	Values Removed	Values Added
References	~~() https://git.kernel.org/stable/c/0209e21e3c372fa2da04c39214bec0b64e4eb5f4 -~~	() https://git.kernel.org/stable/c/0209e21e3c372fa2da04c39214bec0b64e4eb5f4 - Patch
References	~~() https://git.kernel.org/stable/c/3e4cbd1d46c246dfa684c8e9d8c20ae0b960c50a -~~	() https://git.kernel.org/stable/c/3e4cbd1d46c246dfa684c8e9d8c20ae0b960c50a - Patch
References	~~() https://git.kernel.org/stable/c/526460a96c5443e2fc0fd231edd1f9c49d2de26b -~~	() https://git.kernel.org/stable/c/526460a96c5443e2fc0fd231edd1f9c49d2de26b - Patch
References	~~() https://git.kernel.org/stable/c/52916878db2b8e3769743a94484729f0844352df -~~	() https://git.kernel.org/stable/c/52916878db2b8e3769743a94484729f0844352df - Patch
References	~~() https://git.kernel.org/stable/c/73f0391e92d404da68f7484e57c106c5e673dc7e -~~	() https://git.kernel.org/stable/c/73f0391e92d404da68f7484e57c106c5e673dc7e - Patch
References	~~() https://git.kernel.org/stable/c/78daf5984d96edec3b920c72a93bd6821b8710b7 -~~	() https://git.kernel.org/stable/c/78daf5984d96edec3b920c72a93bd6821b8710b7 - Patch
References	~~() https://git.kernel.org/stable/c/9efa0dc46270a8723c158c64afbcf1dead72b28c -~~	() https://git.kernel.org/stable/c/9efa0dc46270a8723c158c64afbcf1dead72b28c - Patch
References	~~() https://git.kernel.org/stable/c/ec5a58f4fd581875593ea92a65485e1906a53c0f -~~	() https://git.kernel.org/stable/c/ec5a58f4fd581875593ea92a65485e1906a53c0f - Patch
CPE		cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:::::: cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:::::: cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:::::: cpe:2.3:o:linux:linux_kernel:2.6.12:-:::::: cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:::::: cpe:2.3:o:linux:linux_kernel::::::::
CWE		CWE-369
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
First Time		Linux Linux linux Kernel
Summary		(es) En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta: fbdev: rivafb: corrige error de división en nv3_arb() Un programa de espacio de usuario puede activar el código de arbitraje RIVA NV3 llamando al ioctl FBIOPUT_VSCREENINFO en /dev/fb*. Al hacerlo, el controlador recalcula los parámetros de arbitraje FIFO en nv3_arb(), usando state->mclk_khz (derivado del PRAMDAC MCLK PLL) como divisor sin validarlo primero. En una configuración normal, state->mclk_khz es proporcionado por el hardware real y no es cero. Sin embargo, un atacante puede construir un dispositivo malicioso o mal configurado (p. ej., un dispositivo PCI manipulado/emulado) que expone una configuración PLL falsa, haciendo que state->mclk_khz se vuelva cero. Una vez que nv3_get_param() llama a nv3_arb(), la división por state->mclk_khz en el cálculo de gns causa un error de división y bloquea el kernel. Solucione esto verificando si state->mclk_khz es cero y saliendo antes de realizar la división. El siguiente registro lo revela: rivafb: estableciendo la resolución Y virtual a 2184 error de división: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 0 PID: 2187 Comm: syz-executor.0 No contaminado 5.18.0-rc1+ #1 Nombre del hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 RIP: 0010:nv3_arb drivers/video/fbdev/riva/riva_hw.c:439 [inline] RIP: 0010:nv3_get_param+0x3ab/0x13b0 drivers/video/fbdev/riva/riva_hw.c:546 Traza de llamada: nv3CalcArbitration.constprop.0+0x255/0x460 drivers/video/fbdev/riva/riva_hw.c:603 nv3UpdateArbitrationSettings drivers/video/fbdev/riva/riva_hw.c:637 [inline] CalcStateExt+0x447/0x1b90 drivers/video/fbdev/riva/riva_hw.c:1246 riva_load_video_mode+0x8a9/0xea0 drivers/video/fbdev/riva/fbdev.c:779 rivafb_set_par+0xc0/0x5f0 drivers/video/fbdev/riva/fbdev.c:1196 fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1033 do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1109 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1188 __x64_sys_ioctl+0x122/0x190 fs/ioctl.c:856

18 Mar 2026, 18:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-18 18:16

Updated : 2026-05-29 18:43

NVD link : CVE-2026-23266

Mitre link : CVE-2026-23266

CVE.ORG link : CVE-2026-23266

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-369

Divide By Zero

5.5 /10