CVE-2026-23305

{"id": "CVE-2026-23305", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.8}]}, "published": "2026-03-25T11:16:26.347", "references": [{"url": "https://git.kernel.org/stable/c/34f4495a7f72895776b81969639f527c99eb12b9", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7fc4b49474c836cee7d9801abf05e0198fcbfa74", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/eeaf28c8f4defe371a008a5ddefaf18abf534f81", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-125"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/rocket: fix unwinding in error path in rocket_probe\n\nWhen rocket_core_init() fails (as could be the case with EPROBE_DEFER),\nwe need to properly unwind by decrementing the counter we just\nincremented and if this is the first core we failed to probe, remove the\nrocket DRM device with rocket_device_fini() as well. This matches the\nlogic in rocket_remove(). Failing to properly unwind results in\nout-of-bounds accesses."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\naccel/rocket: corregir el desenrollado en la ruta de error en rocket_probe\n\nCuando rocket_core_init() falla (como podr\u00eda ser el caso con EPROBE_DEFER), necesitamos desenrollar correctamente decrementando el contador que acabamos de incrementar y, si este es el primer n\u00facleo que no pudimos sondear, eliminar tambi\u00e9n el dispositivo DRM de rocket con rocket_device_fini(). Esto coincide con la l\u00f3gica en rocket_remove(). No desenrollar correctamente resulta en accesos fuera de l\u00edmites."}], "lastModified": "2026-05-28T14:33:24.890", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "91D34097-62D4-400A-8894-1A45A5B44EEA", "versionEndExcluding": "6.18.17", "versionStartIncluding": "6.18"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "69245D10-0B71-485E-80C3-A64F077004D3", "versionEndExcluding": "6.19.7", "versionStartIncluding": "6.19"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}