CVE-2026-23348

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-23348
In the Linux kernel, the following vulnerability has been resolved: cxl: Fix race of nvdimm_bus object when creating nvdimm objects Found issue during running of cxl-translate.sh unit test. Adding a 3s sleep right before the test seems to make the issue reproduce fairly consistently. The cxl_translate module has dependency on cxl_acpi and causes orphaned nvdimm objects to reprobe after cxl_acpi is removed. The nvdimm_bus object is registered by the cxl_nvb object when cxl_acpi_probe() is called. With the nvdimm_bus object missing, __nd_device_register() will trigger NULL pointer dereference when accessing the dev->parent that points to &nvdimm_bus->dev. [ 192.884510] BUG: kernel NULL pointer dereference, address: 000000000000006c [ 192.895383] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20250812-19.fc42 08/12/2025 [ 192.897721] Workqueue: cxl_port cxl_bus_rescan_queue [cxl_core] [ 192.899459] RIP: 0010:kobject_get+0xc/0x90 [ 192.924871] Call Trace: [ 192.925959] <TASK> [ 192.926976] ? pm_runtime_init+0xb9/0xe0 [ 192.929712] __nd_device_register.part.0+0x4d/0xc0 [libnvdimm] [ 192.933314] __nvdimm_create+0x206/0x290 [libnvdimm] [ 192.936662] cxl_nvdimm_probe+0x119/0x1d0 [cxl_pmem] [ 192.940245] cxl_bus_probe+0x1a/0x60 [cxl_core] [ 192.943349] really_probe+0xde/0x380 This patch also relies on the previous change where devm_cxl_add_nvdimm_bridge() is called from drivers/cxl/pmem.c instead of drivers/cxl/core.c to ensure the dependency of cxl_acpi on cxl_pmem. 1. Set probe_type of cxl_nvb to PROBE_FORCE_SYNCHRONOUS to ensure the driver is probed synchronously when add_device() is called. 2. Add a check in __devm_cxl_add_nvdimm_bridge() to ensure that the cxl_nvb driver is attached during cxl_acpi_probe(). 3. Take the cxl_root uport_dev lock and the cxl_nvb->dev lock in devm_cxl_add_nvdimm() before checking nvdimm_bus is valid. 4. Set cxl_nvdimm flag to CXL_NVD_F_INVALIDATED so cxl_nvdimm_probe() will exit with -EBUSY. The removal of cxl_nvdimm devices should prevent any orphaned devices from probing once the nvdimm_bus is gone. [ dj: Fixed 0-day reported kdoc issue. ] [ dj: Fix cxl_nvb reference leak on error. Gregory (kreview-0811365) ]

4.7 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.0 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://git.kernel.org/stable/c/5b230daeee420833287cc77314439903e5312f10 Patch
https://git.kernel.org/stable/c/5fc4e150c5ada5f7d20d8f9f1b351f10481fbdf7 Patch
https://git.kernel.org/stable/c/96a1fd0d84b17360840f344826897fa71049870e Patch
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.14:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
History

24 Apr 2026, 18:08

Type Values Removed Values Added
CPE cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.14:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
First Time Linux
Linux linux Kernel
CWE CWE-362
Summary
  • (es) En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta: cxl: Corrige la condición de carrera del objeto nvdimm_bus al crear objetos nvdimm Se encontró el problema durante la ejecución de la prueba unitaria cxl-translate.sh. Añadir un retardo de 3s justo antes de la prueba parece hacer que el problema se reproduzca de forma bastante consistente. El módulo cxl_translate tiene una dependencia de cxl_acpi y provoca que los objetos nvdimm huérfanos se vuelvan a sondear después de que se elimine cxl_acpi. El objeto nvdimm_bus es registrado por el objeto cxl_nvb cuando se llama a cxl_acpi_probe(). Al faltar el objeto nvdimm_bus, __nd_device_register() activará una desreferencia de puntero NULL al acceder a dev-&gt;parent que apunta a &amp;nvdimm_bus-&gt;dev. [ 192.884510] BUG: desreferencia de puntero NULL del kernel, dirección: 000000000000006c [ 192.895383] Nombre del hardware: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20250812-19.fc42 08/12/2025 [ 192.897721] Cola de trabajo: cxl_port cxl_bus_rescan_queue [cxl_core] [ 192.899459] RIP: 0010:kobject_get+0xc/0x90 [ 192.924871] Traza de llamada: [ 192.925959] [ 192.926976] ? pm_runtime_init+0xb9/0xe0 [ 192.929712] __nd_device_register.part.0+0x4d/0xc0 [libnvdimm] [ 192.933314] __nvdimm_create+0x206/0x290 [libnvdimm] [ 192.936662] cxl_nvdimm_probe+0x119/0x1d0 [cxl_pmem] [ 192.940245] cxl_bus_probe+0x1a/0x60 [cxl_core] [ 192.943349] really_probe+0xde/0x380 Este parche también se basa en el cambio anterior donde se llama a devm_cxl_add_nvdimm_bridge() desde drivers/cxl/pmem.c en lugar de drivers/cxl/core.c para asegurar la dependencia de cxl_acpi en cxl_pmem. 1. Establecer probe_type de cxl_nvb a PROBE_FORCE_SYNCHRONOUS para asegurar que el controlador sea sondeado sincrónicamente cuando se llama a add_device(). 2. Añadir una comprobación en __devm_cxl_add_nvdimm_bridge() para asegurar que el controlador cxl_nvb esté adjunto durante cxl_acpi_probe(). 3. Tomar el bloqueo cxl_root uport_dev y el bloqueo cxl_nvb-&gt;dev en devm_cxl_add_nvdimm() antes de comprobar que nvdimm_bus es válido. 4. Establecer el indicador cxl_nvdimm a CXL_NVD_F_INVALIDATED para que cxl_nvdimm_probe() salga con -EBUSY. La eliminación de dispositivos cxl_nvdimm debería evitar que cualquier dispositivo huérfano se sondee una vez que el nvdimm_bus haya desaparecido. [ dj: Se corrigió el problema de kdoc reportado el día 0. ] [ dj: Corrige la fuga de referencia de cxl_nvb en caso de error. Gregory (kreview-0811365) ]
References () https://git.kernel.org/stable/c/5b230daeee420833287cc77314439903e5312f10 - () https://git.kernel.org/stable/c/5b230daeee420833287cc77314439903e5312f10 - Patch
References () https://git.kernel.org/stable/c/5fc4e150c5ada5f7d20d8f9f1b351f10481fbdf7 - () https://git.kernel.org/stable/c/5fc4e150c5ada5f7d20d8f9f1b351f10481fbdf7 - Patch
References () https://git.kernel.org/stable/c/96a1fd0d84b17360840f344826897fa71049870e - () https://git.kernel.org/stable/c/96a1fd0d84b17360840f344826897fa71049870e - Patch
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 4.7

25 Mar 2026, 11:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-25 11:16

Updated : 2026-04-24 18:08

NVD link : CVE-2026-23348

Mitre link : CVE-2026-23348

CVE.ORG link : CVE-2026-23348

JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')