Security Vulnerability Report
CVE-2026-23358 CVSS 5.5 MEDIUM

Published: 2026-03-25 11:16:35
Last Modified: 2026-04-24 19:03:36
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amdgpu: Fix error handling in slot reset

If the device has not recovered after slot reset is called, it goes to out label for error handling. There it could make decision based on uninitialized hive pointer and could result in accessing an uninitialized list.

Initialize the list and hive properly so that it handles the error situation and also releases the reset domain lock which is acquired during error_detected callback.

(cherry picked from commit bb71362182e59caa227e4192da5a612b09349696)

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.16.1 inclusive, up to 6.18.17 exclusive) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.19 inclusive, up to 6.19.7 exclusive) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.16:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* - VULNERABLE
Linux Kernel (Specific versions prior to patch bb71362182e59caa227e4192da5a612b09349696)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * PoC Concept for CVE-2026-23358
 * This code simulates the vulnerable logic in the amdgpu driver.
 * Triggering this requires specific hardware failure simulation.
 */
#include <linux/module.h>
#include <linux/kernel.h>	/* printk */
#include <linux/list.h>
#include <linux/slab.h>		/* kmalloc, kfree */

/* Mock structure representing the hive */
struct amdgpu_hive {
	struct list_head node;
	int is_initialized;
};

static void vulnerable_slot_reset(void)
{
	/*
	 * This mock starts hive at NULL, so the checks after the out label
	 * are well defined here. Per the CVE description, the driver could
	 * reach that label with the hive pointer uninitialized.
	 */
	struct amdgpu_hive *hive = NULL;
	int reset_status = -1;	/* Simulate reset failure */

	/* On reset failure, jump to error handling before hive is set up */
	if (reset_status != 0)
		goto out;

	hive = kmalloc(sizeof(*hive), GFP_KERNEL);
	if (hive) {
		INIT_LIST_HEAD(&hive->node);
		hive->is_initialized = 1;
	}

out:
	/* Vulnerability being modelled: a decision based on the hive pointer */
	if (hive && !list_empty(&hive->node))
		printk(KERN_INFO "Hive is active\n");

	/*
	 * If reset failed, hive is NULL in this mock, but logic that assumes
	 * it is valid could lead to a kernel panic or undefined behavior.
	 */
	if (hive)
		kfree(hive);
}

int init_module(void)
{
	vulnerable_slot_reset();
	return 0;
}

void cleanup_module(void) {}

MODULE_LICENSE("GPL");

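References

https://git.kernel.org/stable/c/73e8bdf14248136459753252a438177df7ed8c7c (Patch)
https://git.kernel.org/stable/c/b57c4ec98c17789136a4db948aec6daadceb5024 (Patch)
https://git.kernel.org/stable/c/baf4e7968911635eb816870af0ea587ac1457052 (Patch)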

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23358", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-03-25T11:16:34.610", "lastModified": "2026-04-24T19:03:35.863", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix error handling in slot reset\n\nIf the device has not recovered after slot reset is called, it goes to\nout label for error handling. There it could make decision based on\nuninitialized hive pointer and could result in accessing an uninitialized\nlist.\n\nInitialize the list and hive properly so that it handles the error\nsituation and also releases the reset domain lock which is acquired\nduring error_detected callback.\n\n(cherry picked from commit bb71362182e59caa227e4192da5a612b09349696)"}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ndrm/amdgpu: Corregir el manejo de errores en el reinicio de ranura\n\nSi el dispositivo no se ha recuperado después de que se llama al reinicio de ranura, va a la etiqueta out para el manejo de errores. 
Allí podría tomar una decisión basada en un puntero hive no inicializado y podría resultar en el acceso a una lista no inicializada.\n\nInicializar la lista y hive correctamente para que maneje la situación de error y también libere el bloqueo del dominio de reinicio que se adquiere durante la llamada de retorno error_detected.\n\n(seleccionado de la confirmación bb71362182e59caa227e4192da5a612b09349696)"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-908"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16.1", "versionEndExcluding": "6.18.17", "matchCriteriaId": "5B092616-17E9-4C58-A0D5-624A8FAE8D23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.7", "matchCriteriaId": "69245D10-0B71-485E-80C3-A64F077004D3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.16:-:*:*:*:*:*:*", "matchCriteriaId": "6238B17D-C12B-458F-A138-97039BFC4595"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": 
"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/73e8bdf14248136459753252a438177df7ed8c7c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/b57c4ec98c17789136a4db948aec6daadceb5024", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/baf4e7968911635eb816870af0ea587ac1457052", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}