CVE-2026-23443

/* * Conceptual PoC for CVE-2026-23443 * This demonstrates the vulnerable logic flow in acpi_processor_errata_piix4(). * Triggering this requires specific hardware or kernel emulation. */ #include <linux/acpi.h> #include <linux/device.h> // Vulnerable function simulation void vulnerable_acpi_processor_errata_piix4(struct device *dev) { // ... some logic ... // 1. Drop reference to the device object put_device(dev); // 2. Use-after-free: Dereferencing the pointer after dropping the reference // This is the vulnerable part described in the CVE. if (dev->kobj.sd) { printk(KERN_DEBUG "Device still exists (UAF trigger)"); } } /* * Exploitation Logic: * 1. Attacker gains local access (PR:L). * 2. Attacker triggers ACPI processor enumeration/scan. * 3. Kernel executes the vulnerable path, causing a race or crash. */

{"cve": {"id": "CVE-2026-23443", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-03T16:16:28.573", "lastModified": "2026-04-23T20:58:48.307", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: processor: Fix previous acpi_processor_errata_piix4() fix\n\nAfter commi f132e089fe89 (\"ACPI: processor: Fix NULL-pointer dereference\nin acpi_processor_errata_piix4()\"), device pointers may be dereferenced\nafter dropping references to the device objects pointed to by them,\nwhich may cause a use-after-free to occur.\n\nMoreover, debug messages about enabling the errata may be printed\nif the errata flags corresponding to them are unset.\n\nAddress all of these issues by moving message printing to the points\nin the code where the errata flags are set."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1.165", "versionEndExcluding": "6.1.167", "matchCriteriaId": "D54E2FD5-7EF9-426A-9AE1-8E8DA970BCC8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6.128", "versionEndExcluding": "6.6.130", "matchCriteriaId": "2099D3D0-97C6-44C5-913D-E616B07A9237"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.12.75", "versionEndExcluding": "6.12.78", "matchCriteriaId": "DAB9F88E-FB55-4FDB-966E-E7FC262B2038"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18.16", "versionEndExcluding": "6.18.20", "matchCriteriaId": "234D2F07-A17A-49BE-8B89-9C6756315A38"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19.6", "versionEndExcluding": "6.19.10", "matchCriteriaId": "20A592B7-9A05-4B02-A583-F1B95CD93223"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:5.15.202:*:*:*:*:*:*:*", "matchCriteriaId": "822A7BB5-FF38-425A-B8A8-9F102CF92C36"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/2e369ba9eb7b8a06e9cc35a3e7fe73e59272f8c2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/68408e8f9e366ad9850a66ac65cb569f13bf6cd4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/8583f62259e1b315d5239371adfb36939cdab741", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/98473309a36acc271009b85e0bb53a4c0dddf5c2", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/bf504b229cb8d534eccbaeaa23eba34c05131e25", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e0c470049344e9346fff79d7e2362212c216665e", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/edf4c2aaee08e8fd503fbae705c801e92a0b55d7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}