FKIE_CVE-2026-23348

Vulnerability from fkie_nvd - Published: 2026-03-25 11:16 - Updated: 2026-04-24 18:08
Severity ?
4.7 (Medium) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: cxl: Fix race of nvdimm_bus object when creating nvdimm objects Found issue during running of cxl-translate.sh unit test. Adding a 3s sleep right before the test seems to make the issue reproduce fairly consistently. The cxl_translate module has dependency on cxl_acpi and causes orphaned nvdimm objects to reprobe after cxl_acpi is removed. The nvdimm_bus object is registered by the cxl_nvb object when cxl_acpi_probe() is called. With the nvdimm_bus object missing, __nd_device_register() will trigger NULL pointer dereference when accessing the dev->parent that points to &nvdimm_bus->dev. [ 192.884510] BUG: kernel NULL pointer dereference, address: 000000000000006c [ 192.895383] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20250812-19.fc42 08/12/2025 [ 192.897721] Workqueue: cxl_port cxl_bus_rescan_queue [cxl_core] [ 192.899459] RIP: 0010:kobject_get+0xc/0x90 [ 192.924871] Call Trace: [ 192.925959] <TASK> [ 192.926976] ? pm_runtime_init+0xb9/0xe0 [ 192.929712] __nd_device_register.part.0+0x4d/0xc0 [libnvdimm] [ 192.933314] __nvdimm_create+0x206/0x290 [libnvdimm] [ 192.936662] cxl_nvdimm_probe+0x119/0x1d0 [cxl_pmem] [ 192.940245] cxl_bus_probe+0x1a/0x60 [cxl_core] [ 192.943349] really_probe+0xde/0x380 This patch also relies on the previous change where devm_cxl_add_nvdimm_bridge() is called from drivers/cxl/pmem.c instead of drivers/cxl/core.c to ensure the dependency of cxl_acpi on cxl_pmem. 1. Set probe_type of cxl_nvb to PROBE_FORCE_SYNCHRONOUS to ensure the driver is probed synchronously when add_device() is called. 2. Add a check in __devm_cxl_add_nvdimm_bridge() to ensure that the cxl_nvb driver is attached during cxl_acpi_probe(). 3. Take the cxl_root uport_dev lock and the cxl_nvb->dev lock in devm_cxl_add_nvdimm() before checking nvdimm_bus is valid. 4. Set cxl_nvdimm flag to CXL_NVD_F_INVALIDATED so cxl_nvdimm_probe() will exit with -EBUSY. The removal of cxl_nvdimm devices should prevent any orphaned devices from probing once the nvdimm_bus is gone. [ dj: Fixed 0-day reported kdoc issue. ] [ dj: Fix cxl_nvb reference leak on error. Gregory (kreview-0811365) ]
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/5b230daeee420833287cc77314439903e5312f10Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/5fc4e150c5ada5f7d20d8f9f1b351f10481fbdf7Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/96a1fd0d84b17360840f344826897fa71049870ePatch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel 5.14
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1DE73683-A644-45C4-8FC6-3637F6AAE324",
              "versionEndExcluding": "6.18.17",
              "versionStartIncluding": "5.14.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "69245D10-0B71-485E-80C3-A64F077004D3",
              "versionEndExcluding": "6.19.7",
              "versionStartIncluding": "6.19",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.14:-:*:*:*:*:*:*",
              "matchCriteriaId": "6A05198E-F8FA-4517-8D0E-8C95066AED38",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*",
              "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*",
              "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*",
              "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl: Fix race of nvdimm_bus object when creating nvdimm objects\n\nFound issue during running of cxl-translate.sh unit test. Adding a 3s\nsleep right before the test seems to make the issue reproduce fairly\nconsistently. The cxl_translate module has dependency on cxl_acpi and\ncauses orphaned nvdimm objects to reprobe after cxl_acpi is removed.\nThe nvdimm_bus object is registered by the cxl_nvb object when\ncxl_acpi_probe() is called. With the nvdimm_bus object missing,\n__nd_device_register() will trigger NULL pointer dereference when\naccessing the dev-\u003eparent that points to \u0026nvdimm_bus-\u003edev.\n\n[  192.884510] BUG: kernel NULL pointer dereference, address: 000000000000006c\n[  192.895383] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20250812-19.fc42 08/12/2025\n[  192.897721] Workqueue: cxl_port cxl_bus_rescan_queue [cxl_core]\n[  192.899459] RIP: 0010:kobject_get+0xc/0x90\n[  192.924871] Call Trace:\n[  192.925959]  \u003cTASK\u003e\n[  192.926976]  ? pm_runtime_init+0xb9/0xe0\n[  192.929712]  __nd_device_register.part.0+0x4d/0xc0 [libnvdimm]\n[  192.933314]  __nvdimm_create+0x206/0x290 [libnvdimm]\n[  192.936662]  cxl_nvdimm_probe+0x119/0x1d0 [cxl_pmem]\n[  192.940245]  cxl_bus_probe+0x1a/0x60 [cxl_core]\n[  192.943349]  really_probe+0xde/0x380\n\nThis patch also relies on the previous change where\ndevm_cxl_add_nvdimm_bridge() is called from drivers/cxl/pmem.c instead\nof drivers/cxl/core.c to ensure the dependency of cxl_acpi on cxl_pmem.\n\n1. Set probe_type of cxl_nvb to PROBE_FORCE_SYNCHRONOUS to ensure the\n   driver is probed synchronously when add_device() is called.\n2. Add a check in __devm_cxl_add_nvdimm_bridge() to ensure that the\n   cxl_nvb driver is attached during cxl_acpi_probe().\n3. Take the cxl_root uport_dev lock and the cxl_nvb-\u003edev lock in\n   devm_cxl_add_nvdimm() before checking nvdimm_bus is valid.\n4. Set cxl_nvdimm flag to CXL_NVD_F_INVALIDATED so cxl_nvdimm_probe()\n   will exit with -EBUSY.\n\nThe removal of cxl_nvdimm devices should prevent any orphaned devices\nfrom probing once the nvdimm_bus is gone.\n\n[ dj: Fixed 0-day reported kdoc issue. ]\n[ dj: Fix cxl_nvb reference leak on error. Gregory (kreview-0811365) ]"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ncxl: Corrige la condici\u00f3n de carrera del objeto nvdimm_bus al crear objetos nvdimm\n\nSe encontr\u00f3 el problema durante la ejecuci\u00f3n de la prueba unitaria cxl-translate.sh. A\u00f1adir un retardo de 3s justo antes de la prueba parece hacer que el problema se reproduzca de forma bastante consistente. El m\u00f3dulo cxl_translate tiene una dependencia de cxl_acpi y provoca que los objetos nvdimm hu\u00e9rfanos se vuelvan a sondear despu\u00e9s de que se elimine cxl_acpi. El objeto nvdimm_bus es registrado por el objeto cxl_nvb cuando se llama a cxl_acpi_probe(). Al faltar el objeto nvdimm_bus, __nd_device_register() activar\u00e1 una desreferencia de puntero NULL al acceder a dev-\u0026gt;parent que apunta a \u0026amp;nvdimm_bus-\u0026gt;dev.\n\n[ 192.884510] BUG: desreferencia de puntero NULL del kernel, direcci\u00f3n: 000000000000006c\n[ 192.895383] Nombre del hardware: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20250812-19.fc42 08/12/2025\n[ 192.897721] Cola de trabajo: cxl_port cxl_bus_rescan_queue [cxl_core]\n[ 192.899459] RIP: 0010:kobject_get+0xc/0x90\n[ 192.924871] Traza de llamada:\n[ 192.925959] \n[ 192.926976] ? pm_runtime_init+0xb9/0xe0\n[ 192.929712] __nd_device_register.part.0+0x4d/0xc0 [libnvdimm]\n[ 192.933314] __nvdimm_create+0x206/0x290 [libnvdimm]\n[ 192.936662] cxl_nvdimm_probe+0x119/0x1d0 [cxl_pmem]\n[ 192.940245] cxl_bus_probe+0x1a/0x60 [cxl_core]\n[ 192.943349] really_probe+0xde/0x380\n\nEste parche tambi\u00e9n se basa en el cambio anterior donde se llama a devm_cxl_add_nvdimm_bridge() desde drivers/cxl/pmem.c en lugar de drivers/cxl/core.c para asegurar la dependencia de cxl_acpi en cxl_pmem.\n\n1. Establecer probe_type de cxl_nvb a PROBE_FORCE_SYNCHRONOUS para asegurar que el controlador sea sondeado sincr\u00f3nicamente cuando se llama a add_device().\n2. A\u00f1adir una comprobaci\u00f3n en __devm_cxl_add_nvdimm_bridge() para asegurar que el controlador cxl_nvb est\u00e9 adjunto durante cxl_acpi_probe().\n3. Tomar el bloqueo cxl_root uport_dev y el bloqueo cxl_nvb-\u0026gt;dev en devm_cxl_add_nvdimm() antes de comprobar que nvdimm_bus es v\u00e1lido.\n4. Establecer el indicador cxl_nvdimm a CXL_NVD_F_INVALIDATED para que cxl_nvdimm_probe() salga con -EBUSY.\n\nLa eliminaci\u00f3n de dispositivos cxl_nvdimm deber\u00eda evitar que cualquier dispositivo hu\u00e9rfano se sondee una vez que el nvdimm_bus haya desaparecido.\n\n[ dj: Se corrigi\u00f3 el problema de kdoc reportado el d\u00eda 0. ]\n[ dj: Corrige la fuga de referencia de cxl_nvb en caso de error. Gregory (kreview-0811365) ]"
    }
  ],
  "id": "CVE-2026-23348",
  "lastModified": "2026-04-24T18:08:42.630",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 4.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.0,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-03-25T11:16:33.050",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/5b230daeee420833287cc77314439903e5312f10"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/5fc4e150c5ada5f7d20d8f9f1b351f10481fbdf7"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/96a1fd0d84b17360840f344826897fa71049870e"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-362"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.