{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23063", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.953Z", "datePublished": "2026-02-04T16:07:45.426Z", "dateUpdated": "2026-05-11T21:59:17.047Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:59:17.047Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nuacce: ensure safe queue release with state management\n\nDirectly calling `put_queue` carries risks since it cannot\nguarantee that resources of `uacce_queue` have been fully released\nbeforehand. So adding a `stop_queue` operation for the\nUACCE_CMD_PUT_Q command and leaving the `put_queue` operation to\nthe final resource release ensures safety.\n\nQueue states are defined as follows:\n- UACCE_Q_ZOMBIE: Initial state\n- UACCE_Q_INIT: After opening `uacce`\n- UACCE_Q_STARTED: After `start` is issued via `ioctl`\n\nWhen executing `poweroff -f` in virt while accelerator are still\nworking, `uacce_fops_release` and `uacce_remove` may execute\nconcurrently. This can cause `uacce_put_queue` within\n`uacce_fops_release` to access a NULL `ops` pointer. Therefore, add\nstate checks to prevent accessing freed pointers."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/misc/uacce/uacce.c"], "versions": [{"version": "015d239ac0142ad0e26567fd890ef8d171f13709", "lessThan": "b457abeb5d962db88aaf60e249402fd3073dbfab", "status": "affected", "versionType": "git"}, {"version": "015d239ac0142ad0e26567fd890ef8d171f13709", "lessThan": "8b57bf1d3b1db692f34bce694a03e41be79f6016", "status": "affected", "versionType": "git"}, {"version": "015d239ac0142ad0e26567fd890ef8d171f13709", "lessThan": "336fb41a186e7c0415ae94fec9e23d1f04b87483", "status": "affected", "versionType": "git"}, {"version": "015d239ac0142ad0e26567fd890ef8d171f13709", "lessThan": "43f233eb6e7b9d88536881a9bc43726d0e34800d", "status": "affected", "versionType": "git"}, {"version": "015d239ac0142ad0e26567fd890ef8d171f13709", "lessThan": "47634d70073890c9c37e39ab4ff93d4b585b028a", "status": "affected", "versionType": "git"}, {"version": "015d239ac0142ad0e26567fd890ef8d171f13709", "lessThan": "92e4f11e29b98ef424ff72d6371acac03e5d973c", "status": "affected", "versionType": "git"}, {"version": "015d239ac0142ad0e26567fd890ef8d171f13709", "lessThan": "26c08dabe5475d99a13f353d8dd70e518de45663", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/misc/uacce/uacce.c"], "versions": [{"version": "5.7", "status": "affected"}, {"version": "0", "lessThan": "5.7", "status": "unaffected", "versionType": "semver"}, {"version": "5.10.249", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.199", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.162", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.122", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.68", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.8", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "5.10.249"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "5.15.199"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.1.162"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.6.122"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.12.68"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.18.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.7", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/b457abeb5d962db88aaf60e249402fd3073dbfab"}, {"url": "https://git.kernel.org/stable/c/8b57bf1d3b1db692f34bce694a03e41be79f6016"}, {"url": "https://git.kernel.org/stable/c/336fb41a186e7c0415ae94fec9e23d1f04b87483"}, {"url": "https://git.kernel.org/stable/c/43f233eb6e7b9d88536881a9bc43726d0e34800d"}, {"url": "https://git.kernel.org/stable/c/47634d70073890c9c37e39ab4ff93d4b585b028a"}, {"url": "https://git.kernel.org/stable/c/92e4f11e29b98ef424ff72d6371acac03e5d973c"}, {"url": "https://git.kernel.org/stable/c/26c08dabe5475d99a13f353d8dd70e518de45663"}], "title": "uacce: ensure safe queue release with state management", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "5B635197-F169-4155-A953-A712BDD15376", "versionEndExcluding": "5.10.249", "versionStartIncluding": "5.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A247FBA6-BEB9-484F-B892-DD5517949CCD", "versionEndExcluding": "5.15.199", "versionStartIncluding": "5.11", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6579E0D4-0641-479D-A4C3-0EF618798C55", "versionEndExcluding": "6.1.162", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "8EAAE395-0162-4BAF-9AD5-E9AF3C869C4F", "versionEndExcluding": "6.6.122", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "52F38E19-0FDD-4992-9D6D-D4169D689598", "versionEndExcluding": "6.12.68", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E65C6E79-7EBE-4C77-93F0-818CF5B38F4E", "versionEndExcluding": "6.18.8", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nuacce: ensure safe queue release with state management\n\nDirectly calling `put_queue` carries risks since it cannot\nguarantee that resources of `uacce_queue` have been fully released\nbeforehand. So adding a `stop_queue` operation for the\nUACCE_CMD_PUT_Q command and leaving the `put_queue` operation to\nthe final resource release ensures safety.\n\nQueue states are defined as follows:\n- UACCE_Q_ZOMBIE: Initial state\n- UACCE_Q_INIT: After opening `uacce`\n- UACCE_Q_STARTED: After `start` is issued via `ioctl`\n\nWhen executing `poweroff -f` in virt while accelerator are still\nworking, `uacce_fops_release` and `uacce_remove` may execute\nconcurrently. This can cause `uacce_put_queue` within\n`uacce_fops_release` to access a NULL `ops` pointer. Therefore, add\nstate checks to prevent accessing freed pointers."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nuacce: asegurar la liberaci\u00f3n segura de la cola con gesti\u00f3n de estado\n\nLlamar directamente a 'put_queue' conlleva riesgos ya que no puede garantizar que los recursos de 'uacce_queue' hayan sido completamente liberados de antemano. Por lo tanto, a\u00f1adir una operaci\u00f3n 'stop_queue' para el comando UACCE_CMD_PUT_Q y dejar la operaci\u00f3n 'put_queue' para la liberaci\u00f3n final de recursos garantiza la seguridad.\n\nLos estados de la cola se definen de la siguiente manera:\n- UACCE_Q_ZOMBIE: Estado inicial\n- UACCE_Q_INIT: Despu\u00e9s de abrir 'uacce'\n- UACCE_Q_STARTED: Despu\u00e9s de que se emite 'start' a trav\u00e9s de 'ioctl'\n\nAl ejecutar 'poweroff -f' en virt mientras el acelerador sigue funcionando, 'uacce_fops_release' y 'uacce_remove' pueden ejecutarse concurrentemente. Esto puede causar que 'uacce_put_queue' dentro de 'uacce_fops_release' acceda a un puntero 'ops' NULL. Por lo tanto, a\u00f1adir comprobaciones de estado para evitar acceder a punteros liberados."}], "id": "CVE-2026-23063", "lastModified": "2026-03-13T21:28:17.910", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-04T17:16:16.987", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/26c08dabe5475d99a13f353d8dd70e518de45663"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/336fb41a186e7c0415ae94fec9e23d1f04b87483"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/43f233eb6e7b9d88536881a9bc43726d0e34800d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/47634d70073890c9c37e39ab4ff93d4b585b028a"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/8b57bf1d3b1db692f34bce694a03e41be79f6016"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/92e4f11e29b98ef424ff72d6371acac03e5d973c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b457abeb5d962db88aaf60e249402fd3073dbfab"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: uacce: ensure safe queue release with state management", "id": "2436780", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436780"}, "csaw": false, "details": ["No description is available for this CVE."], "name": "CVE-2026-23063", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23063\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23063\nhttps://lore.kernel.org/linux-cve-announce/2026020415-CVE-2026-23063-d727@gregkh/T"]}

{"analysis": {"en": {"generated_at": "2026-04-18T13:56:21.896741+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that incorporates the fix, such as 6.19.1 or later.", "If a kernel upgrade cannot be performed immediately, disable or remove the uacce driver from the system configuration to eliminate the vulnerable code path.", "Modify shutdown procedures to ensure that any uacce resources are released before issuing a poweroff command, preventing the race condition that triggers the null pointer dereference."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Linux kernel versions 6.19 RC1 through RC6 are affected; any host running those kernels without the latest patch is at risk. The patch also applies to earlier 6.19 releases that share the same vulnerable code path, though the CPE list specifically lists only the release candidates.", "description_and_impact": "The flaw occurs when the Linux kernel\u2019s uacce driver attempts to call the internal put_queue function without ensuring that the driver\u2019s state has been properly transitioned to a safe release phase. This oversight can lead to a null pointer dereference of the ops structure during a concurrent poweroff operation on virtualized systems, causing the kernel to crash. The weakness is a classic null pointer dereference (CWE\u2011476).", "risk_and_exploitability": "The CVSS score of 5.5 indicates medium severity, and the EPSS score of less than 1\u202f% suggests that exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local privileged access: an attacker must be able to issue the UACCE_CMD_PUT_Q ioctl or otherwise trigger the put_queue function while a poweroff command is concurrently being executed, such as during a forced shutdown of a virtual machine that still has the accelerator device active. Successful exploitation would crash the kernel, resulting in a denial of service of the entire system."}}}}, "created": "2026-04-18T14:00:02.186955+00:00", "updated": "2026-04-18T14:00:02.186970+00:00", "vendors": []}