{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23094", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.963Z", "datePublished": "2026-02-04T16:08:17.061Z", "dateUpdated": "2026-05-11T21:59:53.127Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T21:59:53.127Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nuacce: fix isolate sysfs check condition\n\nuacce supports the device isolation feature. If the driver\nimplements the isolate_err_threshold_read and\nisolate_err_threshold_write callback functions, uacce will create\nsysfs files now. Users can read and configure the isolation policy\nthrough sysfs. Currently, sysfs files are created as long as either\nisolate_err_threshold_read or isolate_err_threshold_write callback\nfunctions are present.\n\nHowever, accessing a non-existent callback function may cause the\nsystem to crash. Therefore, intercept the creation of sysfs if\nneither read nor write exists; create sysfs if either is supported,\nbut intercept unsupported operations at the call site."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/misc/uacce/uacce.c"], "versions": [{"version": "e3e289fbc0b520cf469469e8cdba84a50424eb65", "lessThan": "9ab05cdcac354b1b1139918f49c6418b9005d042", "status": "affected", "versionType": "git"}, {"version": "e3e289fbc0b520cf469469e8cdba84a50424eb65", "lessThan": "fdbbb47d15ae17bf39fafec7e2028c1f8efba15e", "status": "affected", "versionType": "git"}, {"version": "e3e289fbc0b520cf469469e8cdba84a50424eb65", "lessThan": "82821a681d5dcce31475a65190fc39ea8f372cc0", "status": "affected", "versionType": "git"}, {"version": "e3e289fbc0b520cf469469e8cdba84a50424eb65", "lessThan": "98eec349259b1fd876f350b1c600403bcef8f85d", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/misc/uacce/uacce.c"], "versions": [{"version": "6.3", "status": "affected"}, {"version": "0", "lessThan": "6.3", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.122", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.68", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.8", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.6.122"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.12.68"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.18.8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/9ab05cdcac354b1b1139918f49c6418b9005d042"}, {"url": "https://git.kernel.org/stable/c/fdbbb47d15ae17bf39fafec7e2028c1f8efba15e"}, {"url": "https://git.kernel.org/stable/c/82821a681d5dcce31475a65190fc39ea8f372cc0"}, {"url": "https://git.kernel.org/stable/c/98eec349259b1fd876f350b1c600403bcef8f85d"}], "title": "uacce: fix isolate sysfs check condition", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "DA5AD755-3F64-45B9-8709-1D24A061B353", "versionEndExcluding": "6.6.122", "versionStartIncluding": "6.3", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "52F38E19-0FDD-4992-9D6D-D4169D689598", "versionEndExcluding": "6.12.68", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "E65C6E79-7EBE-4C77-93F0-818CF5B38F4E", "versionEndExcluding": "6.18.8", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*", "matchCriteriaId": "17B67AA7-40D6-4AFA-8459-F200F3D7CFD1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*", "matchCriteriaId": "C47E4CC9-C826-4FA9-B014-7FE3D9B318B2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*", "matchCriteriaId": "F71D92C0-C023-48BD-B3B6-70B638EEE298", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*", "matchCriteriaId": "13580667-0A98-40CC-B29F-D12790B91BDB", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*", "matchCriteriaId": "CAD1FED7-CF48-47BF-AC7D-7B6FA3C065FC", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*", "matchCriteriaId": "3EF854A1-ABB1-4E93-BE9A-44569EC76C0D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nuacce: fix isolate sysfs check condition\n\nuacce supports the device isolation feature. If the driver\nimplements the isolate_err_threshold_read and\nisolate_err_threshold_write callback functions, uacce will create\nsysfs files now. Users can read and configure the isolation policy\nthrough sysfs. Currently, sysfs files are created as long as either\nisolate_err_threshold_read or isolate_err_threshold_write callback\nfunctions are present.\n\nHowever, accessing a non-existent callback function may cause the\nsystem to crash. Therefore, intercept the creation of sysfs if\nneither read nor write exists; create sysfs if either is supported,\nbut intercept unsupported operations at the call site."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nuacce: corregir la condici\u00f3n de verificaci\u00f3n de sysfs de aislamiento\n\nuacce soporta la caracter\u00edstica de aislamiento de dispositivos. Si el controlador implementa las funciones de callback isolate_err_threshold_read e isolate_err_threshold_write, uacce crear\u00e1 archivos sysfs ahora. Los usuarios pueden leer y configurar la pol\u00edtica de aislamiento a trav\u00e9s de sysfs. Actualmente, los archivos sysfs se crean siempre que est\u00e9n presentes las funciones de callback isolate_err_threshold_read o isolate_err_threshold_write.\n\nSin embargo, acceder a una funci\u00f3n de callback inexistente puede causar que el sistema falle. Por lo tanto, interceptar la creaci\u00f3n de sysfs si no existe ni lectura ni escritura; crear sysfs si se soporta cualquiera de los dos, pero interceptar las operaciones no soportadas en el sitio de la llamada."}], "id": "CVE-2026-23094", "lastModified": "2026-03-17T21:09:04.757", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-04T17:16:20.273", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/82821a681d5dcce31475a65190fc39ea8f372cc0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/98eec349259b1fd876f350b1c600403bcef8f85d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9ab05cdcac354b1b1139918f49c6418b9005d042"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/fdbbb47d15ae17bf39fafec7e2028c1f8efba15e"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: uacce: fix isolate sysfs check condition", "id": "2436820", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2436820"}, "csaw": false, "details": ["No description is available for this CVE."], "name": "CVE-2026-23094", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23094\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23094\nhttps://lore.kernel.org/linux-cve-announce/2026020426-CVE-2026-23094-9cb7@gregkh/T"]}

{"analysis": {"en": {"generated_at": "2026-04-18T13:51:57.707495+00:00", "value": {"mitigation_remediation": ["Upgrade to a kernel version that includes the uacce isolation sysfs fix (stable 6.19 or later).", "If an upgrade cannot yet be applied, unload or disable the uacce driver or prevent the hardware that triggers it from being initialized to avoid the crash until a patched kernel is available.", "Apply the upstream kernel patch that restores the conditional check for the existence of callback functions (commit 82821a6) to fix the null pointer dereference if you maintain a custom kernel build."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service \u2013 system crash via invalid sysfs access"}, "threat_synthesis": {"affected_systems": "All Linux kernel configurations that ship the uacce driver before the fix, specifically kernel 6.19 release candidates rc1 through rc6 and any derivative kernels that have not applied the patch. Any distribution that retains the unpatched code will be affected until the kernel is updated to the fixed version.", "description_and_impact": "The Linux kernel\u2019s uacce driver manages device isolation by creating sysfs entries when callback functions for reading or writing isolation thresholds are present. A logic error caused the driver to attempt to use a callback even when it was absent, leading the kernel to dereference a null pointer and crash. The crash results in a denial\u2011of\u2011service condition that brings the entire system down, with no data loss but an interruption of availability.", "risk_and_exploitability": "The CVSS score of 5.5 rates the vulnerability as moderate. EPSS below 1% indicates a low current exploitation likelihood. The attack vector is local, requiring the ability to register a device that loads the uacce driver or to write to its sysfs interfaces. Since the flaw manifests when the driver creates entries for nonexistent callbacks, a user with root or local device\u2011management privileges could trigger it. No exploits are recorded in the KEV catalog; the risk is operational rather than financial."}}}}, "created": "2026-04-18T14:00:02.183303+00:00", "title": "Linux Kernel uacce Sysfs Crash via Null Callback Access", "updated": "2026-04-18T14:00:02.183317+00:00", "vendors": [], "weaknesses": ["CWE-476"]}