{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23183", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.984Z", "datePublished": "2026-02-14T16:27:13.482Z", "dateUpdated": "2026-05-11T22:01:55.689Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:01:55.689Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup/dmem: fix NULL pointer dereference when setting max\n\nAn issue was triggered:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 15 UID: 0 PID: 658 Comm: bash Tainted: 6.19.0-rc6-next-2026012\n Tainted: [O]=OOT_MODULE\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),\n RIP: 0010:strcmp+0x10/0x30\n RSP: 0018:ffffc900017f7dc0 EFLAGS: 00000246\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff888107cd4358\n RDX: 0000000019f73907 RSI: ffffffff82cc381a RDI: 0000000000000000\n RBP: ffff8881016bef0d R08: 000000006c0e7145 R09: 0000000056c0e714\n R10: 0000000000000001 R11: ffff888107cd4358 R12: 0007ffffffffffff\n R13: ffff888101399200 R14: ffff888100fcb360 R15: 0007ffffffffffff\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 0000000105c79000 CR4: 00000000000006f0\n Call Trace:\n <TASK>\n dmemcg_limit_write.constprop.0+0x16d/0x390\n ? __pfx_set_resource_max+0x10/0x10\n kernfs_fop_write_iter+0x14e/0x200\n vfs_write+0x367/0x510\n ksys_write+0x66/0xe0\n do_syscall_64+0x6b/0x390\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7f42697e1887\n\nIt was trriggered setting max without limitation, the command is like:\n\"echo test/region0 > dmem.max\". To fix this issue, add check whether\noptions is valid after parsing the region_name."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/cgroup/dmem.c"], "versions": [{"version": "b168ed458ddecc176f3b9a1f4bcd83d7a4541c14", "lessThan": "c13816e8fa23deec6a8d7465d9e637fd02683b5c", "status": "affected", "versionType": "git"}, {"version": "b168ed458ddecc176f3b9a1f4bcd83d7a4541c14", "lessThan": "43151f812886be1855d2cba059f9c93e4729460b", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["kernel/cgroup/dmem.c"], "versions": [{"version": "6.14", "status": "affected"}, {"version": "0", "lessThan": "6.14", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.10", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14", "versionEndExcluding": "6.18.10"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14", "versionEndExcluding": "6.19"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/c13816e8fa23deec6a8d7465d9e637fd02683b5c"}, {"url": "https://git.kernel.org/stable/c/43151f812886be1855d2cba059f9c93e4729460b"}], "title": "cgroup/dmem: fix NULL pointer dereference when setting max", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup/dmem: fix NULL pointer dereference when setting max\n\nAn issue was triggered:\n\n BUG: kernel NULL pointer dereference, address: 0000000000000000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 15 UID: 0 PID: 658 Comm: bash Tainted: 6.19.0-rc6-next-2026012\n Tainted: [O]=OOT_MODULE\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),\n RIP: 0010:strcmp+0x10/0x30\n RSP: 0018:ffffc900017f7dc0 EFLAGS: 00000246\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff888107cd4358\n RDX: 0000000019f73907 RSI: ffffffff82cc381a RDI: 0000000000000000\n RBP: ffff8881016bef0d R08: 000000006c0e7145 R09: 0000000056c0e714\n R10: 0000000000000001 R11: ffff888107cd4358 R12: 0007ffffffffffff\n R13: ffff888101399200 R14: ffff888100fcb360 R15: 0007ffffffffffff\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 0000000105c79000 CR4: 00000000000006f0\n Call Trace:\n <TASK>\n dmemcg_limit_write.constprop.0+0x16d/0x390\n ? __pfx_set_resource_max+0x10/0x10\n kernfs_fop_write_iter+0x14e/0x200\n vfs_write+0x367/0x510\n ksys_write+0x66/0xe0\n do_syscall_64+0x6b/0x390\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7f42697e1887\n\nIt was trriggered setting max without limitation, the command is like:\n\"echo test/region0 > dmem.max\". To fix this issue, add check whether\noptions is valid after parsing the region_name."}, {"lang": "es", "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\ncgroup/dmem: correcci\u00f3n de desreferencia de puntero NULL al establecer el m\u00e1ximo\n\nUn problema se desencaden\u00f3:\n\n BUG: desreferencia de puntero NULL del kernel, direcci\u00f3n: 0000000000000000\n #PF: acceso de lectura de supervisor en modo kernel\n #PF: c\u00f3digo_de_error(0x0000) - p\u00e1gina no presente\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] SMP NOPTI\n CPU: 15 UID: 0 PID: 658 Comm: bash Tainted: 6.19.0-rc6-next-2026012\n Tainted: [O]=OOT_MODULE\n Nombre del hardware: QEMU Standard PC (i440FX + PIIX, 1996),\n RIP: 0010:strcmp+0x10/0x30\n RSP: 0018:ffffc900017f7dc0 EFLAGS: 00000246\n RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff888107cd4358\n RDX: 0000000019f73907 RSI: ffffffff82cc381a RDI: 0000000000000000\n RBP: ffff8881016bef0d R08: 000000006c0e7145 R09: 0000000056c0e714\n R10: 0000000000000001 R11: ffff888107cd4358 R12: 0007ffffffffffff\n R13: ffff888101399200 R14: ffff888100fcb360 R15: 0007ffffffffffff\n CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000000 CR3: 0000000105c79000 CR4: 00000000000006f0\n Rastro de Llamada:\n \n dmemcg_limit_write.constprop.0+0x16d/0x390\n ? __pfx_set_resource_max+0x10/0x10\n kernfs_fop_write_iter+0x14e/0x200\n vfs_write+0x367/0x510\n ksys_write+0x66/0xe0\n do_syscall_64+0x6b/0x390\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n RIP: 0033:0x7f42697e1887\n\nSe desencaden\u00f3 al establecer el m\u00e1ximo sin limitaci\u00f3n, el comando es como:\n\"echo test/region0 &gt; dmem.max\". Para solucionar este problema, a\u00f1adir una comprobaci\u00f3n de si las opciones son v\u00e1lidas despu\u00e9s de analizar el region_name."}], "id": "CVE-2026-23183", "lastModified": "2026-04-15T14:34:27.800", "metrics": {}, "published": "2026-02-14T17:15:56.067", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/43151f812886be1855d2cba059f9c93e4729460b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c13816e8fa23deec6a8d7465d9e637fd02683b5c"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Deferred"}

{"bugzilla": {"description": "kernel: cgroup/dmem: fix NULL pointer dereference when setting max", "id": "2439890", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439890"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\ncgroup/dmem: fix NULL pointer dereference when setting max\nAn issue was triggered:\nBUG: kernel NULL pointer dereference, address: 0000000000000000\n#PF: supervisor read access in kernel mode\n#PF: error_code(0x0000) - not-present page\nPGD 0 P4D 0\nOops: Oops: 0000 [#1] SMP NOPTI\nCPU: 15 UID: 0 PID: 658 Comm: bash Tainted: 6.19.0-rc6-next-2026012\nTainted: [O]=OOT_MODULE\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996),\nRIP: 0010:strcmp+0x10/0x30\nRSP: 0018:ffffc900017f7dc0 EFLAGS: 00000246\nRAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff888107cd4358\nRDX: 0000000019f73907 RSI: ffffffff82cc381a RDI: 0000000000000000\nRBP: ffff8881016bef0d R08: 000000006c0e7145 R09: 0000000056c0e714\nR10: 0000000000000001 R11: ffff888107cd4358 R12: 0007ffffffffffff\nR13: ffff888101399200 R14: ffff888100fcb360 R15: 0007ffffffffffff\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000000 CR3: 0000000105c79000 CR4: 00000000000006f0\nCall Trace:\n<TASK>\ndmemcg_limit_write.constprop.0+0x16d/0x390\n? __pfx_set_resource_max+0x10/0x10\nkernfs_fop_write_iter+0x14e/0x200\nvfs_write+0x367/0x510\nksys_write+0x66/0xe0\ndo_syscall_64+0x6b/0x390\nentry_SYSCALL_64_after_hwframe+0x76/0x7e\nRIP: 0033:0x7f42697e1887\nIt was trriggered setting max without limitation, the command is like:\n\"echo test/region0 > dmem.max\". To fix this issue, add check whether\noptions is valid after parsing the region_name."], "name": "CVE-2026-23183", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23183\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23183\nhttps://lore.kernel.org/linux-cve-announce/2026021430-CVE-2026-23183-b758@gregkh/T"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b168ed458ddecc176f3b9a1f4bcd83d7a4541c14,c13816e8fa23deec6a8d7465d9e637fd02683b5c)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[b168ed458ddecc176f3b9a1f4bcd83d7a4541c14,43151f812886be1855d2cba059f9c93e4729460b)"}}], "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.14"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.14)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.10,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[6.19,*]"}}], "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-18T12:14:48.016483+00:00", "value": {"mitigation_remediation": ["Upgrade the kernel to a version that includes the null\u2011pointer check added to dmemcg_limit_write; the commit that resolves the issue is in releases newer than the 6.19.0\u2011rc6\u2011next build.", "If a kernel upgrade cannot be performed immediately, revoke write permissions on /sys/fs/cgroup/dmem/dmem.max for non\u2011privileged users or enforce tighter ACLs so that only trusted accounts can modify the file.", "Do not write to dmem.max without specifying a non\u2011zero limit; specifying an explicit resource quota prevents the null pointer dereference from being triggered."], "summary": {"action": "Apply Patch", "impact": "Kernel Crash (Denial of Service)"}, "threat_synthesis": {"affected_systems": "All Linux kernel builds that implement the cgroup/dmem interface and lack the recent patch are vulnerable. The issue was observed in a 6.19.0-rc6-next build and is addressed in newer releases of the kernel. Distributions shipping kernel versions preceding the fix remain at risk regardless of other configuration settings.", "description_and_impact": "The flaw is a null pointer dereference that occurs in the Linux kernel\u2019s cgroup/dmem subsystem when an administrator writes to the dmem.max file without specifying a resource limit. The kernel then crashes into an Oops state, causing a kernel panic that renders the host system unavailable. This vulnerability does not grant code execution or privilege escalation on its own; its primary consequence is an availability loss for the affected machine.", "risk_and_exploitability": "With a CVSS score of 5.5 the engineering severity is moderate. An EPSS score of less than 1% indicates that the likelihood of real-world exploitation is currently extremely low, and the vulnerability is not listed in CISA\u2019s KEV catalog. The attack vector is inferred from the description: local access with the ability to write to /sys/fs/cgroup/dmem/dmem.max, typically requiring root or privileged access. When written to without a limit, the kernel panics, but no further compromise is possible beyond the denial of service."}}}}, "created": "2026-02-16T09:43:52.976608+00:00", "updated": "2026-04-18T12:15:15.790790+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"], "weaknesses": ["CWE-476"]}