{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23221", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.987Z", "datePublished": "2026-02-18T14:53:24.391Z", "dateUpdated": "2026-05-11T22:02:39.852Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:02:39.852Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: fsl-mc: fix use-after-free in driver_override_show()\n\nThe driver_override_show() function reads the driver_override string\nwithout holding the device_lock. However, driver_override_store() uses\ndriver_set_override(), which modifies and frees the string while holding\nthe device_lock.\n\nThis can result in a concurrent use-after-free if the string is freed\nby the store function while being read by the show function.\n\nFix this by holding the device_lock around the read operation."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/bus/fsl-mc/fsl-mc-bus.c"], "versions": [{"version": "1f86a00c1159fd77e66b1bd6ff1a183f4d46f34d", "lessThan": "c71dfb7833db7af652ee8f65011f14c97c47405d", "status": "affected", "versionType": "git"}, {"version": "1f86a00c1159fd77e66b1bd6ff1a183f4d46f34d", "lessThan": "c424e72cfa67e7e1477035058a8a659f2c0ea637", "status": "affected", "versionType": "git"}, {"version": "1f86a00c1159fd77e66b1bd6ff1a183f4d46f34d", "lessThan": "b1983840287303e0dfb401b1b6cecc5ea7471e90", "status": "affected", "versionType": "git"}, {"version": "1f86a00c1159fd77e66b1bd6ff1a183f4d46f34d", "lessThan": "dd8ba8c0c3f3916d4ee1e3a09da9cd5caff5d227", "status": "affected", "versionType": "git"}, {"version": "1f86a00c1159fd77e66b1bd6ff1a183f4d46f34d", "lessThan": "1d6bd6183e723a7b256ff34bbb5b498b5f4f2ec0", "status": "affected", "versionType": "git"}, {"version": "1f86a00c1159fd77e66b1bd6ff1a183f4d46f34d", "lessThan": "a2ae33e1c6361e960a4d00f7cf75d880b54f9528", "status": "affected", "versionType": "git"}, {"version": "1f86a00c1159fd77e66b1bd6ff1a183f4d46f34d", "lessThan": "148891e95014b5dc5878acefa57f1940c281c431", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/bus/fsl-mc/fsl-mc-bus.c"], "versions": [{"version": "5.10", "status": "affected"}, {"version": "0", "lessThan": "5.10", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.201", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.164", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.127", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.74", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.11", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.1", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "5.15.201"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "6.1.164"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "6.6.127"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "6.12.74"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "6.18.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "6.19.1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/c71dfb7833db7af652ee8f65011f14c97c47405d"}, {"url": "https://git.kernel.org/stable/c/c424e72cfa67e7e1477035058a8a659f2c0ea637"}, {"url": "https://git.kernel.org/stable/c/b1983840287303e0dfb401b1b6cecc5ea7471e90"}, {"url": "https://git.kernel.org/stable/c/dd8ba8c0c3f3916d4ee1e3a09da9cd5caff5d227"}, {"url": "https://git.kernel.org/stable/c/1d6bd6183e723a7b256ff34bbb5b498b5f4f2ec0"}, {"url": "https://git.kernel.org/stable/c/a2ae33e1c6361e960a4d00f7cf75d880b54f9528"}, {"url": "https://git.kernel.org/stable/c/148891e95014b5dc5878acefa57f1940c281c431"}], "title": "bus: fsl-mc: fix use-after-free in driver_override_show()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "99A7FD63-65A5-4FBC-ADC3-8C52BBF74B23", "versionEndExcluding": "5.15.201", "versionStartIncluding": "5.10", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "6892F74B-3F14-4500-9652-24A2ECB04144", "versionEndExcluding": "6.1.164", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4A9F36A3-A685-48A0-84B4-6217052BD058", "versionEndExcluding": "6.6.127", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "C2968F55-D03F-42BE-A694-F0A37BC8CBE3", "versionEndExcluding": "6.12.74", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "7099A9EC-3D54-4424-BF01-7224EF88C79C", "versionEndExcluding": "6.18.11", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "EE543C0D-A06B-414F-A403-CB1E088F261E", "versionEndExcluding": "6.19.1", "versionStartIncluding": "6.19", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: fsl-mc: fix use-after-free in driver_override_show()\n\nThe driver_override_show() function reads the driver_override string\nwithout holding the device_lock. However, driver_override_store() uses\ndriver_set_override(), which modifies and frees the string while holding\nthe device_lock.\n\nThis can result in a concurrent use-after-free if the string is freed\nby the store function while being read by the show function.\n\nFix this by holding the device_lock around the read operation."}, {"lang": "es", "value": "Se ha resuelto la siguiente vulnerabilidad en el kernel de Linux:\n\nbus: fsl-mc: correcci\u00f3n de uso despu\u00e9s de liberaci\u00f3n en driver_override_show()\n\nLa funci\u00f3n driver_override_show() lee la cadena driver_override sin mantener el device_lock. Sin embargo, driver_override_store() utiliza driver_set_override(), que modifica y libera la cadena mientras mantiene el device_lock.\n\nEsto puede resultar en un uso despu\u00e9s de liberaci\u00f3n concurrente si la cadena es liberada por la funci\u00f3n store mientras es le\u00edda por la funci\u00f3n show.\n\nSolucionar esto manteniendo el device_lock alrededor de la operaci\u00f3n de lectura."}], "id": "CVE-2026-23221", "lastModified": "2026-03-18T14:50:04.377", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-18T16:22:31.820", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/148891e95014b5dc5878acefa57f1940c281c431"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/1d6bd6183e723a7b256ff34bbb5b498b5f4f2ec0"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a2ae33e1c6361e960a4d00f7cf75d880b54f9528"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/b1983840287303e0dfb401b1b6cecc5ea7471e90"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c424e72cfa67e7e1477035058a8a659f2c0ea637"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c71dfb7833db7af652ee8f65011f14c97c47405d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/dd8ba8c0c3f3916d4ee1e3a09da9cd5caff5d227"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: bus: fsl-mc: fix use-after-free in driver_override_show()", "id": "2440662", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440662"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-23221", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23221\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23221\nhttps://lore.kernel.org/linux-cve-announce/2026021806-CVE-2026-23221-43ae@gregkh/T"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,1d6bd6183e723a7b256ff34bbb5b498b5f4f2ec0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,a2ae33e1c6361e960a4d00f7cf75d880b54f9528)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.11,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.1,6.20.0)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-15T16:16:57.053169+00:00", "value": {"mitigation_remediation": ["Apply the kernel patch that holds the device_lock around driver_override_show, as outlined in the available commit history.", "If the fsl\u2011mc driver is not required, unload the driver or disable its driver_override interface to remove the attack surface.", "Restrict write access to the driver_override sysfs entry to privileged users only to prevent accidental or malicious unlocking."], "summary": {"action": "Immediate Patch", "impact": "Memory corruption leading to loss of integrity and possible denial of service"}, "threat_synthesis": {"affected_systems": "All Linux kernel installations that include the fsl\u2011mc driver are potentially affected. No specific kernel version range is listed, so any build containing the vulnerable code path should apply the patch when available.", "description_and_impact": "This vulnerability is a use\u2011after\u2011free in the fsl\u2011mc driver\u2019s driver_override_show() function. The show routine reads the driver_override string without holding the device_lock, while the store routine may free the string under the lock. A concurrent request can therefore trigger a use\u2011after\u2011free, corrupting kernel memory, crashing the system, or, in the worst case, enabling arbitrary code execution.", "risk_and_exploitability": "The CVSS score of 7.8 reflects a high\u2011moderate severity with a low exploit probability (EPSS < 1%). The vulnerability is not listed in CISA\u2019s KEV catalog. The attack vector is likely local privileged access to the fsl\u2011mc driver interface, where an attacker can trigger the store and show operations concurrently to exploit the use\u2011after\u2011free."}}}}, "created": "2026-02-19T10:11:50.247760+00:00", "updated": "2026-04-15T17:30:10.421596+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}