{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23288", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.992Z", "datePublished": "2026-03-25T10:26:47.458Z", "dateUpdated": "2026-05-11T22:03:58.297Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:03:58.297Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/amdxdna: Fix out-of-bounds memset in command slot handling\n\nThe remaining space in a command slot may be smaller than the size of\nthe command header. Clearing the command header with memset() before\nverifying the available slot space can result in an out-of-bounds write\nand memory corruption.\n\nFix this by moving the memset() call after the size validation."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/accel/amdxdna/aie2_message.c"], "versions": [{"version": "13ae1a6000f7d8b09478e3128e87d45e89c7282f", "lessThan": "cca770d710d5e03bc814af585cd6975eb6d74074", "status": "affected", "versionType": "git"}, {"version": "3d32eb7a5ecff92d83a5fd34c45c171c17d3d5d0", "lessThan": "1110a949675ebd56b3f0286e664ea543f745801c", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/accel/amdxdna/aie2_message.c"], "versions": [{"version": "6.19.4", "lessThan": "6.19.7", "status": "affected", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19.4", "versionEndExcluding": "6.19.7"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/cca770d710d5e03bc814af585cd6975eb6d74074"}, {"url": "https://git.kernel.org/stable/c/1110a949675ebd56b3f0286e664ea543f745801c"}], "title": "accel/amdxdna: Fix out-of-bounds memset in command slot handling", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/amdxdna: Fix out-of-bounds memset in command slot handling\n\nThe remaining space in a command slot may be smaller than the size of\nthe command header. Clearing the command header with memset() before\nverifying the available slot space can result in an out-of-bounds write\nand memory corruption.\n\nFix this by moving the memset() call after the size validation."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad:\n\naccel/amdxdna: Correcci\u00f3n de memset fuera de l\u00edmites en el manejo de ranuras de comando\n\nEl espacio restante en una ranura de comando puede ser menor que el tama\u00f1o del encabezado de comando. Borrar el encabezado de comando con memset() antes de verificar el espacio de ranura disponible puede resultar en una escritura fuera de l\u00edmites y corrupci\u00f3n de memoria.\n\nEsto se corrige moviendo la llamada a memset() despu\u00e9s de la validaci\u00f3n del tama\u00f1o."}], "id": "CVE-2026-23288", "lastModified": "2026-04-02T15:16:30.343", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-03-25T11:16:23.767", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1110a949675ebd56b3f0286e664ea543f745801c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cca770d710d5e03bc814af585cd6975eb6d74074"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: accel/amdxdna: Fix out-of-bounds memset in command slot handling", "id": "2451274", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451274"}, "csaw": false, "cwe": "CWE-131", "details": ["A flaw was found in the Linux kernel's accel/amdxdna component. This vulnerability occurs when clearing a command header with `memset()` before verifying the available slot space, which can be smaller than the header size. This can lead to an out-of-bounds write and memory corruption. An attacker could potentially exploit this to cause a denial of service or other unpredictable system behavior."], "name": "CVE-2026-23288", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23288\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23288\nhttps://lore.kernel.org/linux-cve-announce/2026032524-CVE-2026-23288-1d11@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[13ae1a6000f7d8b09478e3128e87d45e89c7282f,cca770d710d5e03bc814af585cd6975eb6d74074)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[3d32eb7a5ecff92d83a5fd34c45c171c17d3d5d0,1110a949675ebd56b3f0286e664ea543f745801c)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "7.0-rc1"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,7.0-rc1)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc2,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-02T16:44:40.834752+00:00", "value": {"mitigation_remediation": ["Apply the latest Linux kernel that includes the AMD XDNA driver fix.", "If an immediate kernel upgrade is not possible, unload or disable the accel/amdxdna module to prevent use of the vulnerable code path.", "Verify the running kernel version contains the commit 1110a949 (or equivalent) to confirm the patch is applied.", "Maintain alertness to new kernel exploits and apply future security updates as they become available."], "summary": {"action": "Immediate Patch", "impact": "Memory corruption that may enable arbitrary code execution"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in the Linux kernel inside the accel/amdxdna module. All kernel versions that include the uncov unpatched copy of this driver are affected. The specific versions impacted are not listed in the advisory, but the patch commit 1110a949 has been merged into the mainline kernel, so any system running a kernel older than the commit line is at risk.", "description_and_impact": "An out-of-bounds write occurs while clearing a command header in the Linux kernel's AMD XDNA acceleration driver. The memset call is performed before the code verifies that the command slot has sufficient space, allowing the buffer to be overwritten beyond its end. This memory corruption could enable an attacker to alter kernel memory or execute arbitrary code, compromising system integrity.", "risk_and_exploitability": "The CVSS score of 7.8 classifies it as a high severity issue. EPSS indicates a very low likelihood of exploitation (<1%), and it is not listed in the CISA KEV catalog. The flaw is local to systems that load the AMD XDNA driver; an attacker would need local or privileged access to exploit it. Nonetheless, due to the potential for kernel compromise, the risk justifies prompt correction."}}}}, "created": "2026-03-25T21:15:42.288140+00:00", "updated": "2026-04-02T20:23:10.833194+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}