{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23305", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.993Z", "datePublished": "2026-03-25T10:27:00.612Z", "dateUpdated": "2026-05-11T22:04:18.823Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:04:18.823Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/rocket: fix unwinding in error path in rocket_probe\n\nWhen rocket_core_init() fails (as could be the case with EPROBE_DEFER),\nwe need to properly unwind by decrementing the counter we just\nincremented and if this is the first core we failed to probe, remove the\nrocket DRM device with rocket_device_fini() as well. This matches the\nlogic in rocket_remove(). Failing to properly unwind results in\nout-of-bounds accesses."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/accel/rocket/rocket_drv.c"], "versions": [{"version": "0810d5ad88a18f1e6d549853a388ad0316f74e36", "lessThan": "7fc4b49474c836cee7d9801abf05e0198fcbfa74", "status": "affected", "versionType": "git"}, {"version": "0810d5ad88a18f1e6d549853a388ad0316f74e36", "lessThan": "eeaf28c8f4defe371a008a5ddefaf18abf534f81", "status": "affected", "versionType": "git"}, {"version": "0810d5ad88a18f1e6d549853a388ad0316f74e36", "lessThan": "34f4495a7f72895776b81969639f527c99eb12b9", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/accel/rocket/rocket_drv.c"], "versions": [{"version": "6.18", "status": "affected"}, {"version": "0", "lessThan": "6.18", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/7fc4b49474c836cee7d9801abf05e0198fcbfa74"}, {"url": "https://git.kernel.org/stable/c/eeaf28c8f4defe371a008a5ddefaf18abf534f81"}, {"url": "https://git.kernel.org/stable/c/34f4495a7f72895776b81969639f527c99eb12b9"}], "title": "accel/rocket: fix unwinding in error path in rocket_probe", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/rocket: fix unwinding in error path in rocket_probe\n\nWhen rocket_core_init() fails (as could be the case with EPROBE_DEFER),\nwe need to properly unwind by decrementing the counter we just\nincremented and if this is the first core we failed to probe, remove the\nrocket DRM device with rocket_device_fini() as well. This matches the\nlogic in rocket_remove(). Failing to properly unwind results in\nout-of-bounds accesses."}], "id": "CVE-2026-23305", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:26.347", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/34f4495a7f72895776b81969639f527c99eb12b9"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/7fc4b49474c836cee7d9801abf05e0198fcbfa74"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/eeaf28c8f4defe371a008a5ddefaf18abf534f81"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: accel/rocket: fix unwinding in error path in rocket_probe", "id": "2451194", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451194"}, "csaw": false, "cwe": "CWE-772", "details": ["A flaw was found in the `accel/rocket` component of the Linux kernel. This vulnerability arises from improper error handling during the unwinding process in the `rocket_probe` function. When the `rocket_core_init()` function fails, the system does not correctly manage resources, leading to out-of-bounds accesses. This can result in system instability or a denial of service."], "name": "CVE-2026-23305", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23305\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23305\nhttps://lore.kernel.org/linux-cve-announce/2026032527-CVE-2026-23305-5fa4@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0810d5ad88a18f1e6d549853a388ad0316f74e36,7fc4b49474c836cee7d9801abf05e0198fcbfa74)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0810d5ad88a18f1e6d549853a388ad0316f74e36,eeaf28c8f4defe371a008a5ddefaf18abf534f81)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0810d5ad88a18f1e6d549853a388ad0316f74e36,34f4495a7f72895776b81969639f527c99eb12b9)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.18"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.18)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0-rc1,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-03-26T14:03:40.694124+00:00", "value": {"mitigation_remediation": ["Update to a kernel version that includes the rocket driver fix", "Reboot the system after applying the kernel update", "If an update is not possible immediately, blacklist the rocket module to prevent loading it", "Monitor kernel logs for rocket_probe errors to identify unresolved issues"], "summary": {"action": "Patch Immediately", "impact": "Out-of-bounds kernel memory corruption"}, "threat_synthesis": {"affected_systems": "The affected product is the Linux kernel across all distributions. The CPE indicates cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*. No specific vendor product versions are listed; the issue is present in any kernel build containing the rocket driver before the patch commit.", "description_and_impact": "The vulnerability exists in the Linux kernel's accel/rocket driver. During initialization, if rocket_core_init() fails, the error path incorrectly fails to decrement a counter and remove the rocket DRM device, leading to out-of-bounds accesses. This incorrect resource cleanup can corrupt kernel memory, potentially causing system crashes or privilege escalation.", "risk_and_exploitability": "The CVSS score is not provided, but the EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, suggesting a low overall likelihood of exploitation. The flaw requires the driver to be loaded and for an error condition (such as EPROBE_DEFER) to occur, so the attack vector is largely local and dependent on kernel execution context."}}}}, "created": "2026-03-25T21:15:25.104702+00:00", "updated": "2026-03-27T09:50:02.263764+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}