{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23424", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.015Z", "datePublished": "2026-04-03T13:24:32.622Z", "dateUpdated": "2026-05-11T22:06:38.394Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:06:38.394Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/amdxdna: Validate command buffer payload count\n\nThe count field in the command header is used to determine the valid\npayload size. Verify that the valid payload does not exceed the remaining\nbuffer space."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "baseScore": 7.1, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/accel/amdxdna/amdxdna_ctx.c"], "versions": [{"version": "aac243092b707bb3018e951d470cc1a9bcbaba6c", "lessThan": "3464e751755172ddbb849c1bd92f5f59e95c59a1", "status": "affected", "versionType": "git"}, {"version": "aac243092b707bb3018e951d470cc1a9bcbaba6c", "lessThan": "3ed2ae6b3fe869f99b75afd02045ba5c0c0773e2", "status": "affected", "versionType": "git"}, {"version": "aac243092b707bb3018e951d470cc1a9bcbaba6c", "lessThan": "901ec3470994006bc8dd02399e16b675566c3416", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/accel/amdxdna/amdxdna_ctx.c"], "versions": [{"version": "6.14", "status": "affected"}, {"version": "0", "lessThan": "6.14", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.14", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/3464e751755172ddbb849c1bd92f5f59e95c59a1"}, {"url": "https://git.kernel.org/stable/c/3ed2ae6b3fe869f99b75afd02045ba5c0c0773e2"}, {"url": "https://git.kernel.org/stable/c/901ec3470994006bc8dd02399e16b675566c3416"}], "title": "accel/amdxdna: Validate command buffer payload count", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "9C726C48-356A-4304-8BC9-6D68C8757131", "versionEndExcluding": "6.18.17", "versionStartIncluding": "6.14.1", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "69245D10-0B71-485E-80C3-A64F077004D3", "versionEndExcluding": "6.19.7", "versionStartIncluding": "6.19", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.14:-:*:*:*:*:*:*", "matchCriteriaId": "7DE421BA-0600-4401-A175-73CAB6A6FB4E", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "02259FDA-961B-47BC-AE7F-93D7EC6E90C2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "58A9FEFF-C040-420D-8F0A-BFDAAA1DF258", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "1D2315C0-D46F-4F85-9754-F9E5E11374A6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*", "matchCriteriaId": "512EE3A8-A590-4501-9A94-5D4B268D6138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/amdxdna: Validate command buffer payload count\n\nThe count field in the command header is used to determine the valid\npayload size. Verify that the valid payload does not exceed the remaining\nbuffer space."}], "id": "CVE-2026-23424", "lastModified": "2026-04-27T14:16:31.757", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-03T14:16:28.623", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3464e751755172ddbb849c1bd92f5f59e95c59a1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/3ed2ae6b3fe869f99b75afd02045ba5c0c0773e2"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/901ec3470994006bc8dd02399e16b675566c3416"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: accel/amdxdna: Validate command buffer payload count", "id": "2454768", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454768"}, "csaw": false, "cwe": "CWE-787", "details": ["A flaw was found in the Linux kernel's accel/amdxdna component. This vulnerability arises from inadequate validation of the command buffer payload count, where the system fails to verify that the payload size does not exceed the available buffer space. An attacker could exploit this by providing a specially crafted command, potentially leading to memory corruption and system instability."], "name": "CVE-2026-23424", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23424\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23424\nhttps://lore.kernel.org/linux-cve-announce/2026040305-CVE-2026-23424-7b21@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[aac243092b707bb3018e951d470cc1a9bcbaba6c,3464e751755172ddbb849c1bd92f5f59e95c59a1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[aac243092b707bb3018e951d470cc1a9bcbaba6c,3ed2ae6b3fe869f99b75afd02045ba5c0c0773e2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[aac243092b707bb3018e951d470cc1a9bcbaba6c,901ec3470994006bc8dd02399e16b675566c3416)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.14"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.14)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0-rc2,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-04-28T21:51:01.632769+00:00", "value": {"mitigation_remediation": ["Apply the latest Linux kernel release or vendor patch that contains the fix for CVE-2026-23424", "If an immediate kernel upgrade is not possible, disable AMD XDNA acceleration by unloading the module or otherwise restricting access to the device", "Monitor kernel logs and system stability for signs of anomalous memory corruption or driver failures, and apply security updates as soon as they become available"], "summary": {"action": "Apply Patch", "impact": "Memory Corruption via Out-of-Bounds Write"}, "threat_synthesis": {"affected_systems": "All Linux kernel builds that compile the AMD XDNA acceleration module are affected. The CPE list indicates all Linux kernels, including kernel 6.14 and the 7.0 release candidates rc1 through rc7. Any kernel that contains the vulnerable code before the fix remains at risk.", "description_and_impact": "The Linux kernel contains a flaw in the AMD XDNA acceleration module where the command header field that counts payload items is not bounded against the remaining buffer size. This omission can cause an out-of-bounds write that corrupts adjacent kernel memory. An attacker who can supply malicious commands to the driver could overwrite critical data structures, potentially leading to privilege escalation or system instability. The type of weakness is a classic buffer overflow (CWE-787). The likely attack vector is an attacker with the ability to send crafted commands to the AMD XDNA driver; this is inferred from the description of the vulnerable code path.", "risk_and_exploitability": "The CVSS base score of 7.1 indicates high severity. The EPSS score is less than 1%, and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting a low probability of large-scale exploitation. Nevertheless, because an attacker could write arbitrary kernel memory if they control command payloads, the potential impact is severe. The vulnerability can be leveraged for privilege escalation if an attacker can interact with the driver; no public exploit is available, but the risk remains theoretical."}}}}, "created": "2026-04-03T21:14:14.767112+00:00", "updated": "2026-04-28T22:00:14.122929+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}