Description
In the Linux kernel, the following vulnerability has been resolved:

uacce: ensure safe queue release with state management

Directly calling `put_queue` carries risks since it cannot
guarantee that resources of `uacce_queue` have been fully released
beforehand. So adding a `stop_queue` operation for the
UACCE_CMD_PUT_Q command and leaving the `put_queue` operation to
the final resource release ensures safety.

Queue states are defined as follows:
- UACCE_Q_ZOMBIE: Initial state
- UACCE_Q_INIT: After opening `uacce`
- UACCE_Q_STARTED: After `start` is issued via `ioctl`

When executing `poweroff -f` in virt while accelerator are still
working, `uacce_fops_release` and `uacce_remove` may execute
concurrently. This can cause `uacce_put_queue` within
`uacce_fops_release` to access a NULL `ops` pointer. Therefore, add
state checks to prevent accessing freed pointers.
Published: 2026-02-04
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The flaw occurs when the Linux kernel’s uacce driver attempts to call the internal put_queue function without ensuring that the driver’s state has been properly transitioned to a safe release phase. This oversight can lead to a null pointer dereference of the ops structure during a concurrent poweroff operation on virtualized systems, causing the kernel to crash. The weakness is a classic null pointer dereference (CWE‑476).

Affected Systems

Linux kernel versions 6.19 RC1 through RC6 are affected; any host running those kernels without the latest patch is at risk. The patch also applies to earlier 6.19 releases that share the same vulnerable code path, though the CPE list specifically lists only the release candidates.

Risk and Exploitability

The CVSS score of 5.5 indicates medium severity, and the EPSS score of less than 1 % suggests that exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local privileged access: an attacker must be able to issue the UACCE_CMD_PUT_Q ioctl or otherwise trigger the put_queue function while a poweroff command is concurrently being executed, such as during a forced shutdown of a virtual machine that still has the accelerator device active. Successful exploitation would crash the kernel, resulting in a denial of service of the entire system.

Generated by OpenCVE AI on April 18, 2026 at 13:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that incorporates the fix, such as 6.19.1 or later.
  • If a kernel upgrade cannot be performed immediately, disable or remove the uacce driver from the system configuration to eliminate the vulnerable code path.
  • Modify shutdown procedures to ensure that any uacce resources are released before issuing a poweroff command, preventing the race condition that triggers the null pointer dereference.

Generated by OpenCVE AI on April 18, 2026 at 13:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4475-1 linux security update
Debian DLA Debian DLA DLA-4476-1 linux-6.1 security update
Debian DSA Debian DSA DSA-6126-1 linux security update
Debian DSA Debian DSA DSA-6127-1 linux security update
Ubuntu USN Ubuntu USN USN-8162-1 Linux kernel (NVIDIA Tegra) vulnerabilities
Ubuntu USN Ubuntu USN USN-8180-1 Linux kernel vulnerabilities
Ubuntu USN Ubuntu USN USN-8180-2 Linux kernel (FIPS) vulnerabilities
Ubuntu USN Ubuntu USN USN-8186-1 Linux kernel (Real-time) vulnerabilities
Ubuntu USN Ubuntu USN USN-8187-1 Linux kernel (NVIDIA) vulnerabilities
Ubuntu USN Ubuntu USN USN-8188-1 Linux kernel (HWE) vulnerabilities
History

Fri, 13 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
CPEs cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Fri, 06 Feb 2026 16:45:00 +0000

Type Values Removed Values Added
References

Thu, 05 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
References

Wed, 04 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: uacce: ensure safe queue release with state management Directly calling `put_queue` carries risks since it cannot guarantee that resources of `uacce_queue` have been fully released beforehand. So adding a `stop_queue` operation for the UACCE_CMD_PUT_Q command and leaving the `put_queue` operation to the final resource release ensures safety. Queue states are defined as follows: - UACCE_Q_ZOMBIE: Initial state - UACCE_Q_INIT: After opening `uacce` - UACCE_Q_STARTED: After `start` is issued via `ioctl` When executing `poweroff -f` in virt while accelerator are still working, `uacce_fops_release` and `uacce_remove` may execute concurrently. This can cause `uacce_put_queue` within `uacce_fops_release` to access a NULL `ops` pointer. Therefore, add state checks to prevent accessing freed pointers.
Title uacce: ensure safe queue release with state management
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-02-09T08:38:02.269Z

Reserved: 2026-01-13T15:37:45.953Z

Link: CVE-2026-23063

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-02-04T17:16:16.987

Modified: 2026-03-13T21:28:17.910

Link: CVE-2026-23063

cve-icon Redhat

Severity :

Publid Date: 2026-02-04T00:00:00Z

Links: CVE-2026-23063 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T14:00:02Z

Weaknesses