CVE-2026-23236 - Vulnerability Details

- fbdev: smscufx: properly copy ioctl memory to kernelspace

Description

In the Linux kernel, the following vulnerability has been resolved:

fbdev: smscufx: properly copy ioctl memory to kernelspace

The UFX_IOCTL_REPORT_DAMAGE ioctl does not properly copy data from
userspace to kernelspace, and instead directly references the memory,
which can cause problems if invalid data is passed from userspace. Fix
this all up by correctly copying the memory before accessing it within
the kernel.

Published: 2026-03-04

Score: 7.3 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The smscufx framebuffer driver includes an ioctl, UFX_IOCTL_REPORT_DAMAGE, that is intended to copy data from user space into kernel memory before use. Instead, the implementation references the user pointer directly. Therefore, if an attacker supplies crafted data, the kernel may perform invalid memory accesses, corrupting kernel memory. Such corruption could allow arbitrary code execution or privilege escalation from a local user.

Affected Systems

This issue affects the Linux kernel as a whole, specifically the smscufx framebuffer driver in the fbdev subsystem. All kernel releases lacking the commit that corrects the copy operation are potentially vulnerable, regardless of distribution or patch level.

Risk and Exploitability

The CVSS score of 7.3 classifies the vulnerability as high severity, while an EPSS score of <1% indicates a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, suggesting no public exploitation has been reported. The attack vector is most likely local; an attacker with access to the /dev/smscufx device node can invoke the ioctl and supply malicious data, potentially leading to kernel memory corruption.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`3c8a63e22a0802fd56380f6ab305b419f18eb6f5`	affected	< 061cfeb560aa3ddc174153dbe5be9d0b55eb7248
`3c8a63e22a0802fd56380f6ab305b419f18eb6f5`	affected	< 6167af934f956d3ae1e06d61f45cd0d1004bbe1a
`3c8a63e22a0802fd56380f6ab305b419f18eb6f5`	affected	< a0321e6e58facb39fe191caa0e52ed9aab6a48fe
`3c8a63e22a0802fd56380f6ab305b419f18eb6f5`	affected	< 0634e8d650993602fc5b389ff7ac525f6542e141
`3c8a63e22a0802fd56380f6ab305b419f18eb6f5`	affected	< 52917e265aa5f848212f60fc50fc504d8ef12866
`3c8a63e22a0802fd56380f6ab305b419f18eb6f5`	affected	< 1c008ad0f0d1c1523902b9cdb08e404129677bfc
`3c8a63e22a0802fd56380f6ab305b419f18eb6f5`	affected	< f1e91bd4efeae48b0f42caed7e8ce2e3a0d05b02
`3c8a63e22a0802fd56380f6ab305b419f18eb6f5`	affected	< 120adae7b42faa641179270c067864544a50ab69

Linux

affected

Version	Status	Constraints
`3.2`	affected	—
`0`	unaffected	< 3.2
`5.10.251`	unaffected	≤ 5.10.*
`5.15.201`	unaffected	≤ 5.15.*
`6.1.164`	unaffected	≤ 6.1.*
`6.6.127`	unaffected	≤ 6.6.*
`6.12.74`	unaffected	≤ 6.12.*
`6.18.13`	unaffected	≤ 6.18.*
`6.19.3`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,061cfeb560aa3ddc174153dbe5be9d0b55eb7248)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,0634e8d650993602fc5b389ff7ac525f6542e141)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,120adae7b42faa641179270c067864544a50ab69)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,1c008ad0f0d1c1523902b9cdb08e404129677bfc)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,52917e265aa5f848212f60fc50fc504d8ef12866)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,6167af934f956d3ae1e06d61f45cd0d1004bbe1a)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,a0321e6e58facb39fe191caa0e52ed9aab6a48fe)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,f1e91bd4efeae48b0f42caed7e8ce2e3a0d05b02)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[5.10.251,5.11.0)`	unaffected	semver	—
`[5.15.201,5.16.0)`	unaffected	semver	—
`[6.1.164,6.2.0)`	unaffected	semver	—
`[6.6.127,6.7.0)`	unaffected	semver	—
`[6.12.74,6.13.0)`	unaffected	semver	—
`[6.18.13,6.19.0)`	unaffected	semver	—
`[6.19.3,6.20.0)`	unaffected	semver	—
`[7.0-rc1,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the kernel to a version that includes the smscufx ioctl copy fix (apply the relevant commit).
If an immediate kernel update is not possible, unload or disable the smscufx framebuffer driver to eliminate the vulnerable interface.
Restrict permissions on the smscufx device node so that only privileged users can invoke the ioctl, thereby reducing the attack surface.
Monitor kernel logs for anomalous access or crashes that may indicate exploitation attempts.

Generated by OpenCVE AI on April 15, 2026 at 17:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4498-1	linux security update
Debian DLA	DLA-4499-1	linux-6.1 security update
Debian DSA	DSA-6163-1	linux security update
Debian DSA	DSA-6162-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0001.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/061cfeb560aa3ddc174153dbe5be9d0b55eb7248
https://git.kernel.org/stable/c/0634e8d650993602fc5b389ff7ac525f6542e141
https://git.kernel.org/stable/c/120adae7b42faa641179270c067864544a50ab69
https://git.kernel.org/stable/c/1c008ad0f0d1c1523902b9cdb08e404129677bfc
https://git.kernel.org/stable/c/52917e265aa5f848212f60fc50fc504d8ef12866
https://git.kernel.org/stable/c/6167af934f956d3ae1e06d61f45cd0d1004bbe1a
https://git.kernel.org/stable/c/a0321e6e58facb39fe191caa0e52ed9aab6a48fe
https://git.kernel.org/stable/c/f1e91bd4efeae48b0f42caed7e8ce2e3a0d05b02
https://lore.kernel.org/linux-cve-announce/2026030440-CVE-2026-23236-b419@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23236
https://www.cve.org/CVERecord?id=CVE-2026-23236

History

Thu, 02 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`	cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H'}`

Tue, 17 Mar 2026 21:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Thu, 05 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026030440-CVE-2026-23236-b419@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23236 https://www.cve.org/CVERecord?id=CVE-2026-23236

Wed, 04 Mar 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: fbdev: smscufx: properly copy ioctl memory to kernelspace The UFX_IOCTL_REPORT_DAMAGE ioctl does not properly copy data from userspace to kernelspace, and instead directly references the memory, which can cause problems if invalid data is passed from userspace. Fix this all up by correctly copying the memory before accessing it within the kernel.
Title		fbdev: smscufx: properly copy ioctl memory to kernelspace
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/061cfeb560aa3ddc174153dbe5be9d0b55eb7248 https://git.kernel.org/stable/c/0634e8d650993602fc5b389ff7ac525f6542e141 https://git.kernel.org/stable/c/120adae7b42faa641179270c067864544a50ab69 https://git.kernel.org/stable/c/1c008ad0f0d1c1523902b9cdb08e404129677bfc https://git.kernel.org/stable/c/52917e265aa5f848212f60fc50fc504d8ef12866 https://git.kernel.org/stable/c/6167af934f956d3ae1e06d61f45cd0d1004bbe1a https://git.kernel.org/stable/c/a0321e6e58facb39fe191caa0e52ed9aab6a48fe https://git.kernel.org/stable/c/f1e91bd4efeae48b0f42caed7e8ce2e3a0d05b02

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-03-04T14:36:40.162Z

Updated: 2026-04-13T06:02:53.775Z

Reserved: 2026-01-13T15:37:45.988Z

Link: CVE-2026-23236

Vulnrichment

No data.

NVD

Status : Modified

Published: 2026-03-04T15:16:14.173

Modified: 2026-04-02T15:16:24.923

Link: CVE-2026-23236

Redhat

Severity :

Publid Date: 2026-03-04T00:00:00Z

Links: CVE-2026-23236 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T18:00:15Z

Weaknesses

NVD-CWE-noinfo

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object