CVE-2026-23237 - Vulnerability Details

- platform/x86: classmate-laptop: Add missing NULL pointer checks

Description

In the Linux kernel, the following vulnerability has been resolved:

platform/x86: classmate-laptop: Add missing NULL pointer checks

In a few places in the Classmate laptop driver, code using the accel
object may run before that object's address is stored in the driver
data of the input device using it.

For example, cmpc_accel_sensitivity_store_v4() is the "show" method
of cmpc_accel_sensitivity_attr_v4 which is added in cmpc_accel_add_v4(),
before calling dev_set_drvdata() for inputdev->dev. If the sysfs
attribute is accessed prematurely, the dev_get_drvdata(&inputdev->dev)
call in in cmpc_accel_sensitivity_store_v4() returns NULL which
leads to a NULL pointer dereference going forward.

Moreover, sysfs attributes using the input device are added before
initializing that device by cmpc_add_acpi_notify_device() and if one
of them is accessed before running that function, a NULL pointer
dereference will occur.

For example, cmpc_accel_sensitivity_attr_v4 is added before calling
cmpc_add_acpi_notify_device() and if it is read prematurely, the
dev_get_drvdata(&acpi->dev) call in cmpc_accel_sensitivity_show_v4()
returns NULL which leads to a NULL pointer dereference going forward.

Fix this by adding NULL pointer checks in all of the relevant places.

Published: 2026-03-04

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A NULL pointer dereference occurs in the Linux kernel Classmate laptop driver when sysfs attributes are accessed before the driver’s input device data is fully initialized. The fault leads to a kernel crash (oops) because a dev_get_drvdata call returns NULL and the code continues without a check. This is a classic CWE‑476 vulnerability and can be triggered by reading or writing the exposed sysfs entries before the driver’s internal data is ready.

Affected Systems

The flaw affects the Linux kernel, specifically the Classmate laptop driver. Versions 2.6.33 (all RC releases) and 6.19 RC1‑RC8 are listed as impacted. Any kernel containing the legacy classmate‑laptop module without the NULL‑check patch is susceptible.

Risk and Exploitability

The CVSS score is 5.5, indicating moderate severity. The EPSS score is under 1 %, implying the attack probability is very low. The vulnerability is not present in CISA’s KEV list. The likely attack vector is a local escalation or privileged local user who can trigger the sysfs attributes on a system running an affected kernel. Exploitation requires the attacker to interact with the sysfs interface before the driver is fully initialized, causing a kernel crash that can result in loss of service.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`529aa8cb0a59367d08883f818e8c47028e819d0d`	affected	< 993708fc18d0d0919db438361b4e8c1f980a8d1b
`529aa8cb0a59367d08883f818e8c47028e819d0d`	affected	< af673209d43b46257540997aba042b90ef3258c0
`529aa8cb0a59367d08883f818e8c47028e819d0d`	affected	< eb214804f03c829decf10998e9b7dd26f4c8ab9e
`529aa8cb0a59367d08883f818e8c47028e819d0d`	affected	< 9cf4b9b8ad09d6e05307abc4e951cabdff4be652
`529aa8cb0a59367d08883f818e8c47028e819d0d`	affected	< da6e06a5fdbabea3870d18c227734b5dea5b3be6
`529aa8cb0a59367d08883f818e8c47028e819d0d`	affected	< 97528b1622b8f129574d29a571c32a3c85eafa3c
`529aa8cb0a59367d08883f818e8c47028e819d0d`	affected	< fe747d7112283f47169e9c16e751179a9b38611e

Linux

affected

Version	Status	Constraints
`2.6.33`	affected	—
`0`	unaffected	< 2.6.33
`5.10.251`	unaffected	≤ 5.10.*
`5.15.201`	unaffected	≤ 5.15.*
`6.1.164`	unaffected	≤ 6.1.*
`6.6.127`	unaffected	≤ 6.6.*
`6.12.74`	unaffected	≤ 6.12.*
`6.18.13`	unaffected	≤ 6.18.*
`6.19`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:2.6.33:-::::::
	cpe:2.3:o:linux:linux_kernel:2.6.33:rc2::::::
	cpe:2.3:o:linux:linux_kernel:2.6.33:rc3::::::
	cpe:2.3:o:linux:linux_kernel:2.6.33:rc4::::::
	cpe:2.3:o:linux:linux_kernel:2.6.33:rc5::::::
	cpe:2.3:o:linux:linux_kernel:2.6.33:rc6::::::
	cpe:2.3:o:linux:linux_kernel:2.6.33:rc7::::::
	cpe:2.3:o:linux:linux_kernel:2.6.33:rc8::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc4::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc5::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc6::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc7::::::
	cpe:2.3:o:linux:linux_kernel:6.19:rc8::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,993708fc18d0d0919db438361b4e8c1f980a8d1b)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,af673209d43b46257540997aba042b90ef3258c0)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,eb214804f03c829decf10998e9b7dd26f4c8ab9e)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,9cf4b9b8ad09d6e05307abc4e951cabdff4be652)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,da6e06a5fdbabea3870d18c227734b5dea5b3be6)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,97528b1622b8f129574d29a571c32a3c85eafa3c)`	affected	code_commit	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,fe747d7112283f47169e9c16e751179a9b38611e)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[5.10.251,5.11.0)`	unaffected	semver	—
`[5.15.201,5.16.0)`	unaffected	semver	—
`[6.1.164,6.2.0)`	unaffected	semver	—
`[6.6.127,6.7.0)`	unaffected	semver	—
`[6.12.74,6.13.0)`	unaffected	semver	—
`[6.18.13,6.19.0)`	unaffected	semver	—
`[6.19,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Linux kernel release that contains the NULL‑pointer check fix for the Classmate laptop driver.
If you build a custom kernel, cherry‑pick the commit(s) that add the NULL checks to the driver and rebuild the kernel.
If an immediate patch cannot be applied, avoid accessing the sysfs attributes for the Classmate accelerator until the driver is updated; disabling those sysfs interfaces is a temporary mitigation.

Generated by OpenCVE AI on April 16, 2026 at 13:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4498-1	linux security update
Debian DLA	DLA-4499-1	linux-6.1 security update
Debian DSA	DSA-6163-1	linux security update
Debian DSA	DSA-6162-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00008.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/97528b1622b8f129574d29a571c32a3c85eafa3c
https://git.kernel.org/stable/c/993708fc18d0d0919db438361b4e8c1f980a8d1b
https://git.kernel.org/stable/c/9cf4b9b8ad09d6e05307abc4e951cabdff4be652
https://git.kernel.org/stable/c/af673209d43b46257540997aba042b90ef3258c0
https://git.kernel.org/stable/c/da6e06a5fdbabea3870d18c227734b5dea5b3be6
https://git.kernel.org/stable/c/eb214804f03c829decf10998e9b7dd26f4c8ab9e
https://git.kernel.org/stable/c/fe747d7112283f47169e9c16e751179a9b38611e
https://lore.kernel.org/linux-cve-announce/2026030436-CVE-2026-23237-f6fb@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23237
https://www.cve.org/CVERecord?id=CVE-2026-23237

History

Tue, 17 Mar 2026 21:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476
CPEs		cpe:2.3:o:linux:linux_kernel:2.6.33:-:::::: cpe:2.3:o:linux:linux_kernel:2.6.33:rc2:::::: cpe:2.3:o:linux:linux_kernel:2.6.33:rc3:::::: cpe:2.3:o:linux:linux_kernel:2.6.33:rc4:::::: cpe:2.3:o:linux:linux_kernel:2.6.33:rc5:::::: cpe:2.3:o:linux:linux_kernel:2.6.33:rc6:::::: cpe:2.3:o:linux:linux_kernel:2.6.33:rc7:::::: cpe:2.3:o:linux:linux_kernel:2.6.33:rc8:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc1:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc2:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc3:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc4:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc5:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc6:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc7:::::: cpe:2.3:o:linux:linux_kernel:6.19:rc8::::::

Thu, 05 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026030436-CVE-2026-23237-f6fb@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23237 https://www.cve.org/CVERecord?id=CVE-2026-23237
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Low`

Wed, 04 Mar 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: platform/x86: classmate-laptop: Add missing NULL pointer checks In a few places in the Classmate laptop driver, code using the accel object may run before that object's address is stored in the driver data of the input device using it. For example, cmpc_accel_sensitivity_store_v4() is the "show" method of cmpc_accel_sensitivity_attr_v4 which is added in cmpc_accel_add_v4(), before calling dev_set_drvdata() for inputdev->dev. If the sysfs attribute is accessed prematurely, the dev_get_drvdata(&inputdev->dev) call in in cmpc_accel_sensitivity_store_v4() returns NULL which leads to a NULL pointer dereference going forward. Moreover, sysfs attributes using the input device are added before initializing that device by cmpc_add_acpi_notify_device() and if one of them is accessed before running that function, a NULL pointer dereference will occur. For example, cmpc_accel_sensitivity_attr_v4 is added before calling cmpc_add_acpi_notify_device() and if it is read prematurely, the dev_get_drvdata(&acpi->dev) call in cmpc_accel_sensitivity_show_v4() returns NULL which leads to a NULL pointer dereference going forward. Fix this by adding NULL pointer checks in all of the relevant places.
Title		platform/x86: classmate-laptop: Add missing NULL pointer checks
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/97528b1622b8f129574d29a571c32a3c85eafa3c https://git.kernel.org/stable/c/993708fc18d0d0919db438361b4e8c1f980a8d1b https://git.kernel.org/stable/c/9cf4b9b8ad09d6e05307abc4e951cabdff4be652 https://git.kernel.org/stable/c/af673209d43b46257540997aba042b90ef3258c0 https://git.kernel.org/stable/c/da6e06a5fdbabea3870d18c227734b5dea5b3be6 https://git.kernel.org/stable/c/eb214804f03c829decf10998e9b7dd26f4c8ab9e https://git.kernel.org/stable/c/fe747d7112283f47169e9c16e751179a9b38611e

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-03-04T14:38:41.815Z

Updated: 2026-03-08T10:07:33.737Z

Reserved: 2026-01-13T15:37:45.988Z

Link: CVE-2026-23237

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-03-04T15:16:14.350

Modified: 2026-03-17T21:16:04.753

Link: CVE-2026-23237

Redhat

Severity : Low

Publid Date: 2026-03-04T00:00:00Z

Links: CVE-2026-23237 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T13:45:21Z

Weaknesses

CWE-476

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object