Description
In the Linux kernel, the following vulnerability has been resolved:

media: dvb-core: fix wrong reinitialization of ringbuffer on reopen

dvb_dvr_open() calls dvb_ringbuffer_init() when a new reader opens the
DVR device. dvb_ringbuffer_init() calls init_waitqueue_head(), which
reinitializes the waitqueue list head to empty.

Since dmxdev->dvr_buffer.queue is a shared waitqueue (all opens of the
same DVR device share it), this orphans any existing waitqueue entries
from io_uring poll or epoll, leaving them with stale prev/next pointers
while the list head is reset to {self, self}.

The waitqueue and spinlock in dvr_buffer are already properly
initialized once in dvb_dmxdev_init(). The open path only needs to
reset the buffer data pointer, size, and read/write positions.

Replace the dvb_ringbuffer_init() call in dvb_dvr_open() with direct
assignment of data/size and a call to dvb_ringbuffer_reset(), which
properly resets pread, pwrite, and error with correct memory ordering
without touching the waitqueue or spinlock.
Published: 2026-03-18
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

An incorrect routine in the Linux kernel’s DVB subsystem reinitializes a shared waitqueue each time a new reader opens a DVR device. The function used resets the waitqueue head, causing any existing waitqueue entries linked to io_uring or epoll to become orphaned with stale pointers. When the kernel later processes these entries, it can trigger a crash or hang, effectively denying service to all users of the affected device and possibly destabilizing the system.

Affected Systems

The flaw resides solely in the kernel’s dvb-core module, which is included in virtually every Linux distribution that enables DVB support. All kernel versions that compile or link with dvb-core are potentially vulnerable until the update is applied. Users who expose /dev/dvb/dvr devices—such as media servers, set‑top boxes, or embedded devices—are at risk.

Risk and Exploitability

The CVSS score of 7.8 indicates a high severity vulnerability, but the EPSS score of less than 1% suggests that exploitation is unlikely at present. The vulnerability is not listed in CISA’s KEV catalog. An attacker with local access to the DVR device (e.g., a user able to open /dev/dvb/dvrX) can trigger the flaw, causing a kernel crash or service disruption. The attack vector is primarily local; remote exploitation would require the ability to interact with the device through privileged channels.

Generated by OpenCVE AI on April 2, 2026 at 23:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an updated Linux kernel that incorporates the dvb-core ringbuffer reinitialization fix.
  • If an immediate kernel upgrade is not possible, restrict or disable io_uring and epoll usage for the DVR device until patching is completed.
  • Continuously monitor system logs for kernel crashes or waitqueue errors that may indicate exploitation attempts.

Generated by OpenCVE AI on April 2, 2026 at 23:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Sun, 29 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CWE-665

Fri, 27 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CWE-665

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-668

Wed, 25 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-668

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
References

Tue, 24 Mar 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665

Thu, 19 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Wed, 18 Mar 2026 17:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: media: dvb-core: fix wrong reinitialization of ringbuffer on reopen dvb_dvr_open() calls dvb_ringbuffer_init() when a new reader opens the DVR device. dvb_ringbuffer_init() calls init_waitqueue_head(), which reinitializes the waitqueue list head to empty. Since dmxdev->dvr_buffer.queue is a shared waitqueue (all opens of the same DVR device share it), this orphans any existing waitqueue entries from io_uring poll or epoll, leaving them with stale prev/next pointers while the list head is reset to {self, self}. The waitqueue and spinlock in dvr_buffer are already properly initialized once in dvb_dmxdev_init(). The open path only needs to reset the buffer data pointer, size, and read/write positions. Replace the dvb_ringbuffer_init() call in dvb_dvr_open() with direct assignment of data/size and a call to dvb_ringbuffer_reset(), which properly resets pread, pwrite, and error with correct memory ordering without touching the waitqueue or spinlock.
Title media: dvb-core: fix wrong reinitialization of ringbuffer on reopen
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-02T14:44:00.996Z

Reserved: 2026-01-13T15:37:45.990Z

Link: CVE-2026-23253

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-18T18:16:23.383

Modified: 2026-04-02T15:16:27.310

Link: CVE-2026-23253

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-18T00:00:00Z

Links: CVE-2026-23253 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:39:23Z

Weaknesses

No weakness.