CVE-2026-23285 - Vulnerability Details

- drbd: fix null-pointer dereference on local read error

Description

In the Linux kernel, the following vulnerability has been resolved:

drbd: fix null-pointer dereference on local read error

In drbd_request_endio(), READ_COMPLETED_WITH_ERROR is passed to
__req_mod() with a NULL peer_device:

__req_mod(req, what, NULL, &m);

The READ_COMPLETED_WITH_ERROR handler then unconditionally passes this
NULL peer_device to drbd_set_out_of_sync(), which dereferences it,
causing a null-pointer dereference.

Fix this by obtaining the peer_device via first_peer_device(device),
matching how drbd_req_destroy() handles the same situation.

Published: 2026-03-25

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A null‑pointer dereference occurs in the Linux kernel’s DRBD subsystem when a local read failure triggers the READ_COMPLETED_WITH_ERROR handler, which passes a NULL peer_device to drbd_set_out_of_sync(). The dereference can crash the kernel, resulting in a denial of service. This weakness is a classical null‑pointer dereference (CWE‑476).

Affected Systems

The vulnerability is present in the Linux kernel’s DRBD module. No specific kernel releases are listed in the data, so any systems running an affected kernel that has not applied the patch may be impacted.

Risk and Exploitability

The vulnerability is not listed in CISA’s KEV catalog and has an EPSS score below 1 %, indicating very low probability of exploitation in the wild. The exploit would require triggering a local read error on a DRBD device, which is likely only achievable by an attacker with local or kernel‑level access to the host. Consequently, the threat surface is limited to privileged or local attackers, and remote exploitation does not appear feasible based on the available information.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`0d11f3cf279c5ad20a41f29242f170ba3c02f2da`	affected	< 6f1d1614f841d91a4169db65812ffd1271735b42
`0d11f3cf279c5ad20a41f29242f170ba3c02f2da`	affected	< 1e906c08594c8f9a6a524f38ede2c4e051196106
`0d11f3cf279c5ad20a41f29242f170ba3c02f2da`	affected	< 4e8935053ba389ae8d6685c10854d8021931bd89
`0d11f3cf279c5ad20a41f29242f170ba3c02f2da`	affected	< 91df51d2df0ca4fd3281f73626341563d64a98a5
`0d11f3cf279c5ad20a41f29242f170ba3c02f2da`	affected	< 0d195d3b205ca90db30d70d09d7bb6909aac178f

Linux

affected

Version	Status	Constraints
`6.4`	affected	—
`0`	unaffected	< 6.4
`6.6.130`	unaffected	≤ 6.6.*
`6.12.77`	unaffected	≤ 6.12.*
`6.18.17`	unaffected	≤ 6.18.*
`6.19.7`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,6f1d1614f841d91a4169db65812ffd1271735b42)`	affected	generic	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,1e906c08594c8f9a6a524f38ede2c4e051196106)`	affected	generic	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,4e8935053ba389ae8d6685c10854d8021931bd89)`	affected	generic	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,91df51d2df0ca4fd3281f73626341563d64a98a5)`	affected	generic	—
`[1da177e4c3f41524e886b7f1b8a0c1fc7321cac2,0d195d3b205ca90db30d70d09d7bb6909aac178f)`	affected	generic	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[6.6.130,6.6.*]`	unaffected	generic	—
`[6.12.77,6.12.*]`	unaffected	generic	—
`[6.18.17,6.18.*]`	unaffected	generic	—
`[6.19.7,6.19.*]`	unaffected	generic	—
`[7.0-rc2,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Linux kernel update that includes the patch for CVE-2026-23285.
Restrict local access to DRBD devices by ensuring only authorized users and services can perform read/write operations, thereby limiting the ability to trigger a local read error.
Monitor system logs for Oops or panic messages related to kernel crashes and verify that the system remains stable after the update.

Generated by OpenCVE AI on May 22, 2026 at 01:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6238-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0d195d3b205ca90db30d70d09d7bb6909aac178f
https://git.kernel.org/stable/c/1e906c08594c8f9a6a524f38ede2c4e051196106
https://git.kernel.org/stable/c/4e8935053ba389ae8d6685c10854d8021931bd89
https://git.kernel.org/stable/c/6f1d1614f841d91a4169db65812ffd1271735b42
https://git.kernel.org/stable/c/91df51d2df0ca4fd3281f73626341563d64a98a5
https://lore.kernel.org/linux-cve-announce/2026032524-CVE-2026-23285-ad41@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23285
https://www.cve.org/CVERecord?id=CVE-2026-23285

History

Fri, 22 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Thu, 26 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026032524-CVE-2026-23285-ad41@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23285 https://www.cve.org/CVERecord?id=CVE-2026-23285
Metrics	threat_severity `None`	threat_severity `Moderate`

Wed, 25 Mar 2026 22:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476

Wed, 25 Mar 2026 10:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: drbd: fix null-pointer dereference on local read error In drbd_request_endio(), READ_COMPLETED_WITH_ERROR is passed to __req_mod() with a NULL peer_device: __req_mod(req, what, NULL, &m); The READ_COMPLETED_WITH_ERROR handler then unconditionally passes this NULL peer_device to drbd_set_out_of_sync(), which dereferences it, causing a null-pointer dereference. Fix this by obtaining the peer_device via first_peer_device(device), matching how drbd_req_destroy() handles the same situation.
Title		drbd: fix null-pointer dereference on local read error
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0d195d3b205ca90db30d70d09d7bb6909aac178f https://git.kernel.org/stable/c/1e906c08594c8f9a6a524f38ede2c4e051196106 https://git.kernel.org/stable/c/4e8935053ba389ae8d6685c10854d8021931bd89 https://git.kernel.org/stable/c/6f1d1614f841d91a4169db65812ffd1271735b42 https://git.kernel.org/stable/c/91df51d2df0ca4fd3281f73626341563d64a98a5

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-03-25T10:26:44.698Z

Updated: 2026-05-11T22:03:54.818Z

Reserved: 2026-01-13T15:37:45.992Z

Link: CVE-2026-23285

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-03-25T11:16:23.247

Modified: 2026-05-22T00:12:09.970

Link: CVE-2026-23285

Redhat

Severity : Moderate

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23285 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-22T01:30:23Z

Weaknesses

CWE-476

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object