Description
In the Linux kernel, the following vulnerability has been resolved:

accel/amdxdna: Fix out-of-bounds memset in command slot handling

The remaining space in a command slot may be smaller than the size of
the command header. Clearing the command header with memset() before
verifying the available slot space can result in an out-of-bounds write
and memory corruption.

Fix this by moving the memset() call after the size validation.
Published: 2026-03-25
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An out-of-bounds write occurs while clearing a command header in the Linux kernel's AMD XDNA acceleration driver. The memset call is performed before the code verifies that the command slot has sufficient space, allowing the buffer to be overwritten beyond its end. This memory corruption could enable an attacker to alter kernel memory or execute arbitrary code, compromising system integrity.

Affected Systems

The vulnerability is present in the Linux kernel inside the accel/amdxdna module. All kernel versions that include the unpatched copy of this driver are affected. The specific versions impacted are not listed in the advisory, but the patch commit 1110a949 has been merged into the mainline kernel, so any system running a kernel older than the commit line is at risk.

Risk and Exploitability

The CVSS score of 7.8 classifies it as a high severity issue. EPSS indicates a very low likelihood of exploitation (<1%), and it is not listed in the CISA KEV catalog. The flaw is local to systems that load the AMD XDNA driver; based on the description, it is inferred that an attacker would need local or privileged access to exploit it. Nonetheless, due to the potential for kernel compromise, the risk justifies prompt correction.

Generated by OpenCVE AI on May 29, 2026 at 18:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel that includes the AMD XDNA driver fix.
  • If an immediate kernel upgrade is not possible, unload or disable the accel/amdxdna module to prevent use of the vulnerable code path.
  • Maintain alertness to new kernel exploits and apply future security updates as they become available.

Generated by OpenCVE AI on May 29, 2026 at 18:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-131
References

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Fix out-of-bounds memset in command slot handling The remaining space in a command slot may be smaller than the size of the command header. Clearing the command header with memset() before verifying the available slot space can result in an out-of-bounds write and memory corruption. Fix this by moving the memset() call after the size validation.
Title accel/amdxdna: Fix out-of-bounds memset in command slot handling
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:03:58.297Z

Reserved: 2026-01-13T15:37:45.992Z

Link: CVE-2026-23288

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T11:16:23.767

Modified: 2026-06-17T10:21:15.733

Link: CVE-2026-23288

cve-icon Redhat

Severity :

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23288 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T18:15:04Z

Weaknesses
  • CWE-125

    Out-of-bounds Read

  • CWE-131

    Incorrect Calculation of Buffer Size