{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23288", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.992Z", "datePublished": "2026-03-25T10:26:47.458Z", "dateUpdated": "2026-03-25T10:26:47.458Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:26:47.458Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/amdxdna: Fix out-of-bounds memset in command slot handling\n\nThe remaining space in a command slot may be smaller than the size of\nthe command header. Clearing the command header with memset() before\nverifying the available slot space can result in an out-of-bounds write\nand memory corruption.\n\nFix this by moving the memset() call after the size validation."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/accel/amdxdna/aie2_message.c"], "versions": [{"version": "13ae1a6000f7d8b09478e3128e87d45e89c7282f", "lessThan": "cca770d710d5e03bc814af585cd6975eb6d74074", "status": "affected", "versionType": "git"}, {"version": "3d32eb7a5ecff92d83a5fd34c45c171c17d3d5d0", "lessThan": "1110a949675ebd56b3f0286e664ea543f745801c", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/accel/amdxdna/aie2_message.c"], "versions": [{"version": "7.0-rc1", "status": "affected"}, {"version": "0", "lessThan": "7.0-rc1", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19.4", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0-rc1", "versionEndExcluding": "7.0-rc2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/cca770d710d5e03bc814af585cd6975eb6d74074"}, {"url": "https://git.kernel.org/stable/c/1110a949675ebd56b3f0286e664ea543f745801c"}], "title": "accel/amdxdna: Fix out-of-bounds memset in command slot handling", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/amdxdna: Fix out-of-bounds memset in command slot handling\n\nThe remaining space in a command slot may be smaller than the size of\nthe command header. Clearing the command header with memset() before\nverifying the available slot space can result in an out-of-bounds write\nand memory corruption.\n\nFix this by moving the memset() call after the size validation."}], "id": "CVE-2026-23288", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:23.767", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1110a949675ebd56b3f0286e664ea543f745801c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cca770d710d5e03bc814af585cd6975eb6d74074"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: accel/amdxdna: Fix out-of-bounds memset in command slot handling", "id": "2451274", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451274"}, "csaw": false, "cwe": "CWE-131", "details": ["A flaw was found in the Linux kernel's accel/amdxdna component. This vulnerability occurs when clearing a command header with `memset()` before verifying the available slot space, which can be smaller than the header size. This can lead to an out-of-bounds write and memory corruption. An attacker could potentially exploit this to cause a denial of service or other unpredictable system behavior."], "name": "CVE-2026-23288", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23288\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23288\nhttps://lore.kernel.org/linux-cve-announce/2026032524-CVE-2026-23288-1d11@gregkh/T"]}

{"analysis": {"en": {"generated_at": "2026-03-25T13:08:40.187404+00:00", "value": {"mitigation_remediation": ["Apply a kernel update that includes the commit moving the memset after size validation (e.g., commit 1110a949675ebd56b3f0286e664ea543f745801c).", "If a kernel update is not immediately available, restrict access to the AMD XDNA device to trusted users or disable the device/module to reduce exposure.", "Verify that the patched code is present by checking the kernel source or package metadata for the relevant commit.", "Monitor vendor advisories for further updates or mitigations."], "summary": {"action": "Patch", "impact": "Kernel memory corruption"}, "threat_synthesis": {"affected_systems": "Any Linux kernel that includes the accel/amdxdna module and has not yet incorporated the patch that moves the memset() after the size validation is affected. The advisory does not list specific kernel releases, so versions from recent distributions that have not applied the commits (e.g., those before the integration of commit 1110a949675ebd56b3f0286e664ea543f745801c) remain vulnerable. Kernel maintainers should verify that the code contains the updated logic or does not ship the vulnerable module.", "description_and_impact": "The flaw occurs in the accel/amdxdna driver of the Linux kernel. A call to memset() clears the command header before the driver verifies that the command slot is large enough to hold the data. If the available space is smaller than the header size, the memset() writes past the end of the buffer, corrupting memory in the kernel. This out\u2011of\u2011bounds write can overwrite kernel data structures and potentially allow an attacker to gain elevated privileges or execute arbitrary code at kernel level. The weakness is classified as a classic buffer overflow (CWE\u2011119).", "risk_and_exploitability": "No CVSS score is provided, and the EPSS score is unavailable; the vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires an attacker to send a crafted command to the AMD XDNA interface exposed by the driver. Thus, environments where the interface is reachable by untrusted users or processes pose a higher risk. While the exact likelihood of exploitation cannot be quantified from the available data, the memory corruption could be leveraged for privilege escalation if successfully triggered. Administrators should treat the issue as a risk requiring timely patching."}}}}, "created": "2026-03-25T21:15:42.288140+00:00", "updated": "2026-03-25T21:15:42.288171+00:00", "vendors": []}