Description
In the Linux kernel, the following vulnerability has been resolved:

accel/rocket: fix unwinding in error path in rocket_probe

When rocket_core_init() fails (as could be the case with EPROBE_DEFER),
we need to properly unwind by decrementing the counter we just
incremented and if this is the first core we failed to probe, remove the
rocket DRM device with rocket_device_fini() as well. This matches the
logic in rocket_remove(). Failing to properly unwind results in
out-of-bounds accesses.
Published: 2026-03-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Out-of-bounds kernel memory corruption
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is in the Linux kernel's accel/rocket driver. If rocket_core_init() fails during probe, the error path does not decrement the counter it just incremented and does not remove the rocket DRM device, which leads to out-of-bounds accesses. This missing cleanup can corrupt kernel memory, potentially causing system crashes or privilege escalation.
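
The unwinding rule from the description, as a user-space C model added here for illustration (not the rocket driver's code): `model_dev`, `rdev` as a global, and every `model_*` function are hypothetical stand-ins, and only the counter-and-fini logic is modelled. It compares the counter left behind by repeated failing probes with and without the unwind.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define MODEL_EPROBE_DEFER 517  /* kernel-internal value, absent from userspace errno.h */

/* Hypothetical stand-in for the shared DRM device; not the driver's struct. */
struct model_dev { int num_cores; };
static struct model_dev *rdev;

static void model_device_fini(void) { free(rdev); rdev = NULL; }

/* Stand-in for rocket_core_init(): fails on demand, as with a deferred probe. */
static int model_core_init(int fail) { return fail ? -MODEL_EPROBE_DEFER : 0; }

/* Unwind used by the fixed probe error path (assumed to mirror remove). */
static void model_unwind(void)
{
    rdev->num_cores--;
    if (rdev->num_cores == 0)
        model_device_fini();
}

/* fixed = 0 models the pre-fix error path, fixed = 1 the unwinding one. */
static int model_probe(int fail, int fixed)
{
    if (!rdev && !(rdev = calloc(1, sizeof(*rdev))))
        return -ENOMEM;
    rdev->num_cores++;                 /* counted before init is attempted */
    int ret = model_core_init(fail);
    if (ret && fixed)
        model_unwind();
    return ret;
}

/* Retry a failing probe n times; return the counter left behind (0 if freed). */
static int count_after_deferred_retries(int n, int fixed)
{
    for (int i = 0; i < n; i++)
        model_probe(1, fixed);
    int left = rdev ? rdev->num_cores : 0;
    if (rdev)
        model_device_fini();           /* reset the model between runs */
    return left;
}

int main(void)
{
    printf("pre-fix: %d, fixed: %d\n",
           count_after_deferred_retries(4, 0), count_after_deferred_retries(4, 1));
    return 0;
}
```

In the model, the pre-fix path leaves a counter that no longer matches the number of initialised cores, while the unwinding path returns it to zero and frees the device.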

Affected Systems

The affected product is the Linux kernel across all distributions. The CPE indicates cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*. No specific vendor product versions are listed; the issue is present in any kernel build containing the rocket driver before the patch commit.

Risk and Exploitability

The CVSS score is not provided, but the EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, suggesting a low overall likelihood of exploitation. The flaw requires the driver to be loaded and for an error condition (such as EPROBE_DEFER) to occur, so the attack vector is largely local and dependent on kernel execution context.

Generated by OpenCVE AI on March 26, 2026 at 14:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a kernel version that includes the rocket driver fix
  • Reboot the system after applying the kernel update
  • If an update is not possible immediately, blacklist the rocket module to prevent loading it
  • Monitor kernel logs for rocket_probe errors to identify unresolved issues



Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122

Thu, 26 Mar 2026 00:15:00 +0000


Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: accel/rocket: fix unwinding in error path in rocket_probe When rocket_core_init() fails (as could be the case with EPROBE_DEFER), we need to properly unwind by decrementing the counter we just incremented and if this is the first core we failed to probe, remove the rocket DRM device with rocket_device_fini() as well. This matches the logic in rocket_remove(). Failing to properly unwind results in out-of-bounds accesses.
Title accel/rocket: fix unwinding in error path in rocket_probe
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-13T06:04:01.841Z

Reserved: 2026-01-13T15:37:45.993Z

Link: CVE-2026-23305

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-03-25T11:16:26.347

Modified: 2026-03-25T15:41:33.977

Link: CVE-2026-23305

Redhat

Severity:

Public Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23305 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T09:50:02Z

Weaknesses