{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23348", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.999Z", "datePublished": "2026-03-25T10:27:34.462Z", "dateUpdated": "2026-03-25T10:27:34.462Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:27:34.462Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl: Fix race of nvdimm_bus object when creating nvdimm objects\n\nFound issue during running of cxl-translate.sh unit test. Adding a 3s\nsleep right before the test seems to make the issue reproduce fairly\nconsistently. The cxl_translate module has dependency on cxl_acpi and\ncauses orphaned nvdimm objects to reprobe after cxl_acpi is removed.\nThe nvdimm_bus object is registered by the cxl_nvb object when\ncxl_acpi_probe() is called. With the nvdimm_bus object missing,\n__nd_device_register() will trigger NULL pointer dereference when\naccessing the dev->parent that points to &nvdimm_bus->dev.\n\n[ 192.884510] BUG: kernel NULL pointer dereference, address: 000000000000006c\n[ 192.895383] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20250812-19.fc42 08/12/2025\n[ 192.897721] Workqueue: cxl_port cxl_bus_rescan_queue [cxl_core]\n[ 192.899459] RIP: 0010:kobject_get+0xc/0x90\n[ 192.924871] Call Trace:\n[ 192.925959] <TASK>\n[ 192.926976] ? pm_runtime_init+0xb9/0xe0\n[ 192.929712] __nd_device_register.part.0+0x4d/0xc0 [libnvdimm]\n[ 192.933314] __nvdimm_create+0x206/0x290 [libnvdimm]\n[ 192.936662] cxl_nvdimm_probe+0x119/0x1d0 [cxl_pmem]\n[ 192.940245] cxl_bus_probe+0x1a/0x60 [cxl_core]\n[ 192.943349] really_probe+0xde/0x380\n\nThis patch also relies on the previous change where\ndevm_cxl_add_nvdimm_bridge() is called from drivers/cxl/pmem.c instead\nof drivers/cxl/core.c to ensure the dependency of cxl_acpi on cxl_pmem.\n\n1. Set probe_type of cxl_nvb to PROBE_FORCE_SYNCHRONOUS to ensure the\n driver is probed synchronously when add_device() is called.\n2. Add a check in __devm_cxl_add_nvdimm_bridge() to ensure that the\n cxl_nvb driver is attached during cxl_acpi_probe().\n3. Take the cxl_root uport_dev lock and the cxl_nvb->dev lock in\n devm_cxl_add_nvdimm() before checking nvdimm_bus is valid.\n4. Set cxl_nvdimm flag to CXL_NVD_F_INVALIDATED so cxl_nvdimm_probe()\n will exit with -EBUSY.\n\nThe removal of cxl_nvdimm devices should prevent any orphaned devices\nfrom probing once the nvdimm_bus is gone.\n\n[ dj: Fixed 0-day reported kdoc issue. ]\n[ dj: Fix cxl_nvb reference leak on error. Gregory (kreview-0811365) ]"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/cxl/core/pmem.c", "drivers/cxl/cxl.h", "drivers/cxl/pmem.c"], "versions": [{"version": "8fdcb1704f61a8fd9be0f3849a174d084def0666", "lessThan": "5fc4e150c5ada5f7d20d8f9f1b351f10481fbdf7", "status": "affected", "versionType": "git"}, {"version": "8fdcb1704f61a8fd9be0f3849a174d084def0666", "lessThan": "5b230daeee420833287cc77314439903e5312f10", "status": "affected", "versionType": "git"}, {"version": "8fdcb1704f61a8fd9be0f3849a174d084def0666", "lessThan": "96a1fd0d84b17360840f344826897fa71049870e", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/cxl/core/pmem.c", "drivers/cxl/cxl.h", "drivers/cxl/pmem.c"], "versions": [{"version": "5.14", "status": "affected"}, {"version": "0", "lessThan": "5.14", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.14", "versionEndExcluding": "7.0-rc2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/5fc4e150c5ada5f7d20d8f9f1b351f10481fbdf7"}, {"url": "https://git.kernel.org/stable/c/5b230daeee420833287cc77314439903e5312f10"}, {"url": "https://git.kernel.org/stable/c/96a1fd0d84b17360840f344826897fa71049870e"}], "title": "cxl: Fix race of nvdimm_bus object when creating nvdimm objects", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl: Fix race of nvdimm_bus object when creating nvdimm objects\n\nFound issue during running of cxl-translate.sh unit test. Adding a 3s\nsleep right before the test seems to make the issue reproduce fairly\nconsistently. The cxl_translate module has dependency on cxl_acpi and\ncauses orphaned nvdimm objects to reprobe after cxl_acpi is removed.\nThe nvdimm_bus object is registered by the cxl_nvb object when\ncxl_acpi_probe() is called. With the nvdimm_bus object missing,\n__nd_device_register() will trigger NULL pointer dereference when\naccessing the dev->parent that points to &nvdimm_bus->dev.\n\n[ 192.884510] BUG: kernel NULL pointer dereference, address: 000000000000006c\n[ 192.895383] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20250812-19.fc42 08/12/2025\n[ 192.897721] Workqueue: cxl_port cxl_bus_rescan_queue [cxl_core]\n[ 192.899459] RIP: 0010:kobject_get+0xc/0x90\n[ 192.924871] Call Trace:\n[ 192.925959] <TASK>\n[ 192.926976] ? pm_runtime_init+0xb9/0xe0\n[ 192.929712] __nd_device_register.part.0+0x4d/0xc0 [libnvdimm]\n[ 192.933314] __nvdimm_create+0x206/0x290 [libnvdimm]\n[ 192.936662] cxl_nvdimm_probe+0x119/0x1d0 [cxl_pmem]\n[ 192.940245] cxl_bus_probe+0x1a/0x60 [cxl_core]\n[ 192.943349] really_probe+0xde/0x380\n\nThis patch also relies on the previous change where\ndevm_cxl_add_nvdimm_bridge() is called from drivers/cxl/pmem.c instead\nof drivers/cxl/core.c to ensure the dependency of cxl_acpi on cxl_pmem.\n\n1. Set probe_type of cxl_nvb to PROBE_FORCE_SYNCHRONOUS to ensure the\n driver is probed synchronously when add_device() is called.\n2. Add a check in __devm_cxl_add_nvdimm_bridge() to ensure that the\n cxl_nvb driver is attached during cxl_acpi_probe().\n3. Take the cxl_root uport_dev lock and the cxl_nvb->dev lock in\n devm_cxl_add_nvdimm() before checking nvdimm_bus is valid.\n4. Set cxl_nvdimm flag to CXL_NVD_F_INVALIDATED so cxl_nvdimm_probe()\n will exit with -EBUSY.\n\nThe removal of cxl_nvdimm devices should prevent any orphaned devices\nfrom probing once the nvdimm_bus is gone.\n\n[ dj: Fixed 0-day reported kdoc issue. ]\n[ dj: Fix cxl_nvb reference leak on error. Gregory (kreview-0811365) ]"}], "id": "CVE-2026-23348", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:33.050", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5b230daeee420833287cc77314439903e5312f10"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5fc4e150c5ada5f7d20d8f9f1b351f10481fbdf7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/96a1fd0d84b17360840f344826897fa71049870e"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: cxl: Fix race of nvdimm_bus object when creating nvdimm objects", "id": "2451259", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451259"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-820", "details": ["A flaw was found in the Linux kernel, specifically within the CXL (Compute Express Link) and NVDIMM (Non-Volatile Dual In-line Memory Module) subsystems. A race condition can occur when NVDIMM objects attempt to reprobe after the `cxl_acpi` module is removed, while the `nvdimm_bus` object is missing. This can lead to a null pointer dereference, causing the system to crash and resulting in a Denial of Service (DoS)."], "name": "CVE-2026-23348", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23348\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23348\nhttps://lore.kernel.org/linux-cve-announce/2026032536-CVE-2026-23348-e792@gregkh/T"], "statement": "This flaw affects systems with CXL memory devices and NVDIMM support. The race occurs during module unload/reload sequences when orphaned nvdimm objects reprobe after cxl_acpi removal. The missing nvdimm_bus causes NULL dereference in __nd_device_register(). Primarily affects CXL-capable systems during module operations.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-03-25T13:05:56.996270+00:00", "value": {"mitigation_remediation": ["Apply the latest Linux kernel release that incorporates the commit fixing the CXL NVDIMM race condition, or backport the relevant patch into your custom kernel.", "Rebuild and install the kernel after the patch is applied to ensure the fix is active.", "Verify that the cxl_acpi and cxl_pmem drivers remain loaded until all CXL/NVDIMM devices are fully initialized, and avoid prematurely removing them.", "Monitor kernel logs for occurrences of \"BUG: kernel NULL pointer dereference\" related to cxl or nvdimm, and re\u2011apply the patch if the issue recurs."], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "All Linux kernel releases that include the CXL and NVDIMM kernel modules before the given commit are affected. This includes upstream kernels and any vendor kernel packages or custom builds that contain those drivers. The issue can surface in virtualised environments such as QEMU running the cxl-translate test suite, as well as in physical systems that expose CXL devices or hot\u2011plug CXL/NVDIMM hardware.", "description_and_impact": "The kernel contains a race condition in the CXL driver that causes an orphaned nvdimm_bus object to be dereferenced while a new nvdimm device is being created. The bug leads to a NULL pointer dereference inside __nd_device_register(), resulting in a BUG: kernel NULL pointer dereference and a kernel panic. The impact is a loss of availability; it does not provide privilege escalation or code execution capabilities. The flaw is triggered during device enumeration when cxl_acpi is removed before the nvdimm probe finishes, which can be observed by adding a delay in unit tests.", "risk_and_exploitability": "The CVSS score is not provided and EPSS data are missing, so quantitative risk cannot be determined. The vulnerability is not listed in the CISA KEV catalog. Because the bug arises from a timing race during driver enumeration, an attacker would need to trigger the race by manipulating device removal or power events, which is non\u2011trivial and likely limited to environments with privileged access. However, a successful race would still result in a kernel panic and a denial of service, which is a high\u2011impact outcome."}}}}, "created": "2026-03-25T21:32:06.888108+00:00", "updated": "2026-03-25T21:32:06.888185+00:00", "vendors": [], "weaknesses": ["CWE-476", "CWE-362"]}