{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23354", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.000Z", "datePublished": "2026-03-25T10:27:38.825Z", "dateUpdated": "2026-03-25T10:27:38.825Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:27:38.825Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fred: Correct speculative safety in fred_extint()\n\narray_index_nospec() is no use if the result gets spilled to the stack, as\nit makes the believed safe-under-speculation value subject to memory\npredictions.\n\nFor all practical purposes, this means array_index_nospec() must be used in\nthe expression that accesses the array.\n\nAs the code currently stands, it's the wrong side of irqentry_enter(), and\n'index' is put into %ebp across the function call.\n\nRemove the index variable and reposition array_index_nospec(), so it's\ncalculated immediately before the array access."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/x86/entry/entry_fred.c"], "versions": [{"version": "14619d912b658ecd9573fb88400d3830a29cadcb", "lessThan": "3bc5887b0a2b06d2d9c22f1f4f8500490b3ae643", "status": "affected", "versionType": "git"}, {"version": "14619d912b658ecd9573fb88400d3830a29cadcb", "lessThan": "e58f1a9b0677de24dcfee0b21393446ec92ff120", "status": "affected", "versionType": "git"}, {"version": "14619d912b658ecd9573fb88400d3830a29cadcb", "lessThan": "92caa5274b99cb6729177232a029ce0dfa6c5f7b", "status": "affected", "versionType": "git"}, {"version": "14619d912b658ecd9573fb88400d3830a29cadcb", "lessThan": "aa280a08e7d8fae58557acc345b36b3dc329d595", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/x86/entry/entry_fred.c"], "versions": [{"version": "6.9", "status": "affected"}, {"version": "0", "lessThan": "6.9", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "7.0-rc2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/3bc5887b0a2b06d2d9c22f1f4f8500490b3ae643"}, {"url": "https://git.kernel.org/stable/c/e58f1a9b0677de24dcfee0b21393446ec92ff120"}, {"url": "https://git.kernel.org/stable/c/92caa5274b99cb6729177232a029ce0dfa6c5f7b"}, {"url": "https://git.kernel.org/stable/c/aa280a08e7d8fae58557acc345b36b3dc329d595"}], "title": "x86/fred: Correct speculative safety in fred_extint()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fred: Correct speculative safety in fred_extint()\n\narray_index_nospec() is no use if the result gets spilled to the stack, as\nit makes the believed safe-under-speculation value subject to memory\npredictions.\n\nFor all practical purposes, this means array_index_nospec() must be used in\nthe expression that accesses the array.\n\nAs the code currently stands, it's the wrong side of irqentry_enter(), and\n'index' is put into %ebp across the function call.\n\nRemove the index variable and reposition array_index_nospec(), so it's\ncalculated immediately before the array access."}], "id": "CVE-2026-23354", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:33.963", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3bc5887b0a2b06d2d9c22f1f4f8500490b3ae643"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/92caa5274b99cb6729177232a029ce0dfa6c5f7b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/aa280a08e7d8fae58557acc345b36b3dc329d595"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e58f1a9b0677de24dcfee0b21393446ec92ff120"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: x86/fred: Correct speculative safety in fred_extint()", "id": "2451232", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451232"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-1037", "details": ["A flaw was found in the Linux kernel. This vulnerability affects the handling of speculative execution, a technique used by modern processors to improve performance. A protection mechanism intended to prevent information leakage can be bypassed when its result is temporarily stored in memory, making it vulnerable to memory prediction attacks. This could allow a local attacker to potentially gain access to sensitive information or circumvent security safeguards."], "name": "CVE-2026-23354", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23354\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23354\nhttps://lore.kernel.org/linux-cve-announce/2026032537-CVE-2026-23354-d9b2@gregkh/T"], "statement": "This flaw affects x86 systems using FRED (Flexible Return and Event Delivery) interrupt handling. The array_index_nospec() protection is ineffective when the sanitized value is spilled to stack before the array access, making it vulnerable to memory prediction attacks. FRED is a newer x86 feature not present on all systems, and exploiting this requires sophisticated speculative execution attacks.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-03-25T12:27:45.320853+00:00", "value": {"mitigation_remediation": ["Upgrade the Linux kernel to a version that includes the patch that moves array_index_nospec() before array access.", "Verify that the running kernel contains the patch, for example by inspecting the source or kernel changelog.", "If using a custom or older kernel, apply the patch manually or rebuild the kernel with the updated source.", "As a temporary measure, restrict local users from gaining kernel privileges or disable services that could trigger fred_extint."], "summary": {"action": "Apply Patch", "impact": "Speculative Data Leak"}, "threat_synthesis": {"affected_systems": "The vulnerability affects any Linux kernel build for x86 that includes the fred path before the patch that relocates array_index_nospec(). Specific kernel versions are not enumerated in the advisory, so any kernel on x86 that predates the referenced commits is potentially impacted. Both 32\u2011bit and 64\u2011bit configurations are relevant.", "description_and_impact": "The Linux x86 kernel contains a flaw in the fred_extint routine where the array index helper array_index_nospec() is positioned after the entry into the interrupt handler, causing the calculated index to be stored in %ebp before the array is accessed. This allows speculative execution paths to reference memory locations that are not intended to be readable, creating a potential data\u2011leak channel that could expose kernel memory to a privileged attacker.", "risk_and_exploitability": "No CVSS or EPSS score is provided, and the vulnerability is not listed in the CISA KEV catalog, implying there are no publicly documented exploits. Exploitation requires a local attacker with kernel\u2011level privileges or the ability to trigger the fred_extint function, making the attack vector internal to the system. The risk to remote attackers is low, but systems with untrusted local users or compromised root accounts could use this flaw to read kernel memory."}}}}, "created": "2026-03-25T21:32:01.272696+00:00", "updated": "2026-03-25T21:32:01.272723+00:00", "vendors": [], "weaknesses": ["CWE-119", "CWE-846"]}