Description
In the Linux kernel, the following vulnerability has been resolved:

drm/client: Do not destroy NULL modes

'modes' in drm_client_modeset_probe may fail to kcalloc. If this
occurs, we jump to 'out', calling modes_destroy on it, which
dereferences it. This may result in a NULL pointer dereference in the
error case. Prevent that.
Published: 2026-03-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Kernel crash/Denial of Service
Action: Patch
AI Analysis

Impact

A missing NULL check in the DRM client's mode-set probe means that a failed allocation of the modes array leads to a NULL pointer dereference when the error path calls modes_destroy on an array that was never allocated. The result is a kernel crash, i.e. a denial of service. The record initially classified the weakness as CWE-824 (access of uninitialized pointer); the behaviour described is a NULL pointer dereference, CWE-476, which later replaced it in the record (see History).
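The error path from the description, modelled as an added C example that is not the kernel's own drm_client_modeset_probe() code: a simulated kcalloc() failure jumps to the out label, and modes_destroy() tolerates the NULL array instead of indexing it. The names kcalloc_sim, modeset_probe, force_alloc_failure and the struct layout are assumptions made for this illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical stand-in for the kernel's mode structure (not the DRM code). */
struct drm_display_mode { int hdisplay, vdisplay; };

/* Constructed allocation hook so a caller can force the kcalloc() failure. */
static int force_alloc_failure;
static void *kcalloc_sim(size_t n, size_t size)
{
    return force_alloc_failure ? NULL : calloc(n, size);
}

/* Hardened destroy: a NULL array (failed allocation) has nothing to free. */
static void modes_destroy(struct drm_display_mode **modes, unsigned int count)
{
    if (!modes)          /* the missing check: without it the loop below */
        return;          /* indexes a NULL pointer and the kernel oopses */
    for (unsigned int i = 0; i < count; i++)
        free(modes[i]);  /* free(NULL) is fine for entries never filled in */
    free(modes);
}

/* Probe modelled on the goto-out cleanup pattern from the description.
 * Returns 0 on success or -ENOMEM; either way it passes through 'out'. */
static int modeset_probe(unsigned int connector_count)
{
    struct drm_display_mode **modes;
    int ret = 0;

    modes = kcalloc_sim(connector_count, sizeof(*modes));
    if (!modes) {
        ret = -ENOMEM;
        goto out;        /* reaches modes_destroy() with modes == NULL */
    }
    for (unsigned int i = 0; i < connector_count; i++) {
        modes[i] = calloc(1, sizeof(**modes));
        if (!modes[i]) {
            ret = -ENOMEM;
            goto out;    /* partially filled array: remaining slots are NULL */
        }
        modes[i]->hdisplay = 1920;
        modes[i]->vdisplay = 1080;
    }
out:
    modes_destroy(modes, connector_count);   /* safe on both paths */
    return ret;
}
```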

Affected Systems

The vulnerability affects the Linux kernel's DRM client code. At the time of this analysis the CPE string covered all Linux kernel builds and no specific versions were listed, so any kernel that includes the DRM subsystem and has not applied the upstream patch should be treated as vulnerable. (The record was later updated with CPEs for 6.16 and the 7.0 release candidates; see History.)

Risk and Exploitability

The CVSS score of 5.5 indicates medium severity, and the EPSS score below 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not catalogued in CISA's KEV list. The attack vector is local (CVSS AV:L): a user or process able to trigger the DRM mode-set probe path while memory allocation fails could crash the kernel. Nothing in the available data indicates remote exploitability.

Generated by OpenCVE AI on March 26, 2026 at 03:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest kernel update that incorporates the fix for the NULL pointer dereference in drm_client_modeset_probe; the commit references in the official advisory point to the exact patch. If an immediate update is not possible, consider disabling the DRM subsystem or the specific driver until the patch is applied. Monitor system logs for DRM-related errors, in particular kernel oops messages reporting a NULL pointer dereference with drm_client_modeset_probe in the call trace, which would indicate that the failing error path was hit.


Advisories

No advisories yet.

History

Fri, 24 Apr 2026 18:45:00 +0000

  Weaknesses (values added): CWE-476
  CPEs (values added):
    cpe:2.3:o:linux:linux_kernel:6.16:-:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
    cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Thu, 26 Mar 2026 00:15:00 +0000

  Weaknesses (values added): CWE-824
  References:
  Metrics (values removed): threat_severity: None
  Metrics (values added): cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}; threat_severity: Low

Wed, 25 Mar 2026 10:45:00 +0000

  Description (values added): the text shown under Description above
  Title (values added): drm/client: Do not destroy NULL modes
  First Time appeared: Linux; Linux linux Kernel
  CPEs (values added): cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  Vendors & Products (values added): Linux; Linux linux Kernel
  References:

MITRE

Status: PUBLISHED
Assigner: Linux
Published:
Updated: 2026-04-13T06:05:55.022Z
Reserved: 2026-01-13T15:37:46.002Z
Link: CVE-2026-23366

Vulnrichment

No data.

NVD

Status: Analyzed
Published: 2026-03-25T11:16:35.873
Modified: 2026-04-24T18:41:12.913
Link: CVE-2026-23366

Redhat

Severity: Low
Public Date: 2026-03-25T00:00:00Z
Links: CVE-2026-23366 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-26T12:15:52Z
Weaknesses