{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23369", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.003Z", "datePublished": "2026-03-25T10:27:50.705Z", "dateUpdated": "2026-03-25T10:27:50.705Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:27:50.705Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: i801: Revert \"i2c: i801: replace acpi_lock with I2C bus lock\"\n\nThis reverts commit f707d6b9e7c18f669adfdb443906d46cfbaaa0c1.\n\nUnder rare circumstances, multiple udev threads can collect i801 device\ninfo on boot and walk i801_acpi_io_handler somewhat concurrently. The\nfirst will note the area is reserved by acpi to prevent further touches.\nThis ultimately causes the area to be deregistered. The second will\nenter i801_acpi_io_handler after the area is unregistered but before a\ncheck can be made that the area is unregistered. i2c_lock_bus relies on\nthe now unregistered area containing lock_ops to lock the bus. The end\nresult is a kernel panic on boot with the following backtrace;\n\n[ 14.971872] ioatdma 0000:09:00.2: enabling device (0100 -> 0102)\n[ 14.971873] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[ 14.971880] #PF: supervisor read access in kernel mode\n[ 14.971884] #PF: error_code(0x0000) - not-present page\n[ 14.971887] PGD 0 P4D 0\n[ 14.971894] Oops: 0000 [#1] PREEMPT SMP PTI\n[ 14.971900] CPU: 5 PID: 956 Comm: systemd-udevd Not tainted 5.14.0-611.5.1.el9_7.x86_64 #1\n[ 14.971905] Hardware name: XXXXXXXXXXXXXXXXXXXXXXX BIOS 1.20.10.SV91 01/30/2023\n[ 14.971908] RIP: 0010:i801_acpi_io_handler+0x2d/0xb0 [i2c_i801]\n[ 14.971929] Code: 00 00 49 8b 40 20 41 57 41 56 4d 8b b8 30 04 00 00 49 89 ce 41 55 41 89 d5 41 54 49 89 f4 be 02 00 00 00 55 4c 89 c5 53 89 fb <48> 8b 00 4c 89 c7 e8 18 61 54 e9 80 bd 80 04 00 00 00 75 09 4c 3b\n[ 14.971933] RSP: 0018:ffffbaa841483838 EFLAGS: 00010282\n[ 14.971938] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9685e01ba568\n[ 14.971941] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000000000000\n[ 14.971944] RBP: ffff9685ca22f028 R08: ffff9685ca22f028 R09: ffff9685ca22f028\n[ 14.971948] R10: 000000000000000b R11: 0000000000000580 R12: 0000000000000580\n[ 14.971951] R13: 0000000000000008 R14: ffff9685e01ba568 R15: ffff9685c222f000\n[ 14.971954] FS: 00007f8287c0ab40(0000) GS:ffff96a47f940000(0000) knlGS:0000000000000000\n[ 14.971959] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 14.971963] CR2: 0000000000000000 CR3: 0000000168090001 CR4: 00000000003706f0\n[ 14.971966] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 14.971968] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 14.971972] Call Trace:\n[ 14.971977] <TASK>\n[ 14.971981] ? show_trace_log_lvl+0x1c4/0x2df\n[ 14.971994] ? show_trace_log_lvl+0x1c4/0x2df\n[ 14.972003] ? acpi_ev_address_space_dispatch+0x16e/0x3c0\n[ 14.972014] ? __die_body.cold+0x8/0xd\n[ 14.972021] ? page_fault_oops+0x132/0x170\n[ 14.972028] ? exc_page_fault+0x61/0x150\n[ 14.972036] ? asm_exc_page_fault+0x22/0x30\n[ 14.972045] ? i801_acpi_io_handler+0x2d/0xb0 [i2c_i801]\n[ 14.972061] acpi_ev_address_space_dispatch+0x16e/0x3c0\n[ 14.972069] ? __pfx_i801_acpi_io_handler+0x10/0x10 [i2c_i801]\n[ 14.972085] acpi_ex_access_region+0x5b/0xd0\n[ 14.972093] acpi_ex_field_datum_io+0x73/0x2e0\n[ 14.972100] acpi_ex_read_data_from_field+0x8e/0x230\n[ 14.972106] acpi_ex_resolve_node_to_value+0x23d/0x310\n[ 14.972114] acpi_ds_evaluate_name_path+0xad/0x110\n[ 14.972121] acpi_ds_exec_end_op+0x321/0x510\n[ 14.972127] acpi_ps_parse_loop+0xf7/0x680\n[ 14.972136] acpi_ps_parse_aml+0x17a/0x3d0\n[ 14.972143] acpi_ps_execute_method+0x137/0x270\n[ 14.972150] acpi_ns_evaluate+0x1f4/0x2e0\n[ 14.972158] acpi_evaluate_object+0x134/0x2f0\n[ 14.972164] acpi_evaluate_integer+0x50/0xe0\n[ 14.972173] ? vsnprintf+0x24b/0x570\n[ 14.972181] acpi_ac_get_state.part.0+0x23/0x70\n[ 14.972189] get_ac_property+0x4e/0x60\n[ 14.972195] power_supply_show_property+0x90/0x1f0\n[ 14.972205] add_prop_uevent+0x29/0x90\n[ 14.972213] power_supply_uevent+0x109/0x1d0\n[ 14.972222] dev_uevent+0x10e/0x2f0\n[ 14.972228] uevent_show+0x8e/0x100\n[ 14.972236] dev_attr_show+0x19\n---truncated---"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/i2c/busses/i2c-i801.c"], "versions": [{"version": "f707d6b9e7c18f669adfdb443906d46cfbaaa0c1", "lessThan": "9507f9953a2a5647eb42668d0c243fdbd7e72954", "status": "affected", "versionType": "git"}, {"version": "f707d6b9e7c18f669adfdb443906d46cfbaaa0c1", "lessThan": "1c72e7b0b442ce21a1348d9b8237cfddb67048eb", "status": "affected", "versionType": "git"}, {"version": "f707d6b9e7c18f669adfdb443906d46cfbaaa0c1", "lessThan": "c726273044a5a8308a889d19d6884135c0f3321d", "status": "affected", "versionType": "git"}, {"version": "f707d6b9e7c18f669adfdb443906d46cfbaaa0c1", "lessThan": "cfc69c2e6c699c96949f7b0455195b0bfb7dc715", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/i2c/busses/i2c-i801.c"], "versions": [{"version": "6.7", "status": "affected"}, {"version": "0", "lessThan": "6.7", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "7.0-rc3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/9507f9953a2a5647eb42668d0c243fdbd7e72954"}, {"url": "https://git.kernel.org/stable/c/1c72e7b0b442ce21a1348d9b8237cfddb67048eb"}, {"url": "https://git.kernel.org/stable/c/c726273044a5a8308a889d19d6884135c0f3321d"}, {"url": "https://git.kernel.org/stable/c/cfc69c2e6c699c96949f7b0455195b0bfb7dc715"}], "title": "i2c: i801: Revert \"i2c: i801: replace acpi_lock with I2C bus lock\"", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: i801: Revert \"i2c: i801: replace acpi_lock with I2C bus lock\"\n\nThis reverts commit f707d6b9e7c18f669adfdb443906d46cfbaaa0c1.\n\nUnder rare circumstances, multiple udev threads can collect i801 device\ninfo on boot and walk i801_acpi_io_handler somewhat concurrently. The\nfirst will note the area is reserved by acpi to prevent further touches.\nThis ultimately causes the area to be deregistered. The second will\nenter i801_acpi_io_handler after the area is unregistered but before a\ncheck can be made that the area is unregistered. i2c_lock_bus relies on\nthe now unregistered area containing lock_ops to lock the bus. The end\nresult is a kernel panic on boot with the following backtrace;\n\n[ 14.971872] ioatdma 0000:09:00.2: enabling device (0100 -> 0102)\n[ 14.971873] BUG: kernel NULL pointer dereference, address: 0000000000000000\n[ 14.971880] #PF: supervisor read access in kernel mode\n[ 14.971884] #PF: error_code(0x0000) - not-present page\n[ 14.971887] PGD 0 P4D 0\n[ 14.971894] Oops: 0000 [#1] PREEMPT SMP PTI\n[ 14.971900] CPU: 5 PID: 956 Comm: systemd-udevd Not tainted 5.14.0-611.5.1.el9_7.x86_64 #1\n[ 14.971905] Hardware name: XXXXXXXXXXXXXXXXXXXXXXX BIOS 1.20.10.SV91 01/30/2023\n[ 14.971908] RIP: 0010:i801_acpi_io_handler+0x2d/0xb0 [i2c_i801]\n[ 14.971929] Code: 00 00 49 8b 40 20 41 57 41 56 4d 8b b8 30 04 00 00 49 89 ce 41 55 41 89 d5 41 54 49 89 f4 be 02 00 00 00 55 4c 89 c5 53 89 fb <48> 8b 00 4c 89 c7 e8 18 61 54 e9 80 bd 80 04 00 00 00 75 09 4c 3b\n[ 14.971933] RSP: 0018:ffffbaa841483838 EFLAGS: 00010282\n[ 14.971938] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff9685e01ba568\n[ 14.971941] RDX: 0000000000000008 RSI: 0000000000000002 RDI: 0000000000000000\n[ 14.971944] RBP: ffff9685ca22f028 R08: ffff9685ca22f028 R09: ffff9685ca22f028\n[ 14.971948] R10: 000000000000000b R11: 0000000000000580 R12: 0000000000000580\n[ 14.971951] R13: 0000000000000008 R14: ffff9685e01ba568 R15: ffff9685c222f000\n[ 14.971954] FS: 00007f8287c0ab40(0000) GS:ffff96a47f940000(0000) knlGS:0000000000000000\n[ 14.971959] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 14.971963] CR2: 0000000000000000 CR3: 0000000168090001 CR4: 00000000003706f0\n[ 14.971966] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 14.971968] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n[ 14.971972] Call Trace:\n[ 14.971977] <TASK>\n[ 14.971981] ? show_trace_log_lvl+0x1c4/0x2df\n[ 14.971994] ? show_trace_log_lvl+0x1c4/0x2df\n[ 14.972003] ? acpi_ev_address_space_dispatch+0x16e/0x3c0\n[ 14.972014] ? __die_body.cold+0x8/0xd\n[ 14.972021] ? page_fault_oops+0x132/0x170\n[ 14.972028] ? exc_page_fault+0x61/0x150\n[ 14.972036] ? asm_exc_page_fault+0x22/0x30\n[ 14.972045] ? i801_acpi_io_handler+0x2d/0xb0 [i2c_i801]\n[ 14.972061] acpi_ev_address_space_dispatch+0x16e/0x3c0\n[ 14.972069] ? __pfx_i801_acpi_io_handler+0x10/0x10 [i2c_i801]\n[ 14.972085] acpi_ex_access_region+0x5b/0xd0\n[ 14.972093] acpi_ex_field_datum_io+0x73/0x2e0\n[ 14.972100] acpi_ex_read_data_from_field+0x8e/0x230\n[ 14.972106] acpi_ex_resolve_node_to_value+0x23d/0x310\n[ 14.972114] acpi_ds_evaluate_name_path+0xad/0x110\n[ 14.972121] acpi_ds_exec_end_op+0x321/0x510\n[ 14.972127] acpi_ps_parse_loop+0xf7/0x680\n[ 14.972136] acpi_ps_parse_aml+0x17a/0x3d0\n[ 14.972143] acpi_ps_execute_method+0x137/0x270\n[ 14.972150] acpi_ns_evaluate+0x1f4/0x2e0\n[ 14.972158] acpi_evaluate_object+0x134/0x2f0\n[ 14.972164] acpi_evaluate_integer+0x50/0xe0\n[ 14.972173] ? vsnprintf+0x24b/0x570\n[ 14.972181] acpi_ac_get_state.part.0+0x23/0x70\n[ 14.972189] get_ac_property+0x4e/0x60\n[ 14.972195] power_supply_show_property+0x90/0x1f0\n[ 14.972205] add_prop_uevent+0x29/0x90\n[ 14.972213] power_supply_uevent+0x109/0x1d0\n[ 14.972222] dev_uevent+0x10e/0x2f0\n[ 14.972228] uevent_show+0x8e/0x100\n[ 14.972236] dev_attr_show+0x19\n---truncated---"}], "id": "CVE-2026-23369", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:36.347", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1c72e7b0b442ce21a1348d9b8237cfddb67048eb"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9507f9953a2a5647eb42668d0c243fdbd7e72954"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c726273044a5a8308a889d19d6884135c0f3321d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cfc69c2e6c699c96949f7b0455195b0bfb7dc715"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: i2c: i801: Revert \"i2c: i801: replace acpi_lock with I2C bus lock\"", "id": "2451235", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451235"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-367", "details": ["A flaw was found in the Linux kernel's i2c i801 driver. Under rare circumstances, multiple udev threads can concurrently access the i801_acpi_io_handler during system boot. This can lead to a null pointer dereference when the i2c_lock_bus attempts to use an unregistered memory area. A local attacker could potentially exploit this to cause a kernel panic, resulting in a Denial of Service (DoS)."], "name": "CVE-2026-23369", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23369\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23369\nhttps://lore.kernel.org/linux-cve-announce/2026032540-CVE-2026-23369-b6c6@gregkh/T"], "statement": "This flaw affects systems with Intel i801 SMBus controllers during boot. The race between concurrent udev threads accessing i801_acpi_io_handler can cause a NULL pointer dereference when the ACPI region is deregistered while still being accessed. This is a boot-time race condition, not exploitable post-boot.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-03-25T13:50:25.309445+00:00", "value": {"mitigation_remediation": ["Apply the kernel patch that reverts commit f707d6b9, restoring the original ACPI lock mechanism for the i801 driver.", "Upgrade to a kernel version that includes the revert; most recent releases contain the fix.", "If a kernel upgrade is not immediately possible, limit udev activity during boot to a single thread or enforce a locked boot sequence to reduce the chance of the race condition.", "Check your distribution\u2019s security advisories or kernel changelogs for confirmation that the revert has been applied."], "summary": {"action": "Patch kernel", "impact": "Kernel panic causing denial of service"}, "threat_synthesis": {"affected_systems": "The vulnerability resides in the i801 driver code of the Linux kernel. Any kernel build that contains the problematic commit f707d6b9 and has not applied the revert is affected. Because the bug is in core kernel logic, all distributions shipping such a kernel, regardless of hardware, may be impacted. The advisory does not list specific kernel versions, so users must verify whether their current kernel includes the revert or upgrade to a newer release that does.", "description_and_impact": "A race condition in the Linux kernel\u2019s i801 I\u00b2C driver allows concurrent udev threads to tamper with the ACPI I/O region registration during boot, triggering a NULL pointer dereference in i801_acpi_io_handler. The result is a kernel panic that renders the system unbootable. This flaw involves a data\u2011race (CWE\u2011362) leading to a null pointer dereference (CWE\u2011476).", "risk_and_exploitability": "No CVSS or EPSS score is provided, and the vulnerability is not listed in the CISA KEV catalog, indicating limited public exploitation data. Based on the description, it is inferred that the attack vector is local and requires the attacker to influence udev scheduling or trigger simultaneous ACPI accesses during boot. The exploitation leads to a denial of service by halting the system at boot time, rather than privilege escalation or data exfiltration. The overall risk is operational, affecting availability of affected machines. The race condition conditions are described as rare, which may reduce the likelihood of successful exploitation."}}}}, "created": "2026-03-25T21:31:46.756288+00:00", "updated": "2026-03-25T21:31:46.756315+00:00", "vendors": []}