Description
In the Linux kernel, the following vulnerability has been resolved:

platform/x86: dell-wmi-sysman: Don't hex dump plaintext password data

set_new_password() hex dumps the entire buffer, which contains plaintext
password data, including current and new passwords. Remove the hex dump
to avoid leaking credentials.
Published: 2026-03-25
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Credential Exposure
Action: Apply Patch
AI Analysis

Impact

In the Linux kernel, a flaw in the Dell WMI Sysman driver causes the set_new_password() routine to hex‑dump the entire password buffer, exposing plaintext current and new passwords. This demonstrates an insecure handling of sensitive credential data (CWE‑256) that could allow an attacker to retrieve user passwords through the kernel's debug output.

Affected Systems

The vulnerability affects the Linux kernel across all platforms where the Dell WMI Sysman driver is compiled. No specific kernel releases are enumerated, so it applies broadly to any install of the affected driver.

Risk and Exploitability

The CVSS score of 4.4 indicates a moderate severity, and the EPSS score of less than 1% suggests the likelihood of exploitation is low. The CVE is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation would require local access to the system with sufficient privileges to trigger the set_new_password() routine, likely through a WMI interface on Dell hardware. The attack vector is inferred as local privilege escalation rather than remote exploitation.

Generated by OpenCVE AI on March 26, 2026 at 14:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that removes the hex dump in set_new_password().
  • Verify that the updated kernel contains the patch by checking the commit references or the kernel version string.

Generated by OpenCVE AI on March 26, 2026 at 14:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
References

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-256
References
Metrics threat_severity

None

 cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Wed, 25 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: platform/x86: dell-wmi-sysman: Don't hex dump plaintext password data set_new_password() hex dumps the entire buffer, which contains plaintext password data, including current and new passwords. Remove the hex dump to avoid leaking credentials.
Title platform/x86: dell-wmi-sysman: Don't hex dump plaintext password data
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-04-18T08:58:17.507Z

Reserved: 2026-01-13T15:37:46.003Z

Link: CVE-2026-23370

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T11:16:36.527

Modified: 2026-04-18T09:16:21.970

Link: CVE-2026-23370

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-25T00:00:00Z

Links: CVE-2026-23370 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:49:09Z

Weaknesses