CVE-2026-23424 - Vulnerability Details

- accel/amdxdna: Validate command buffer payload count

Description

In the Linux kernel, the following vulnerability has been resolved:

accel/amdxdna: Validate command buffer payload count

The count field in the command header is used to determine the valid
payload size. Verify that the valid payload does not exceed the remaining
buffer space.

Published: 2026-04-03

Score: 7.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel contains a flaw in the AMD XDNA acceleration module where the command header field that counts payload items is not bounded against the remaining buffer size. This omission can cause an out-of-bounds write that corrupts adjacent kernel memory. An attacker who can supply malicious commands to the driver could overwrite critical data structures, potentially leading to privilege escalation or system instability. The type of weakness is a classic buffer overflow (CWE-787). The likely attack vector is an attacker with the ability to send crafted commands to the AMD XDNA driver; this is inferred from the description of the vulnerable code path.

Affected Systems

All Linux kernel builds that compile the AMD XDNA acceleration module are affected. The CPE list indicates all Linux kernels, including kernel 6.14 and the 7.0 release candidates rc1 through rc7. Any kernel that contains the vulnerable code before the fix remains at risk.

Risk and Exploitability

The CVSS base score of 7.1 indicates high severity. The EPSS score is less than 1%, and the vulnerability is not listed in CISA’s KEV catalog, suggesting a low probability of large-scale exploitation. Nevertheless, because an attacker could write arbitrary kernel memory if they control command payloads, the potential impact is severe. The vulnerability can be leveraged for privilege escalation if an attacker can interact with the driver; no public exploit is available, but the risk remains theoretical.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`aac243092b707bb3018e951d470cc1a9bcbaba6c`	affected	< 3464e751755172ddbb849c1bd92f5f59e95c59a1
`aac243092b707bb3018e951d470cc1a9bcbaba6c`	affected	< 3ed2ae6b3fe869f99b75afd02045ba5c0c0773e2
`aac243092b707bb3018e951d470cc1a9bcbaba6c`	affected	< 901ec3470994006bc8dd02399e16b675566c3416

Linux

affected

Version	Status	Constraints
`6.14`	affected	—
`0`	unaffected	< 6.14
`6.18.17`	unaffected	≤ 6.18.*
`6.19.7`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.14:-::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc3::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc4::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc5::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc6::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc7::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[aac243092b707bb3018e951d470cc1a9bcbaba6c,3464e751755172ddbb849c1bd92f5f59e95c59a1)`	affected	code_commit	—
`[aac243092b707bb3018e951d470cc1a9bcbaba6c,3ed2ae6b3fe869f99b75afd02045ba5c0c0773e2)`	affected	code_commit	—
`[aac243092b707bb3018e951d470cc1a9bcbaba6c,901ec3470994006bc8dd02399e16b675566c3416)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.14`	affected	generic	—
`[0,6.14)`	unaffected	generic	—
`[6.18.17,6.19.0)`	unaffected	semver	—
`[6.19.7,6.20.0)`	unaffected	semver	—
`[7.0-rc2,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Linux kernel release or vendor patch that contains the fix for CVE-2026-23424
If an immediate kernel upgrade is not possible, disable AMD XDNA acceleration by unloading the module or otherwise restricting access to the device
Monitor kernel logs and system stability for signs of anomalous memory corruption or driver failures, and apply security updates as soon as they become available

Generated by OpenCVE AI on April 28, 2026 at 21:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/3464e751755172ddbb849c1bd92f5f59e95c59a1
https://git.kernel.org/stable/c/3ed2ae6b3fe869f99b75afd02045ba5c0c0773e2
https://git.kernel.org/stable/c/901ec3470994006bc8dd02399e16b675566c3416
https://lore.kernel.org/linux-cve-announce/2026040305-CVE-2026-23424-7b21@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23424
https://www.cve.org/CVERecord?id=CVE-2026-23424

History

Mon, 27 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`	cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H'}`

Thu, 23 Apr 2026 21:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:o:linux:linux_kernel:6.14:-:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc1:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc2:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc3:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc4:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc5:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc6:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc7::::::
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Tue, 07 Apr 2026 08:00:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-119

Sat, 04 Apr 2026 01:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-787
References		https://lore.kernel.org/linux-cve-announce/2026040305-CVE-2026-23424-7b21@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23424 https://www.cve.org/CVERecord?id=CVE-2026-23424

Fri, 03 Apr 2026 21:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-119

Fri, 03 Apr 2026 14:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: accel/amdxdna: Validate command buffer payload count The count field in the command header is used to determine the valid payload size. Verify that the valid payload does not exceed the remaining buffer space.
Title		accel/amdxdna: Validate command buffer payload count
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/3464e751755172ddbb849c1bd92f5f59e95c59a1 https://git.kernel.org/stable/c/3ed2ae6b3fe869f99b75afd02045ba5c0c0773e2 https://git.kernel.org/stable/c/901ec3470994006bc8dd02399e16b675566c3416

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-03T13:24:32.622Z

Updated: 2026-04-27T14:02:16.224Z

Reserved: 2026-01-13T15:37:46.015Z

Link: CVE-2026-23424

Vulnrichment

No data.

NVD

Status : Modified

Published: 2026-04-03T14:16:28.623

Modified: 2026-04-27T14:16:31.757

Link: CVE-2026-23424

Redhat

Severity :

Publid Date: 2026-04-03T00:00:00Z

Links: CVE-2026-23424 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T22:00:14Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object