CVE-2026-23433 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

arm_mpam: Fix null pointer dereference when restoring bandwidth counters

When an MSC supporting memory bandwidth monitoring is brought offline and
then online, mpam_restore_mbwu_state() calls __ris_msmon_read() via ipi to
restore the configuration of the bandwidth counters. It doesn't care about
the value read, mbwu_arg.val, and doesn't set it leading to a null pointer
dereference when __ris_msmon_read() adds to it. This results in a kernel
oops with a call trace such as:

Call trace:
__ris_msmon_read+0x19c/0x64c (P)
mpam_restore_mbwu_state+0xa0/0xe8
smp_call_on_cpu_callback+0x1c/0x38
process_one_work+0x154/0x4b4
worker_thread+0x188/0x310
kthread+0x11c/0x130
ret_from_fork+0x10/0x20

Provide a local variable for val to avoid __ris_msmon_read() dereferencing
a null pointer when adding to val.

Published: 2026-04-03

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A null pointer dereference occurs in the Linux kernel when restoring memory bandwidth counter state on systems that support the ARM MPAM feature. The bug manifests as a kernel oops and a call trace referencing __ris_msmon_read and mpam_restore_mbwu_state. The failure results in a sudden interruption of kernel operations and, consequently, a denial of service to the affected system. Based on the description, it is inferred that the vulnerability requires local execution or privileged manipulation of kernel state; there is no evidence of a remote attack vector.

Affected Systems

The affected systems are Linux kernel installations that include support for ARM Multi‑Policy Adaptive Memory (MPAM). In particular, any kernel version that implements mpam_restore_mbwu_state and __ris_msmon_read without the local val variable patch is vulnerable. The specific kernel releases are not enumerated in the available data, so all unpatched ARM kernel builds should be considered at risk.

Risk and Exploitability

The CVSS score is not provided, but the impact is a kernel crash, which can be classified as high severity for availability. The EPSS score is not available and the vulnerability is not listed in CISA's KEV catalog, suggesting limited known exploitation. Attackers would need locality or elevated privileges to force the problematic state transition, making exploitation more difficult. Nevertheless, the risk remains significant for systems that rely on continuous operation, as an unpatched kernel could be forced into a crash through manipulation of memory bandwidth monitoring.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`41e8a14950e1732af51cfec8fa09f8ded02a5ca9`	affected	< ac3e12bc195786d3d44d730b5b2259fd36191848
`41e8a14950e1732af51cfec8fa09f8ded02a5ca9`	affected	< 4ad79c874e53ebb7fe3b8ae7ac6c858a2121f415

Linux

affected

Version	Status	Constraints
`6.19`	affected	—
`0`	unaffected	< 6.19
`6.19.10`	unaffected	≤ 6.19.*
`7.0-rc5`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[41e8a14950e1732af51cfec8fa09f8ded02a5ca9,ac3e12bc195786d3d44d730b5b2259fd36191848)`	affected	code_commit	—
`[41e8a14950e1732af51cfec8fa09f8ded02a5ca9,4ad79c874e53ebb7fe3b8ae7ac6c858a2121f415)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.19`	affected	generic	—
`[0,6.19)`	unaffected	generic	—
`[6.19.10,6.20.0)`	unaffected	semver	—
`[7.0-rc5,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Verify that the running kernel includes the patch that introduces a local variable for mbwu_arg.val during MPAM restore.

Generated by OpenCVE AI on April 3, 2026 at 18:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/4ad79c874e53ebb7fe3b8ae7ac6c858a2121f415
https://git.kernel.org/stable/c/ac3e12bc195786d3d44d730b5b2259fd36191848
https://lore.kernel.org/linux-cve-announce/2026040311-CVE-2026-23433-01be@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-23433
https://www.cve.org/CVERecord?id=CVE-2026-23433

History

Sat, 04 Apr 2026 01:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476
References		https://lore.kernel.org/linux-cve-announce/2026040311-CVE-2026-23433-01be@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-23433 https://www.cve.org/CVERecord?id=CVE-2026-23433

Fri, 03 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: arm_mpam: Fix null pointer dereference when restoring bandwidth counters When an MSC supporting memory bandwidth monitoring is brought offline and then online, mpam_restore_mbwu_state() calls __ris_msmon_read() via ipi to restore the configuration of the bandwidth counters. It doesn't care about the value read, mbwu_arg.val, and doesn't set it leading to a null pointer dereference when __ris_msmon_read() adds to it. This results in a kernel oops with a call trace such as: Call trace: __ris_msmon_read+0x19c/0x64c (P) mpam_restore_mbwu_state+0xa0/0xe8 smp_call_on_cpu_callback+0x1c/0x38 process_one_work+0x154/0x4b4 worker_thread+0x188/0x310 kthread+0x11c/0x130 ret_from_fork+0x10/0x20 Provide a local variable for val to avoid __ris_msmon_read() dereferencing a null pointer when adding to val.
Title		arm_mpam: Fix null pointer dereference when restoring bandwidth counters
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/4ad79c874e53ebb7fe3b8ae7ac6c858a2121f415 https://git.kernel.org/stable/c/ac3e12bc195786d3d44d730b5b2259fd36191848

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-03T15:15:18.757Z

Updated: 2026-04-03T15:15:18.757Z

Reserved: 2026-01-13T15:37:46.016Z

Link: CVE-2026-23433

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-03T16:16:24.777

Modified: 2026-04-03T16:16:24.777

Link: CVE-2026-23433

Redhat

Severity :

Publid Date: 2026-04-03T00:00:00Z

Links: CVE-2026-23433 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T21:16:18Z

Weaknesses

CWE-476

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object