CVE-2026-23221

In the Linux kernel, the following vulnerability has been resolved: bus: fsl-mc: fix use-after-free in driver_override_show() The driver_override_show() function reads the driver_override string without holding the device_lock. However, driver_override_store() uses driver_set_override(), which modifies and frees the string while holding the device_lock. This can result in a concurrent use-after-free if the string is freed by the store function while being read by the show function. Fix this by holding the device_lock around the read operation.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/148891e95014b5dc5878acefa57f1940c281c431	Patch
https://git.kernel.org/stable/c/1d6bd6183e723a7b256ff34bbb5b498b5f4f2ec0	Patch
https://git.kernel.org/stable/c/a2ae33e1c6361e960a4d00f7cf75d880b54f9528	Patch
https://git.kernel.org/stable/c/b1983840287303e0dfb401b1b6cecc5ea7471e90	Patch
https://git.kernel.org/stable/c/c424e72cfa67e7e1477035058a8a659f2c0ea637	Patch
https://git.kernel.org/stable/c/c71dfb7833db7af652ee8f65011f14c97c47405d	Patch
https://git.kernel.org/stable/c/dd8ba8c0c3f3916d4ee1e3a09da9cd5caff5d227	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

History

No history.

Information

Published : 2026-02-18 16:22

Updated : 2026-03-18 14:50

NVD link : CVE-2026-23221

Mitre link : CVE-2026-23221

CVE.ORG link : CVE-2026-23221

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-416

Use After Free

{"id": "CVE-2026-23221", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2026-02-18T16:22:31.820", "references": [{"url": "https://git.kernel.org/stable/c/148891e95014b5dc5878acefa57f1940c281c431", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/1d6bd6183e723a7b256ff34bbb5b498b5f4f2ec0", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/a2ae33e1c6361e960a4d00f7cf75d880b54f9528", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b1983840287303e0dfb401b1b6cecc5ea7471e90", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c424e72cfa67e7e1477035058a8a659f2c0ea637", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c71dfb7833db7af652ee8f65011f14c97c47405d", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/dd8ba8c0c3f3916d4ee1e3a09da9cd5caff5d227", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: fsl-mc: fix use-after-free in driver_override_show()\n\nThe driver_override_show() function reads the driver_override string\nwithout holding the device_lock. However, driver_override_store() uses\ndriver_set_override(), which modifies and frees the string while holding\nthe device_lock.\n\nThis can result in a concurrent use-after-free if the string is freed\nby the store function while being read by the show function.\n\nFix this by holding the device_lock around the read operation."}, {"lang": "es", "value": "Se ha resuelto la siguiente vulnerabilidad en el kernel de Linux:\n\nbus: fsl-mc: correcci\u00f3n de uso despu\u00e9s de liberaci\u00f3n en driver_override_show()\n\nLa funci\u00f3n driver_override_show() lee la cadena driver_override sin mantener el device_lock. Sin embargo, driver_override_store() utiliza driver_set_override(), que modifica y libera la cadena mientras mantiene el device_lock.\n\nEsto puede resultar en un uso despu\u00e9s de liberaci\u00f3n concurrente si la cadena es liberada por la funci\u00f3n store mientras es le\u00edda por la funci\u00f3n show.\n\nSolucionar esto manteniendo el device_lock alrededor de la operaci\u00f3n de lectura."}], "lastModified": "2026-03-18T14:50:04.377", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "99A7FD63-65A5-4FBC-ADC3-8C52BBF74B23", "versionEndExcluding": "5.15.201", "versionStartIncluding": "5.10"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6892F74B-3F14-4500-9652-24A2ECB04144", "versionEndExcluding": "6.1.164", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4A9F36A3-A685-48A0-84B4-6217052BD058", "versionEndExcluding": "6.6.127", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C2968F55-D03F-42BE-A694-F0A37BC8CBE3", "versionEndExcluding": "6.12.74", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7099A9EC-3D54-4424-BF01-7224EF88C79C", "versionEndExcluding": "6.18.11", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EE543C0D-A06B-414F-A403-CB1E088F261E", "versionEndExcluding": "6.19.1", "versionStartIncluding": "6.19"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}