Cyber Posture

CVE-2026-23187

High

Published: 14 February 2026

Published
14 February 2026
Modified
19 March 2026
KEV Added
Patch
CVSS Score 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
EPSS Score 0.0002 4.6th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-23187 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 4.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and 1 other technique.
Threat & Defense Details

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
attack.mitre.org →
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
attack.mitre.org →
Why these techniques?

Out-of-bounds kernel read enables local data disclosure from system memory and system/application exploitation for DoS.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

In the Linux kernel, the following vulnerability has been resolved: pmdomain: imx8m-blk-ctrl: fix out-of-range access of bc->domains Fix out-of-range access of bc->domains in imx8m_blk_ctrl_remove().

Deeper analysisAI

CVE-2026-23187 is a vulnerability in the Linux kernel's pmdomain imx8m-blk-ctrl driver that results in an out-of-range access to the bc->domains array during the imx8m_blk_ctrl_remove() function. This issue, classified under CWE-125 (Out-of-bounds Read), affects systems running vulnerable versions of the Linux kernel that include this power domain controller for i.MX8M processors.

The vulnerability has a CVSS v3.1 base score of 7.1 (High), with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H. A local attacker with low privileges can exploit it with low complexity and no user interaction, potentially leading to high-impact confidentiality loss through unauthorized data disclosure and high-impact availability disruption via denial of service.

Mitigation is provided through upstream patches in the Linux kernel stable tree, as detailed in the following commits: https://git.kernel.org/stable/c/071159ff5c0bf2e5efff79501e23faf3775cbcd1, https://git.kernel.org/stable/c/4390dcdabb5fca4647bf56a5a6b050bbdfa5760f, https://git.kernel.org/stable/c/6bd8b4a92a901fae1a422e6f914801063c345e8d, https://git.kernel.org/stable/c/7842b5dfcac888ece025a2321257d74b2264b099, and https://git.kernel.org/stable/c/eb54ce033b344b531b374496e68a2554b2b56b5a. Security practitioners should update to kernels incorporating these fixes.

Details

CWE(s)
CWE-125

Affected Products

linux
linux kernel
6.19 · 5.16 — 6.1.163 · 6.2 — 6.6.124 · 6.7 — 6.12.70

CVEs Like This One

CVE-2025-71231Same product: Linux Linux Kernel
CVE-2024-58015Same product: Linux Linux Kernel
CVE-2024-52332Same product: Linux Linux Kernel
CVE-2025-71093Same product: Linux Linux Kernel
CVE-2026-23397Same product: Linux Linux Kernel
CVE-2025-21742Same product: Linux Linux Kernel
CVE-2024-58007Same product: Linux Linux Kernel
CVE-2025-71133Same product: Linux Linux Kernel
CVE-2025-21789Same product: Linux Linux Kernel
CVE-2026-23315Same product: Linux Linux Kernel

References