CVE-2026-23221
Published: 18 February 2026
Summary
CVE-2026-23221 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 4.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CVE-2026-23221 by requiring timely patching of the Linux kernel to fix the use-after-free race condition in the fsl-mc driver_override_show function.
Enables proactive identification of the kernel use-after-free vulnerability through vulnerability scanning and monitoring, allowing for prompt remediation.
Provides defense-in-depth memory protection mechanisms that mitigate exploitation of the use-after-free flaw in the fsl-mc driver even prior to patching.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel UAF race condition directly enables privilege escalation via memory corruption.
NVD Description
In the Linux kernel, the following vulnerability has been resolved: bus: fsl-mc: fix use-after-free in driver_override_show() The driver_override_show() function reads the driver_override string without holding the device_lock. However, driver_override_store() uses driver_set_override(), which modifies and frees the string while holding the…
more
device_lock. This can result in a concurrent use-after-free if the string is freed by the store function while being read by the show function. Fix this by holding the device_lock around the read operation.
Deeper analysisAI
CVE-2026-23221 is a use-after-free vulnerability (CWE-416) in the Linux kernel's fsl-mc bus driver, specifically within the driver_override_show() function. The flaw occurs because this function reads the driver_override string without acquiring the device_lock, while the corresponding driver_override_store() function uses driver_set_override() to modify and free the string under the device_lock. This race condition enables a concurrent use-after-free when the store operation frees the string during a show operation. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-02-18.
A local attacker with low privileges can exploit this vulnerability due to its local attack vector, low complexity, and lack of required user interaction. Exploitation involves triggering the race between the show and store operations on the driver_override sysfs attribute, potentially leading to high-impact consequences including unauthorized data access, modification, or denial of service through memory corruption.
Mitigation requires applying upstream kernel patches that fix the issue by holding the device_lock around the read operation in driver_override_show(). Relevant stable kernel commits include https://git.kernel.org/stable/c/148891e95014b5dc5878acefa57f1940c281c431, https://git.kernel.org/stable/c/1d6bd6183e723a7b256ff34bbb5b498b5f4f2ec0, https://git.kernel.org/stable/c/a2ae33e1c6361e960a4d00f7cf75d880b54f9528, https://git.kernel.org/stable/c/b1983840287303e0dfb401b1b6cecc5ea7471e90, and https://git.kernel.org/stable/c/c424e72cfa67e7e1477035058a8a659f2c0ea637. Security practitioners should update affected Linux kernels accordingly.
Details
- CWE(s)