Cyber Resilience

CVE-2026-23221

High

Published: 18 February 2026

Published
18 February 2026
Modified
18 March 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0002 4.7th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-23221 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 4.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-23221 is a use-after-free vulnerability (CWE-416) in the Linux kernel's fsl-mc bus driver, specifically within the driver_override_show() function. The flaw occurs because this function reads the driver_override string without acquiring the device_lock, while the corresponding driver_override_store() function uses driver_set_override() to modify and free the string under the device_lock. This race condition enables a concurrent use-after-free when the store operation frees the string during a show operation. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-02-18.

A local attacker with low privileges can exploit this vulnerability due to its local attack vector, low complexity, and lack of required user interaction. Exploitation involves triggering the race between the show and store operations on the driver_override sysfs attribute, potentially leading to high-impact consequences including unauthorized data access, modification, or denial of service through memory corruption.

Mitigation requires applying upstream kernel patches that fix the issue by holding the device_lock around the read operation in driver_override_show(). Relevant stable kernel commits include https://git.kernel.org/stable/c/148891e95014b5dc5878acefa57f1940c281c431, https://git.kernel.org/stable/c/1d6bd6183e723a7b256ff34bbb5b498b5f4f2ec0, https://git.kernel.org/stable/c/a2ae33e1c6361e960a4d00f7cf75d880b54f9528, https://git.kernel.org/stable/c/b1983840287303e0dfb401b1b6cecc5ea7471e90, and https://git.kernel.org/stable/c/c424e72cfa67e7e1477035058a8a659f2c0ea637. Security practitioners should update affected Linux kernels accordingly.

EU & UK References

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved: bus: fsl-mc: fix use-after-free in driver_override_show() The driver_override_show() function reads the driver_override string without holding the device_lock. However, driver_override_store() uses driver_set_override(), which modifies and frees the string while holding the…

more

device_lock. This can result in a concurrent use-after-free if the string is freed by the store function while being read by the show function. Fix this by holding the device_lock around the read operation.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel UAF race condition directly enables privilege escalation via memory corruption.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23111Same product: Linux Linux Kernel
CVE-2026-31530Same product: Linux Linux Kernel
CVE-2026-43019Same product: Linux Linux Kernel
CVE-2026-23158Same product: Linux Linux Kernel
CVE-2025-21893Same product: Linux Linux Kernel
CVE-2026-31446Same product: Linux Linux Kernel
CVE-2026-31650Same product: Linux Linux Kernel
CVE-2026-23001Same product: Linux Linux Kernel
CVE-2024-50051Same product: Linux Linux Kernel
CVE-2025-21759Same product: Linux Linux Kernel

Affected Assets

linux
linux kernel
5.10 — 5.15.201 · 5.16 — 6.1.164 · 6.2 — 6.6.127

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates CVE-2026-23221 by requiring timely patching of the Linux kernel to fix the use-after-free race condition in the fsl-mc driver_override_show function.

detect

Enables proactive identification of the kernel use-after-free vulnerability through vulnerability scanning and monitoring, allowing for prompt remediation.

prevent

Provides defense-in-depth memory protection mechanisms that mitigate exploitation of the use-after-free flaw in the fsl-mc driver even prior to patching.

References