CVE-2026-23236
Published: 04 March 2026
Summary
CVE-2026-23236 is a high-severity an unspecified weakness vulnerability in Linux Linux Kernel. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 1.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SC-39 (Process Isolation).
Deeper analysis
CVE-2026-23236 affects the Linux kernel's fbdev smscufx driver. The vulnerability stems from the UFX_IOCTL_REPORT_DAMAGE ioctl, which fails to properly copy data from userspace to kernelspace and instead directly references the provided user memory. This improper handling can cause issues when invalid data is passed from userspace. The CVE has a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H) and is associated with CWE information not available from NVD.
A local attacker with low privileges required can exploit this vulnerability through low-complexity attacks that require no user interaction. Exploitation could lead to low confidentiality impact, high integrity impact, and high availability impact, potentially allowing memory corruption or denial of service due to mishandling of invalid user data.
Mitigation requires applying upstream Linux kernel patches that correctly copy the ioctl memory to kernelspace before kernel access. Fixes are available in the stable kernel tree via commits such as 061cfeb560aa3ddc174153dbe5be9d0b55eb7248, 0634e8d650993602fc5b389ff7ac525f6542e141, 120adae7b42faa641179270c067864544a50ab69, 1c008ad0f0d1c1523902b9cdb08e404129677bfc, and 52917e265aa5f848212f60fc50fc504d8ef12866, accessible at git.kernel.org/stable.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9408
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: fbdev: smscufx: properly copy ioctl memory to kernelspace The UFX_IOCTL_REPORT_DAMAGE ioctl does not properly copy data from userspace to kernelspace, and instead directly references the memory, which can cause problems…
more
if invalid data is passed from userspace. Fix this all up by correctly copying the memory before accessing it within the kernel.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local kernel ioctl vulnerability enabling memory corruption for privilege escalation from low-privileged user.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and safe copying of untrusted userspace data supplied to the UFX_IOCTL_REPORT_DAMAGE ioctl before kernel use.
Enforces isolation between user processes and kernel address space, blocking direct memory references that enable the reported corruption/DoS.
Applies memory-protection mechanisms that limit the integrity and availability impact when invalid user pointers are dereferenced inside the smscufx driver.