CVE-2026-23253
Published: 18 March 2026
Summary
CVE-2026-23253 is a high-severity vulnerability in the Linux kernel; its weakness type is unspecified. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 7.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-23253 is a vulnerability in the Linux kernel's media subsystem, specifically the dvb-core component handling Digital Video Broadcasting (DVB) devices. The issue arises in the dvb_dvr_open() function, which incorrectly calls dvb_ringbuffer_init() when a new reader opens a DVR device. This reinitializes the shared waitqueue head via init_waitqueue_head(), emptying the list and orphaning existing entries from io_uring poll or epoll operations. These orphaned entries retain stale prev/next pointers, potentially leading to memory corruption or other undefined behavior. The vulnerability affects systems with DVB support enabled in the kernel.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction required (UI:N), achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), as scored by CVSS 3.1 at 7.8. Exploitation involves reopening a DVR device in a scenario where other processes are using io_uring poll or epoll on the shared dvbdev->dvr_buffer.queue waitqueue, triggering the faulty reinitialization and disrupting waitqueue integrity.
Kernel stable patch commits referenced in the advisory resolve the issue by replacing the dvb_ringbuffer_init() call in dvb_dvr_open() with direct assignments to the buffer data pointer, size, and read/write positions, followed by dvb_ringbuffer_reset(). This approach properly resets pread, pwrite, and error states with correct memory ordering while preserving the waitqueue and spinlock, which are initialized once in dvb_dmxdev_init(). Affected users should apply these upstream stable kernel patches.
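The difference between the pre-patch and patched open paths, shown as an added userspace C model (not kernel source and not part of the advisory). The struct and helper names are simplified stand-ins assumed for illustration.

```c
/* Userspace model, added for illustration; not kernel source. The structs and
 * helpers are simplified stand-ins for list_head, wait_queue_head and dvb_ringbuffer. */
#include <stddef.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };
struct ringbuf {                       /* models struct dvb_ringbuffer */
    unsigned char *data;
    size_t size, pread, pwrite;
    int error;
    struct list_head queue;            /* models the shared waitqueue head */
};

static void init_head(struct list_head *h) { h->next = h->prev = h; }
static void add_waiter(struct list_head *h, struct list_head *w) {
    w->next = h->next; w->prev = h;
    h->next->prev = w; h->next = w;
}
/* Fixed open path: assign data/size and reset positions, leave queue alone. */
static void rb_reopen_fixed(struct ringbuf *rb, unsigned char *d, size_t len) {
    rb->data = d; rb->size = len;
    rb->pread = rb->pwrite = 0; rb->error = 0;
}
/* Models dvb_ringbuffer_init(): same reset plus a fresh {self, self} head. */
static void rb_init(struct ringbuf *rb, unsigned char *d, size_t len) {
    rb_reopen_fixed(rb, d, len);
    init_head(&rb->queue);
}
static int reachable(const struct list_head *h, const struct list_head *w) {
    for (const struct list_head *p = h->next; p != h; p = p->next)
        if (p == w) return 1;
    return 0;
}
/* Bit 0: head still links the waiter. Bit 1: waiter still points at the head.
 * A result of 2 is the orphaned entry with stale prev/next pointers. */
static int reopen_state(int use_fixed_path) {
    static unsigned char buf1[64], buf2[64];
    struct ringbuf rb; struct list_head waiter;
    rb_init(&rb, buf1, sizeof buf1);          /* one-time init */
    add_waiter(&rb.queue, &waiter);           /* poll entry from a first open */
    if (use_fixed_path) rb_reopen_fixed(&rb, buf2, sizeof buf2);
    else                rb_init(&rb, buf2, sizeof buf2);   /* pre-patch reopen */
    return reachable(&rb.queue, &waiter)
         | ((waiter.prev == &rb.queue && waiter.next == &rb.queue) << 1);
}
int main(void) {
    printf("pre-patch reopen: %d, fixed reopen: %d\n", reopen_state(0), reopen_state(1));
    return 0;
}
```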
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-12860
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:
media: dvb-core: fix wrong reinitialization of ringbuffer on reopen
dvb_dvr_open() calls dvb_ringbuffer_init() when a new reader opens the DVR device. dvb_ringbuffer_init() calls init_waitqueue_head(), which reinitializes the waitqueue list head to empty. Since dmxdev->dvr_buffer.queue is a shared waitqueue (all opens of the same DVR device share it), this orphans any existing waitqueue entries from io_uring poll or epoll, leaving them with stale prev/next pointers while the list head is reset to {self, self}.
The waitqueue and spinlock in dvr_buffer are already properly initialized once in dvb_dmxdev_init(). The open path only needs to reset the buffer data pointer, size, and read/write positions.
Replace the dvb_ringbuffer_init() call in dvb_dvr_open() with direct assignment of data/size and a call to dvb_ringbuffer_reset(), which properly resets pread, pwrite, and error with correct memory ordering without touching the waitqueue or spinlock.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel memory corruption in dvb_dvr_open() directly enables privilege escalation via waitqueue manipulation and io_uring/epoll interactions.
Mitigating Controls (NIST 800-53 r5)
Timely remediation through applying upstream kernel stable patches directly resolves the improper waitqueue reinitialization in dvb_dvr_open() that orphans epoll/io_uring entries.
Restricting kernel to least functionality by disabling unnecessary DVB support prevents exposure to the DVR device vulnerability on systems without DVB requirements.
Vulnerability scanning identifies the Linux kernel flaw in dvb-core, enabling prioritization of remediation for affected DVB-enabled systems.