CVE-2026-23253

Severity: High (updated)
Published: 18 March 2026
Modified: 01 June 2026
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (7.7th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-23253 is a high-severity vulnerability in the Linux kernel; no weakness class (CWE) is specified. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 7.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-23253 is a vulnerability in the Linux kernel's media subsystem, specifically the dvb-core component handling Digital Video Broadcasting (DVB) devices. The issue arises in the dvb_dvr_open() function, which incorrectly calls dvb_ringbuffer_init() when a new reader opens a DVR device. This reinitializes the shared waitqueue head via init_waitqueue_head(), emptying the list and orphaning existing entries from io_uring poll or epoll operations. These orphaned entries retain stale prev/next pointers, potentially leading to memory corruption or other undefined behavior. The vulnerability affects systems with DVB support enabled in the kernel.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N), with high impact on confidentiality, integrity, and availability (C:H/I:H/A:H); CVSS 3.1 scores it at 7.8. Exploitation involves reopening a DVR device while other processes are using io_uring poll or epoll on the shared dmxdev->dvr_buffer.queue waitqueue, which triggers the faulty reinitialization and breaks waitqueue integrity.

Kernel stable patch commits referenced in the advisory resolve the issue by replacing the dvb_ringbuffer_init() call in dvb_dvr_open() with direct assignments to the buffer data pointer, size, and read/write positions, followed by dvb_ringbuffer_reset(). This approach properly resets pread, pwrite, and error states with correct memory ordering while preserving the waitqueue and spinlock, which are initialized once in dvb_dmxdev_init(). Affected users should apply these upstream stable kernel patches.
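The reinitialization bug and the fix described above, modelled in user space as an added example (not kernel code and not the upstream patch). `struct model_rb`, `model_init`, `model_reset` and the list helpers are simplified stand-ins assumed here for `dvb_ringbuffer_init()`, `dvb_ringbuffer_reset()` and the kernel's waitqueue list; locking and memory ordering are omitted.

```c
/* User-space model: re-running the queue initializer on reopen orphans
 * a waiter that is already linked into the shared list. */
#include <stdio.h>
#include <stddef.h>

struct list_head { struct list_head *next, *prev; };
struct model_rb {                     /* stand-in for the DVR ring buffer */
    unsigned char *data; size_t size, pread, pwrite; int error;
    struct list_head queue;           /* shared by every open of the device */
};

static void list_init(struct list_head *h) { h->next = h; h->prev = h; }
static void list_add(struct list_head *e, struct list_head *h) {
    e->next = h->next; e->prev = h;
    h->next->prev = e; h->next = e;
}

/* Fixed open path: reset positions and error only, queue untouched. */
static void model_reset(struct model_rb *rb) {
    rb->pread = rb->pwrite = 0; rb->error = 0;
}

/* Pre-fix open path: full init, which also re-initializes the queue head. */
static void model_init(struct model_rb *rb, unsigned char *d, size_t n) {
    rb->data = d; rb->size = n;
    model_reset(rb);
    list_init(&rb->queue);            /* head becomes {self, self} */
}

/* Returns 1 if a wake-up walking the list from the head would reach e. */
static int reachable(const struct list_head *h, const struct list_head *e) {
    for (const struct list_head *p = h->next; p != h; p = p->next)
        if (p == e) return 1;
    return 0;
}

/* One-time init, a poller queues itself, then a second reader opens.
 * *stale is set to 1 when the waiter's neighbour no longer links back. */
int waiter_survives_reopen(int fixed, int *stale) {
    static unsigned char mem[64];
    struct model_rb rb; struct list_head waiter;
    model_init(&rb, mem, sizeof mem);         /* device setup, done once */
    list_add(&waiter, &rb.queue);             /* epoll / io_uring poll entry */
    if (fixed) { rb.data = mem; rb.size = sizeof mem; model_reset(&rb); }
    else       model_init(&rb, mem, sizeof mem);
    *stale = (waiter.prev->next != &waiter);  /* list-consistency check */
    return reachable(&rb.queue, &waiter);
}

int main(void) {
    for (int f = 0; f < 2; f++) { int s, ok = waiter_survives_reopen(f, &s);
        printf("fixed=%d reachable=%d stale=%d\n", f, ok, s); }
    return 0;
}
```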

Vulnerability details

In the Linux kernel, the following vulnerability has been resolved:

media: dvb-core: fix wrong reinitialization of ringbuffer on reopen

dvb_dvr_open() calls dvb_ringbuffer_init() when a new reader opens the DVR device. dvb_ringbuffer_init() calls init_waitqueue_head(), which reinitializes the waitqueue list head to empty. Since dmxdev->dvr_buffer.queue is a shared waitqueue (all opens of the same DVR device share it), this orphans any existing waitqueue entries from io_uring poll or epoll, leaving them with stale prev/next pointers while the list head is reset to {self, self}.

The waitqueue and spinlock in dvr_buffer are already properly initialized once in dvb_dmxdev_init(). The open path only needs to reset the buffer data pointer, size, and read/write positions.

Replace the dvb_ringbuffer_init() call in dvb_dvr_open() with direct assignment of data/size and a call to dvb_ringbuffer_reset(), which properly resets pread, pwrite, and error with correct memory ordering without touching the waitqueue or spinlock.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local kernel memory corruption in dvb_dvr_open() directly enables privilege escalation via waitqueue manipulation and io_uring/epoll interactions.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71152 (same product: Linux Linux Kernel)
CVE-2026-23111 (same product: Linux Linux Kernel)
CVE-2026-31530 (same product: Linux Linux Kernel)
CVE-2026-23387 (same product: Linux Linux Kernel)
CVE-2025-21856 (same product: Linux Linux Kernel)
CVE-2025-21727 (same product: Linux Linux Kernel)
CVE-2026-23275 (same product: Linux Linux Kernel)
CVE-2026-31401 (same product: Linux Linux Kernel)
CVE-2024-57980 (same product: Linux Linux Kernel)
CVE-2026-23437 (same product: Linux Linux Kernel)

Affected Assets

linux
linux kernel
7.0 · 2.6.17 — 5.10.253 · 5.11 — 5.15.203 · 5.16 — 6.1.167

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Timely remediation through applying upstream kernel stable patches directly resolves the improper waitqueue reinitialization in dvb_dvr_open() that orphans epoll/io_uring entries.

Prevent: Restricting kernel to least functionality by disabling unnecessary DVB support prevents exposure to the DVR device vulnerability on systems without DVB requirements.

Detect: Vulnerability scanning identifies the Linux kernel flaw in dvb-core, enabling prioritization of remediation for affected DVB-enabled systems.
