CVE-2026-23288
Published: 25 March 2026
Summary
CVE-2026-23288 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 6.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-23288 is a memory corruption vulnerability in the Linux kernel's accel/amdxdna driver, which handles command slots for AMD XDNA accelerators. The issue arises when the remaining space in a command slot is smaller than the size of the command header, but a memset() operation clears the header before validating the available slot space. This leads to an out-of-bounds write, potentially corrupting adjacent memory.
A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Successful exploitation enables high-impact confidentiality, integrity, and availability violations, such as arbitrary code execution, privilege escalation, or system denial of service through memory corruption.
The provided patch commits on git.kernel.org address the issue by relocating the memset() call to after the size validation check, ensuring the operation only occurs when sufficient slot space is confirmed. The fixes are available at https://git.kernel.org/stable/c/1110a949675ebd56b3f0286e664ea543f745801c and https://git.kernel.org/stable/c/cca770d710d5e03bc814af585cd6975eb6d74074.
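The ordering problem and its fix, as an added example that is not code from the kernel or the linked commits: the slot layout, `struct cmd_hdr`, the guard region, `HDR_FITS` and both function names are hypothetical, and the guard bytes stand in for memory adjacent to the slot.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical layout for illustration; not the amdxdna driver's structures. */
#define SLOT_SIZE  64
#define GUARD_SIZE 16    /* stands in for memory adjacent to the slot */
#define GUARD_BYTE 0xA5
struct cmd_hdr { uint32_t opcode, count, flags, len; };    /* 16 bytes */
struct arena { unsigned char buf[SLOT_SIZE + GUARD_SIZE]; };
#define HDR_FITS(off) ((off) <= SLOT_SIZE && SLOT_SIZE - (off) >= sizeof(struct cmd_hdr))

static void arena_init(struct arena *a)
{
    memset(a->buf, 0xFF, SLOT_SIZE);
    memset(a->buf + SLOT_SIZE, GUARD_BYTE, GUARD_SIZE);
}

/* Returns 1 if a write left the slot and changed a guard byte. */
static int guard_damaged(const struct arena *a)
{
    for (size_t i = 0; i < GUARD_SIZE; i++)
        if (a->buf[SLOT_SIZE + i] != GUARD_BYTE)
            return 1;
    return 0;
}

/* Buggy order: clear the header, then validate. Demo offsets stay <= SLOT_SIZE. */
static int fill_hdr_clear_first(struct arena *a, size_t offset)
{
    memset(a->buf + offset, 0, sizeof(struct cmd_hdr));  /* can run past the slot */
    return HDR_FITS(offset) ? 0 : -1;                    /* rejected too late */
}

/* Fixed order: validate the remaining space, then clear. */
static int fill_hdr_check_first(struct arena *a, size_t offset)
{
    if (!HDR_FITS(offset))
        return -1;
    memset(a->buf + offset, 0, sizeof(struct cmd_hdr));
    return 0;
}

int main(void)
{
    struct arena a, b;
    arena_init(&a); arena_init(&b);
    fill_hdr_clear_first(&a, SLOT_SIZE - 8);   /* 8 bytes left: a's guard is overwritten */
    fill_hdr_check_first(&b, SLOT_SIZE - 8);   /* rejected before any write */
    return !(guard_damaged(&a) && !guard_damaged(&b));
}
```

Both functions return the same error for the short slot; only the guard bytes show that the clear-first order had already written outside it.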
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-15216
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved:

accel/amdxdna: Fix out-of-bounds memset in command slot handling

The remaining space in a command slot may be smaller than the size of the command header. Clearing the command header with memset() before verifying the available slot space can result in an out-of-bounds write and memory corruption. Fix this by moving the memset() call after the size validation.
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
Local memory corruption in kernel driver directly enables privilege escalation via out-of-bounds write leading to arbitrary code execution.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Timely remediation through kernel patching directly eliminates the out-of-bounds memset vulnerability in the amdxdna driver.
Memory protection mechanisms such as KASLR and SMEP prevent exploitation of memory corruption via out-of-bounds writes in kernel drivers.
Validating command slot inputs, including size checks before memory operations, addresses the root cause of insufficient space validation leading to corruption.