CVE-2026-23323
Published: 25 March 2026
Summary
CVE-2026-23323 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Linux kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). By exploit likelihood it ranks at percentile 4.1 (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires timely remediation of the specific bugs in the macsmc-hwmon driver's sensor population logic and float conversion routines via kernel patches.
Implements runtime memory protection mechanisms such as bounds checking to prevent out-of-bounds writes from incorrect voltage sensor array assignments.
Mitigates flawed exponent logic and unmasked mantissa in float conversion by ensuring error handling does not compromise system integrity during hardware monitoring operations.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local kernel OOB write enables privilege escalation (T1068) and system crashes via exploitation (T1499.004).
NVD Description
In the Linux kernel, the following vulnerability has been resolved:

hwmon: (macsmc) Fix regressions in Apple Silicon SMC hwmon driver

The recently added macsmc-hwmon driver contained several critical bugs in its sensor population logic and float conversion routines. Specifically:

- The voltage sensor population loop used the wrong prefix ("volt-" instead of "voltage-") and incorrectly assigned sensors to the temperature sensor array (hwmon->temp.sensors) instead of the voltage sensor array (hwmon->volt.sensors). This would lead to out-of-bounds memory access or data corruption when both temperature and voltage sensors were present.
- The float conversion in macsmc_hwmon_write_f32() had flawed exponent logic for values >= 2^24 and lacked masking for the mantissa, which could lead to incorrect values being written to the SMC.

Fix these issues to ensure correct sensor registration and reliable manual fan control. Confirm that the reported overflow in FIELD_PREP is fixed by declaring macsmc_hwmon_write_f32() as __always_inline for a compile test.
Deeper analysis
CVE-2026-23323 is a vulnerability in the Linux kernel's macsmc-hwmon driver, which handles hardware monitoring for Apple Silicon systems via the System Management Controller (SMC). The issue stems from regressions in the driver's sensor population logic and float conversion routines. Specifically, the voltage sensor population loop incorrectly used the prefix "volt-" instead of "voltage-" and assigned sensors to the temperature array (hwmon->temp.sensors) rather than the voltage array (hwmon->volt.sensors), potentially causing out-of-bounds memory access or data corruption when both sensor types are present. Additionally, the macsmc_hwmon_write_f32() function had flawed exponent logic for values >= 2^24 and lacked mantissa masking, leading to incorrect values written to the SMC. This is classified as CWE-787 (Out-of-bounds Write) with a CVSS v3.1 score of 7.8.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction required (UI:N). Exploitation involves triggering the faulty sensor registration or float conversion during hardware monitoring operations, such as manual fan control, resulting in out-of-bounds writes, data corruption, or incorrect SMC communications. This achieves high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) within the local scope (AV:L/S:U), potentially enabling privilege escalation, system crashes, or manipulation of hardware sensors on affected Apple Silicon Linux systems.
Mitigation is provided through kernel patches in the stable repository. The fixes, detailed in commits 5dd69b864911ae3847365e8bafe7854e79fbeecb and 625ef35b70d3883fb9a41cd5a988e64dd3e447d6, correct the sensor prefix and array assignments, improve float conversion logic with proper masking and exponent handling, and address a FIELD_PREP overflow by declaring macsmc_hwmon_write_f32() as __always_inline. Security practitioners should update to a patched kernel version supporting the macsmc-hwmon driver on Apple Silicon hardware.
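The two float-conversion properties named above (shift direction for values >= 2^24, and masking the mantissa to its 23-bit field) can be checked in isolation with the following added userspace example. It is not the macsmc-hwmon driver's code: the function names, the unsigned-integer input and the truncating behaviour are assumptions made for illustration, and the sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define F32_MANT_BITS 23
#define F32_MANT_MASK ((1u << F32_MANT_BITS) - 1u)
#define F32_EXP_BIAS  127

/* Index of the highest set bit, or -1 for zero. */
static int highest_bit(uint32_t v)
{
    int n = -1;
    while (v) { v >>= 1; n++; }
    return n;
}

/* Hypothetical helper: unsigned integer -> IEEE-754 binary32 bits (truncating).
 * mask_mantissa = 0 shows what an unmasked mantissa does to the result. */
uint32_t u32_to_f32_bits(uint32_t v, int mask_mantissa)
{
    int msb = highest_bit(v);
    uint32_t mant;

    if (msb < 0)
        return 0;                            /* +0.0 */
    if (msb > F32_MANT_BITS)
        mant = v >> (msb - F32_MANT_BITS);   /* v >= 2^24: shift right */
    else
        mant = v << (F32_MANT_BITS - msb);   /* v < 2^24: shift left */
    if (mask_mantissa)
        mant &= F32_MANT_MASK;               /* drop implicit leading 1 (bit 23) */
    return ((uint32_t)(msb + F32_EXP_BIAS) << F32_MANT_BITS) | mant;
}

/* Reference: the compiler's own conversion, for exactly representable inputs. */
uint32_t f32_bits_ref(uint32_t v)
{
    float f = (float)v;
    uint32_t bits;
    memcpy(&bits, &f, sizeof(bits));
    return bits;
}

int main(void)
{
    uint32_t s[] = { 1, 2, 1000, 1u << 24, (1u << 24) + 2, 1u << 31 }; /* constructed */
    for (size_t i = 0; i < sizeof(s) / sizeof(s[0]); i++)
        printf("%10u masked=%08x unmasked=%08x ref=%08x\n", (unsigned)s[i],
               (unsigned)u32_to_f32_bits(s[i], 1), (unsigned)u32_to_f32_bits(s[i], 0),
               (unsigned)f32_bits_ref(s[i]));
    return 0;
}
```

Without the mask, the implicit leading 1 is OR-ed into the lowest exponent bit, so an input of 2 encodes as 4.0; a field-width check such as FIELD_PREP's rejects exactly this kind of oversized value.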
Details
- CWE(s)