CVE-2026-23327
Published: 25 March 2026
Summary
CVE-2026-23327 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Credential Access (T1212); ranked at the 4.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely identification, reporting, and correction of flaws like the missing payload size validation in the CXL mailbox code, directly addressed by applying the referenced kernel patches.
Mandates validation of user inputs such as ioctl payloads for size and format before dereferencing, preventing the out-of-bounds read triggered by undersized payloads in cxl_payload_from_user_allowed().
Implements memory safeguards like address space randomization and non-executable memory that mitigate information leakage and exploitation from the kernel slab-out-of-bounds read.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OOB read enables local kernel memory disclosure (credential access via exploitation) and kernel panic (DoS via system exploitation).
NVD Description
In the Linux kernel, the following vulnerability has been resolved: cxl/mbox: validate payload size before accessing contents in cxl_payload_from_user_allowed() cxl_payload_from_user_allowed() casts and dereferences the input payload without first verifying its size. When a raw mailbox command is sent with an…
more
undersized payload (ie: 1 byte for CXL_MBOX_OP_CLEAR_LOG, which expects a 16-byte UUID), uuid_equal() reads past the allocated buffer, triggering a KASAN splat: BUG: KASAN: slab-out-of-bounds in memcmp+0x176/0x1d0 lib/string.c:683 Read of size 8 at addr ffff88810130f5c0 by task syz.1.62/2258 CPU: 2 UID: 0 PID: 2258 Comm: syz.1.62 Not tainted 6.19.0-dirty #3 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0xab/0xe0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xce/0x650 mm/kasan/report.c:482 kasan_report+0xce/0x100 mm/kasan/report.c:595 memcmp+0x176/0x1d0 lib/string.c:683 uuid_equal include/linux/uuid.h:73 [inline] cxl_payload_from_user_allowed drivers/cxl/core/mbox.c:345 [inline] cxl_mbox_cmd_ctor drivers/cxl/core/mbox.c:368 [inline] cxl_validate_cmd_from_user drivers/cxl/core/mbox.c:522 [inline] cxl_send_cmd+0x9c0/0xb50 drivers/cxl/core/mbox.c:643 __cxl_memdev_ioctl drivers/cxl/core/memdev.c:698 [inline] cxl_memdev_ioctl+0x14f/0x190 drivers/cxl/core/memdev.c:713 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl fs/ioctl.c:583 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xa8/0x330 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fdaf331ba79 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fdaf1d77038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fdaf3585fa0 RCX: 00007fdaf331ba79 RDX: 00002000000001c0 RSI: 00000000c030ce02 RDI: 0000000000000003 RBP: 00007fdaf33749df R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fdaf3586038 R14: 00007fdaf3585fa0 R15: 00007ffced2af768 </TASK> Add 'in_size' parameter to cxl_payload_from_user_allowed() and validate the payload is large enough.
Deeper analysisAI
CVE-2026-23327 is an out-of-bounds read vulnerability in the Linux kernel's Compute Express Link (CXL) mailbox implementation, specifically in the cxl_payload_from_user_allowed() function within drivers/cxl/core/mbox.c. The function casts and dereferences an input payload without first verifying its size, allowing an undersized payload—such as a 1-byte input for the CXL_MBOX_OP_CLEAR_LOG operation, which expects a 16-byte UUID—to trigger an out-of-bounds read in uuid_equal(). This results in a KASAN-reported slab-out-of-bounds access, as demonstrated in the provided stack trace from a syzkaller test on kernel version 6.19.0.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N) by sending a raw CXL mailbox command via the cxl_memdev_ioctl() interface with an undersized payload. Successful exploitation leads to high confidentiality impact through unauthorized memory reads and high availability impact by potentially crashing the kernel, as indicated by the CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H) and CWE-125 classification.
The referenced kernel patches mitigate the issue by adding an 'in_size' parameter to cxl_payload_from_user_allowed() and validating that the payload is sufficiently large before accessing its contents. These fixes are available in the stable kernel commits at https://git.kernel.org/stable/c/60b5d1f68338aff2c5af0113f04aefa7169c50c2 and https://git.kernel.org/stable/c/7c8a7b7f063b7e7ae9bba4cbaa14a5d2fe3a55e1; affected systems should update to kernels incorporating these changes.
Details
- CWE(s)