{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23288", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.992Z", "datePublished": "2026-03-25T10:26:47.458Z", "dateUpdated": "2026-03-25T10:26:47.458Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:26:47.458Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/amdxdna: Fix out-of-bounds memset in command slot handling\n\nThe remaining space in a command slot may be smaller than the size of\nthe command header. Clearing the command header with memset() before\nverifying the available slot space can result in an out-of-bounds write\nand memory corruption.\n\nFix this by moving the memset() call after the size validation."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/accel/amdxdna/aie2_message.c"], "versions": [{"version": "13ae1a6000f7d8b09478e3128e87d45e89c7282f", "lessThan": "cca770d710d5e03bc814af585cd6975eb6d74074", "status": "affected", "versionType": "git"}, {"version": "3d32eb7a5ecff92d83a5fd34c45c171c17d3d5d0", "lessThan": "1110a949675ebd56b3f0286e664ea543f745801c", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/accel/amdxdna/aie2_message.c"], "versions": [{"version": "7.0-rc1", "status": "affected"}, {"version": "0", "lessThan": "7.0-rc1", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19.4", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0-rc1", "versionEndExcluding": "7.0-rc2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/cca770d710d5e03bc814af585cd6975eb6d74074"}, {"url": "https://git.kernel.org/stable/c/1110a949675ebd56b3f0286e664ea543f745801c"}], "title": "accel/amdxdna: Fix out-of-bounds memset in command slot handling", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/amdxdna: Fix out-of-bounds memset in command slot handling\n\nThe remaining space in a command slot may be smaller than the size of\nthe command header. Clearing the command header with memset() before\nverifying the available slot space can result in an out-of-bounds write\nand memory corruption.\n\nFix this by moving the memset() call after the size validation."}], "id": "CVE-2026-23288", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:23.767", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1110a949675ebd56b3f0286e664ea543f745801c"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/cca770d710d5e03bc814af585cd6975eb6d74074"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: accel/amdxdna: Fix out-of-bounds memset in command slot handling", "id": "2451274", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451274"}, "csaw": false, "cwe": "CWE-131", "details": ["A flaw was found in the Linux kernel's accel/amdxdna component. This vulnerability occurs when clearing a command header with `memset()` before verifying the available slot space, which can be smaller than the header size. This can lead to an out-of-bounds write and memory corruption. An attacker could potentially exploit this to cause a denial of service or other unpredictable system behavior."], "name": "CVE-2026-23288", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23288\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23288\nhttps://lore.kernel.org/linux-cve-announce/2026032524-CVE-2026-23288-1d11@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[13ae1a6000f7d8b09478e3128e87d45e89c7282f,cca770d710d5e03bc814af585cd6975eb6d74074)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[3d32eb7a5ecff92d83a5fd34c45c171c17d3d5d0,1110a949675ebd56b3f0286e664ea543f745801c)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "7.0-rc1"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,7.0-rc1)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0-rc2,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-03-26T04:37:40.092021+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version that incorporates the accel/amdxdna out\u2011of\u2011bounds memset fix", "Verify that the running kernel version is not affected by reviewing the release notes or kernel source for the patch reference"], "summary": {"action": "Apply Patch", "impact": "Arbitrary kernel memory corruption"}, "threat_synthesis": {"affected_systems": "Linux kernels that load the accel/amdxdna acceleration driver are affected. No specific kernel version numbers are mentioned, so any kernel containing this driver before the patch is potentially vulnerable whenever the driver is enabled.", "description_and_impact": "The Linux kernel\u2019s accel/amdxdna driver contains an out\u2011of\u2011bounds call to memset that clears a command header before verifying that the remaining space in a command slot is sufficient. This flaw allows the memset to write beyond the intended buffer boundary, resulting in kernel memory corruption and the buffer overflow is classified as CWE\u2011131.", "risk_and_exploitability": "EPSS is below 1\u202f% and the flaw is not listed in the CISA KEV catalog, indicating a low probability of exploitation. Exploitation appears to require local access to the driver\u2019s command slot handling, so attackers would need the ability to interact with or control the driver. Because the description does not specify the exact impact of the memory corruption, the real risk depends on whether an attacker can manipulate the driver; in environments where the driver is disabled or the system is not exposed to such interaction, the risk is minimal."}}}}, "created": "2026-03-25T21:15:42.288140+00:00", "updated": "2026-03-26T12:17:29.919888+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}