{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23354", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.000Z", "datePublished": "2026-03-25T10:27:38.825Z", "dateUpdated": "2026-03-25T10:27:38.825Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:27:38.825Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fred: Correct speculative safety in fred_extint()\n\narray_index_nospec() is no use if the result gets spilled to the stack, as\nit makes the believed safe-under-speculation value subject to memory\npredictions.\n\nFor all practical purposes, this means array_index_nospec() must be used in\nthe expression that accesses the array.\n\nAs the code currently stands, it's the wrong side of irqentry_enter(), and\n'index' is put into %ebp across the function call.\n\nRemove the index variable and reposition array_index_nospec(), so it's\ncalculated immediately before the array access."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/x86/entry/entry_fred.c"], "versions": [{"version": "14619d912b658ecd9573fb88400d3830a29cadcb", "lessThan": "3bc5887b0a2b06d2d9c22f1f4f8500490b3ae643", "status": "affected", "versionType": "git"}, {"version": "14619d912b658ecd9573fb88400d3830a29cadcb", "lessThan": "e58f1a9b0677de24dcfee0b21393446ec92ff120", "status": "affected", "versionType": "git"}, {"version": "14619d912b658ecd9573fb88400d3830a29cadcb", "lessThan": "92caa5274b99cb6729177232a029ce0dfa6c5f7b", "status": "affected", "versionType": "git"}, {"version": "14619d912b658ecd9573fb88400d3830a29cadcb", "lessThan": "aa280a08e7d8fae58557acc345b36b3dc329d595", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/x86/entry/entry_fred.c"], "versions": [{"version": "6.9", "status": "affected"}, {"version": "0", "lessThan": "6.9", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.9", "versionEndExcluding": "7.0-rc2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/3bc5887b0a2b06d2d9c22f1f4f8500490b3ae643"}, {"url": "https://git.kernel.org/stable/c/e58f1a9b0677de24dcfee0b21393446ec92ff120"}, {"url": "https://git.kernel.org/stable/c/92caa5274b99cb6729177232a029ce0dfa6c5f7b"}, {"url": "https://git.kernel.org/stable/c/aa280a08e7d8fae58557acc345b36b3dc329d595"}], "title": "x86/fred: Correct speculative safety in fred_extint()", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fred: Correct speculative safety in fred_extint()\n\narray_index_nospec() is no use if the result gets spilled to the stack, as\nit makes the believed safe-under-speculation value subject to memory\npredictions.\n\nFor all practical purposes, this means array_index_nospec() must be used in\nthe expression that accesses the array.\n\nAs the code currently stands, it's the wrong side of irqentry_enter(), and\n'index' is put into %ebp across the function call.\n\nRemove the index variable and reposition array_index_nospec(), so it's\ncalculated immediately before the array access."}], "id": "CVE-2026-23354", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:33.963", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/3bc5887b0a2b06d2d9c22f1f4f8500490b3ae643"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/92caa5274b99cb6729177232a029ce0dfa6c5f7b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/aa280a08e7d8fae58557acc345b36b3dc329d595"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e58f1a9b0677de24dcfee0b21393446ec92ff120"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: x86/fred: Correct speculative safety in fred_extint()", "id": "2451232", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451232"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-1037", "details": ["A flaw was found in the Linux kernel. This vulnerability affects the handling of speculative execution, a technique used by modern processors to improve performance. A protection mechanism intended to prevent information leakage can be bypassed when its result is temporarily stored in memory, making it vulnerable to memory prediction attacks. This could allow a local attacker to potentially gain access to sensitive information or circumvent security safeguards."], "name": "CVE-2026-23354", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23354\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23354\nhttps://lore.kernel.org/linux-cve-announce/2026032537-CVE-2026-23354-d9b2@gregkh/T"], "statement": "This flaw affects x86 systems using FRED (Flexible Return and Event Delivery) interrupt handling. The array_index_nospec() protection is ineffective when the sanitized value is spilled to stack before the array access, making it vulnerable to memory prediction attacks. FRED is a newer x86 feature not present on all systems, and exploiting this requires sophisticated speculative execution attacks.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[14619d912b658ecd9573fb88400d3830a29cadcb,3bc5887b0a2b06d2d9c22f1f4f8500490b3ae643)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[14619d912b658ecd9573fb88400d3830a29cadcb,e58f1a9b0677de24dcfee0b21393446ec92ff120)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[14619d912b658ecd9573fb88400d3830a29cadcb,92caa5274b99cb6729177232a029ce0dfa6c5f7b)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[14619d912b658ecd9573fb88400d3830a29cadcb,aa280a08e7d8fae58557acc345b36b3dc329d595)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "6.9"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[0,6.9)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.77,6.13.0]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.17,6.19.0]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.7,7.0.0]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[7.0-rc2,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "analysis": {"en": {"generated_at": "2026-03-26T03:35:32.720505+00:00", "value": {"mitigation_remediation": ["Update the Linux kernel to a version containing the commit e58f1a9b0677de24dcfee0b21393446ec92ff120 or later, or apply the corresponding patch directly to the source code."], "summary": {"action": "Apply Patch", "impact": "Moderate Speculative\u2011Execution Vulnerability in Linux Kernel"}, "threat_synthesis": {"affected_systems": "All Linux kernel implementations are affected until the patch that moves and removes the faulty index variable is incorporated. The CNA lists Linux as the vendor, and no specific version range is supplied, implying that the flaw may exist in multiple kernel releases that have not yet applied the fix.", "description_and_impact": "The fault lies in the handling of speculative execution safety within the x86 Fred module. A misplacement of the array_index_nospec() call allows a speculative read to reference an array index that is not properly validated when the value spills to the stack. This flaw could expose kernel memory contents or corrupt data during interrupt entry handling, potentially impacting confidentiality or integrity of system state. The vulnerability is linked to known weaknesses such as improper bounds checking and speculative execution safety issues.", "risk_and_exploitability": "The CVSS score is 5.5, indicating moderate severity. The EPSS score is below 1%, suggesting a low probability of widespread exploitation. The flaw is not catalogued in CISA\u2019s KEV list. Based on the description, the most probable attack vector would be a local privilege escalation attempt that leverages speculative execution in the kernel, but exact exploitation steps are not detailed in the available materials."}}}}, "created": "2026-03-25T21:32:01.272696+00:00", "updated": "2026-03-26T12:16:03.582100+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}