{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23366", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:46.002Z", "datePublished": "2026-03-25T10:27:48.311Z", "dateUpdated": "2026-03-25T10:27:48.311Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:27:48.311Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/client: Do not destroy NULL modes\n\n'modes' in drm_client_modeset_probe may fail to kcalloc. If this\noccurs, we jump to 'out', calling modes_destroy on it, which\ndereferences it. This may result in a NULL pointer dereference in the\nerror case. Prevent that."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/drm_client_modeset.c"], "versions": [{"version": "3039cc0c0653c6e15130a8719c3237329a954670", "lessThan": "4e3ca5f82346cc23c0a71f1ceb006115ff6b0745", "status": "affected", "versionType": "git"}, {"version": "3039cc0c0653c6e15130a8719c3237329a954670", "lessThan": "9aa3e33f0c7f2679ac599a09e3102c8f716a6321", "status": "affected", "versionType": "git"}, {"version": "3039cc0c0653c6e15130a8719c3237329a954670", "lessThan": "c601fd5414315fc515f746b499110e46272e7243", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/gpu/drm/drm_client_modeset.c"], "versions": [{"version": "6.16", "status": "affected"}, {"version": "0", "lessThan": "6.16", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc2", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.16", "versionEndExcluding": "7.0-rc2"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/4e3ca5f82346cc23c0a71f1ceb006115ff6b0745"}, {"url": "https://git.kernel.org/stable/c/9aa3e33f0c7f2679ac599a09e3102c8f716a6321"}, {"url": "https://git.kernel.org/stable/c/c601fd5414315fc515f746b499110e46272e7243"}], "title": "drm/client: Do not destroy NULL modes", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/client: Do not destroy NULL modes\n\n'modes' in drm_client_modeset_probe may fail to kcalloc. If this\noccurs, we jump to 'out', calling modes_destroy on it, which\ndereferences it. This may result in a NULL pointer dereference in the\nerror case. Prevent that."}], "id": "CVE-2026-23366", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:35.873", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/4e3ca5f82346cc23c0a71f1ceb006115ff6b0745"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/9aa3e33f0c7f2679ac599a09e3102c8f716a6321"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c601fd5414315fc515f746b499110e46272e7243"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: drm/client: Do not destroy NULL modes", "id": "2451257", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451257"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-824", "details": ["A flaw was found in the Linux kernel's Direct Rendering Manager (DRM) client component. This vulnerability occurs when the system attempts to destroy an uninitialized memory pointer, specifically the 'modes' variable within the `drm_client_modeset_probe` function, after a memory allocation failure. This can lead to a NULL pointer dereference, potentially causing system instability or a denial of service."], "name": "CVE-2026-23366", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23366\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23366\nhttps://lore.kernel.org/linux-cve-announce/2026032540-CVE-2026-23366-a7c4@gregkh/T"], "threat_severity": "Low"}

{"analysis": {"en": {"generated_at": "2026-03-25T12:24:51.808695+00:00", "value": {"mitigation_remediation": ["Apply the latest Linux kernel update that includes the drm_client_modeset_probe null dereference fix. The patch can be verified by checking for the updated commit identifiers in the kernel source or by ensuring the distribution\u2019s kernel package is at least the version that contains the fix.", "If a timely kernel update is unavailable, mitigate by disabling the DRM subsystem or the specific driver that performs mode probing until a patch is applied, reducing the exposure window. This can often be done by blacklisting the kernel module or disabling hardware acceleration features that rely on DRM.", "Verify that the update has been successfully deployed by checking the kernel version in /proc/version or using pkginfo/dpkg-rpm to confirm the current kernel release against the vendor\u2019s patched version."], "summary": {"action": "Immediate patch", "impact": "Kernel crash leading to denial of service"}, "threat_synthesis": {"affected_systems": "The fault is present in the Linux kernel across all distributions that include the affected drm_client_modeset_probe implementation. Exact kernel versions are not enumerated in the entry, so any kernel that has not yet been updated with the commit that adds a NULL check is potentially vulnerable. The references point to specific kernel commits that introduced the fix, indicating the vulnerability is tied to the kernel source tree rather than a particular vendor build.", "description_and_impact": "The Linux kernel\u2019s DRM client subsystem can fail to allocate memory for mode information during drm_client_modeset_probe. When this allocation fails, the code mistakenly calls modes_destroy on a null pointer, which dereferences it. This results in a null pointer dereference that crashes the kernel. The vulnerability is a classic example of a null pointer dereference flaw (CWE\u2011476).", "risk_and_exploitability": "The flaw does not have a CVSS score listed, and EPSS data is unavailable, so a precise quantitative risk assessment is not possible from the available information. However, the bug is a kernel\u2011level NULL pointer dereference, which can cause a system crash. Based on the description, it is inferred that the attack requires interaction with the DRM subsystem, implying that an attacker would need local or kernel\u2011level privileges to trigger the failure condition. The vulnerability is not currently listed in CISA\u2019s KEV catalog, suggesting no known public exploits at this time."}}}}, "created": "2026-03-25T21:31:49.722339+00:00", "updated": "2026-03-25T21:31:49.722379+00:00", "vendors": []}