PatchSiren

CVE-2026-23253 Linux CVE debrief

A use-after-free vulnerability exists in the Linux kernel's DVB (Digital Video Broadcasting) core subsystem, specifically in the DVR (Digital Video Recorder) device open path. When a new reader opens the DVR device via `dvb_dvr_open()`, the function incorrectly calls `dvb_ringbuffer_init()`, which reinitializes a shared waitqueue list head to empty. This waitqueue is shared across all open instances of the same DVR device. The reinitialization orphans existing waitqueue entries from `io_uring` poll or `epoll`, leaving them with stale `prev`/`next` pointers while the list head is reset to `{self, self}`. This can lead to memory corruption, privilege escalation, or denial of service when the stale waitqueue entries are subsequently accessed. The vulnerability affects Linux kernels from version 2.6.17 through multiple stable branches. The fix replaces the `dvb_ringbuffer_init()` call with direct assignment of buffer data/size and a call to `dvb_ringbuffer_reset()`, which properly resets read/write positions without touching the waitqueue or spinlock.

Vendor: Linux
Product: Unknown
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-18
Original CVE updated: 2026-06-01
Advisory published: 2026-03-18
Advisory updated: 2026-06-01

Who should care

Linux system administrators, kernel maintainers, embedded device manufacturers using DVB subsystems, security teams managing Linux workstations and servers with DVB hardware, and organizations running containerized or multi-tenant environments where untrusted users may have access to DVB device nodes.

Technical summary

The vulnerability is a use-after-free condition in `drivers/media/dvb-core/dmxdev.c`. The `dvb_dvr_open()` function calls `dvb_ringbuffer_init()` on each new open of a DVR device. This function calls `init_waitqueue_head()`, which resets the waitqueue list head. Because `dmxdev->dvr_buffer.queue` is shared across all opens of the same DVR device, any existing waitqueue entries (from `io_uring` poll, `epoll`, or blocking reads) become orphaned with dangling pointers. The waitqueue and spinlock were already correctly initialized in `dvb_dmxdev_init()`. The fix replaces `dvb_ringbuffer_init()` with direct buffer pointer assignment and `dvb_ringbuffer_reset()`, which resets `pread`, `pwrite`, and `error` with proper memory ordering without reinitializing the waitqueue or spinlock. Attack vector is local, requiring low privileges and no user interaction. Impact is high for confidentiality, integrity, and availability.
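The list mechanics described above, as an added userspace model (not kernel code and not the upstream patch): the struct layout, the helper names `rb_init`, `rb_reset` and `is_orphaned`, and the single simulated waiter are assumptions made for illustration. It shows that reinitializing the shared head leaves a registered entry linked but unreachable, while resetting only the positions keeps it on the list.

```c
#include <stddef.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };
/* Simplified stand-in for struct dvb_ringbuffer (assumed layout, lock omitted). */
struct ringbuf {
    unsigned char *data;
    size_t size, pread, pwrite;
    int error;
    struct list_head queue;   /* models the shared waitqueue list head */
};

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *h) {
    n->next = h->next; n->prev = h;
    h->next->prev = n; h->next = n;
}

/* Models dvb_ringbuffer_reset(): positions and error only (ordering omitted). */
static void rb_reset(struct ringbuf *rb) { rb->pread = rb->pwrite = 0; rb->error = 0; }
/* Models dvb_ringbuffer_init(): also resets the queue head to {self, self}. */
static void rb_init(struct ringbuf *rb, unsigned char *data, size_t size) {
    rb->data = data; rb->size = size; rb_reset(rb);
    list_init(&rb->queue);
}

/* 1 if the entry still holds links into the list but the head cannot reach it. */
static int is_orphaned(const struct ringbuf *rb, const struct list_head *e) {
    for (const struct list_head *p = rb->queue.next; p != &rb->queue; p = p->next)
        if (p == e) return 0;
    return e->next != e;
}

/* One-time init, a waiter registers, then a second open of the device arrives. */
static int second_open_orphans_waiter(int use_fix) {
    static unsigned char buf[64];
    struct ringbuf rb;
    struct list_head waiter;   /* models an epoll or io_uring poll wait entry */
    rb_init(&rb, buf, sizeof buf);          /* done once, at device init */
    list_add(&waiter, &rb.queue);           /* first reader starts polling */
    if (use_fix) { rb.data = buf; rb.size = sizeof buf; rb_reset(&rb); }
    else rb_init(&rb, buf, sizeof buf);     /* pre-fix open path */
    return is_orphaned(&rb, &waiter);
}

int main(void) {
    printf("orphaned: pre-fix=%d fixed=%d\n", second_open_orphans_waiter(0), second_open_orphans_waiter(1));
    return 0;
}
```

The same invariant (every registered entry reachable from the head after a reopen) is what to look for when reviewing out-of-tree drivers that share a ring buffer across opens.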

Defensive priority

HIGH

Recommended defensive actions

  • Apply the relevant stable kernel patch for your branch: 5.10.253 or later, 5.15.203 or later, 6.1.167 or later, 6.6.130 or later, 6.12.77 or later, 6.18.17 or later, 6.19.7 or later, or 7.0-rc1 with the fix included
  • Upgrade to a patched Linux kernel version that includes the fix for CVE-2026-23253
  • If immediate patching is not possible, restrict access to DVB DVR device nodes (`/dev/dvb/adapter*/dvr*`) to trusted users only, as local access is required
  • Monitor systems for unusual crashes or hangs in DVB-related processes, which may indicate exploitation attempts
  • Review custom or out-of-tree DVB drivers for similar patterns of shared waitqueue reinitialization

Evidence notes

The vulnerability was resolved in the Linux kernel media subsystem. The issue was introduced by incorrect reinitialization of a shared ringbuffer waitqueue in `dvb_dvr_open()`. The fix ensures that only buffer data pointers and positions are reset on reopen, preserving the integrity of the shared waitqueue and spinlock that were properly initialized once in `dvb_dmxdev_init()`. Multiple stable kernel branches received patches.
