CVE-2026-23266 Linux CVE debrief

Who should care

Linux system administrators, kernel maintainers, virtualization platform operators, and security teams monitoring for local privilege escalation or denial-of-service vectors in framebuffer subsystems

Technical summary

The RIVA NV3 framebuffer driver computes FIFO arbitration parameters in nv3_arb() using state->mclk_khz as a divisor. This value is derived from the PRAMDAC MCLK PLL register and is not validated before use. A malicious or misconfigured PCI device (including emulated hardware) can present a zero MCLK value, causing a divide error when the FBIOPUT_VSCREENINFO ioctl triggers mode setting. The call path is: fb_ioctl → do_fb_ioctl → fb_set_var → rivafb_set_par → riva_load_video_mode → CalcStateExt → nv3UpdateArbitrationSettings → nv3CalcArbitration.constprop.0 → nv3_get_param → nv3_arb. The fix adds a zero check on state->mclk_khz with early bailout before the gns division.

Defensive priority

medium

Recommended defensive actions

• Apply the relevant stable kernel patch for your branch: 5.10.251+, 5.15.201+, 6.1.164+, 6.6.127+, 6.12.74+, 6.18.13+, or 6.19.3+
• If the rivafb driver is not required, consider disabling it via kernel module blacklist or build configuration
• Restrict access to framebuffer devices (/dev/fb*) to trusted users to reduce local attack surface
• Monitor for unexpected divide error kernel panics involving riva_hw.c or nv3_arb as potential exploitation indicators
• Review PCI device attachments for unauthorized or unexpected emulated hardware in virtualized environments

Evidence notes

CVE published 2026-03-18; modified 2026-05-29. NVD CPE identifies Linux kernel versions from 2.6.12 through multiple stable branches as affected. CWE-369 (Divide By Zero) assigned by NVD. Eight stable kernel patches referenced. No KEV entry. CVSS 3.1: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H = 5.5 Medium.

Official resources