PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-23285 Linux CVE debrief

CVE-2026-23285 is a Linux kernel availability issue in DRBD, the in-kernel replicated block device. In drbd_request_endio(), the READ_COMPLETED_WITH_ERROR path reaches __req_mod() with a NULL peer_device, and the handler passes that NULL value straight into drbd_set_out_of_sync(), which dereferences it. The result is a kernel null-pointer dereference (CWE-476) in the I/O completion path, which oopses the kernel and will typically take the host down. The supplied NVD record rates the issue CVSS 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

Vendor: Linux
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-25
Original CVE updated: 2026-05-22
Advisory published: 2026-03-25
Advisory updated: 2026-05-22

Who should care

Linux kernel administrators running DRBD, particularly where local, low-privileged users or processes can reach the affected systems (the CVSS vector is local, low privilege). Because the faulting code is the local backing-device read-error path, hosts with ageing or flaky storage under DRBD are also exposed without any attacker involvement. Release and patch management teams should care because remediation is branch-specific and vendor kernels may carry the backport under an unrelated version string.

Technical summary

The bug is in the local read-error path. drbd_request_endio() is the completion callback for I/O issued to the local backing device; when a read fails it invokes __req_mod(req, what, NULL, &m) with what set to READ_COMPLETED_WITH_ERROR, so peer_device is NULL. The READ_COMPLETED_WITH_ERROR handler in __req_mod() then forwards that NULL pointer unconditionally to drbd_set_out_of_sync(), which needs a valid peer_device because it records the failed range in the per-peer out-of-sync bitmap, and so dereferences it. The fix is to look the peer device up with first_peer_device(device) instead of trusting the argument, matching the handling already used by drbd_req_destroy().

Defensive priority

Medium. The flaw is local-only and affects availability rather than confidentiality or integrity, but a null-pointer dereference in the kernel's I/O completion path is not a graceful failure: it oopses the kernel and takes the DRBD resource, and whatever is layered on it, offline. The trigger is a read error on the backing device, so the bug can also surface on its own on hosts with failing storage. Prioritize systems running affected kernel branches with DRBD in use.

Recommended defensive actions

  • Apply the kernel fix or update to a non-vulnerable release for your branch: 6.6.130 or later, 6.12.77 or later, 6.18.17 or later, 6.19.7 or later, or a 7.0 mainline kernel (the fix landed in 7.0-rc1).
  • Confirm whether DRBD is present on Linux kernel hosts in scope, including vendor kernels that may carry backports.
  • Validate any vendor backport against the published kernel.org patch references before marking systems remediated.
  • If immediate patching is not possible, reduce exposure to local untrusted users on affected systems, and treat backing-device read errors on DRBD hosts as a likely crash trigger until updates are applied.
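As an added example, not code from the kernel project or the advisory: a POSIX shell triage check that classifies a kernel release string against the fixed releases listed above and reports whether DRBD is present on the host. The branch table is copied from the list above; the function names (kver_numeric, ver_ge, kernel_status, drbd_present) are the example's own, and it reads only the standard /sys/module, /proc/drbd, /proc/modules and modinfo interfaces. A branch the debrief does not list is reported as "unlisted", not as safe.

```shell
#!/bin/sh
# Added example (not from the kernel project or the advisory): classify the
# running kernel against the fixed releases listed in this debrief and report
# whether DRBD is present. Version-only checks are a triage aid; distro kernels
# can carry the backport under an unrelated version string.

# First fixed release per stable branch, copied from the debrief. Kernels on
# one of these branches below the listed release fall in the vulnerable range.
FIXED_RELEASES="6.6:6.6.130 6.12:6.12.77 6.18:6.18.17 6.19:6.19.7"

# Reduce a `uname -r` string to X.Y.Z, e.g. "6.6.129-custom+" -> "6.6.129",
# "7.0.0-rc1" -> "7.0.0". Missing components become 0.
kver_numeric() {
    printf '%s\n' "$1" | awk -F'[.-]' '{ printf "%d.%d.%d\n", $1, $2, $3 }'
}

# Exit 0 when X.Y.Z version $1 is greater than or equal to version $2.
ver_ge() {
    printf '%s %s\n' "$1" "$2" | awk -F'[. ]' '{
        for (i = 1; i <= 3; i++) {
            if ($i + 0 > $(i + 3) + 0) exit 0
            if ($i + 0 < $(i + 3) + 0) exit 1
        }
        exit 0
    }'
}

# Print "fixed", "vulnerable" or "unlisted" for a kernel release string.
# "unlisted" means the branch is not among the debrief's listed ranges; look the
# kernel up in the NVD record or the vendor advisory rather than assuming safety.
kernel_status() {
    v=$(kver_numeric "$1")
    branch=${v%.*}          # "6.6.129" -> "6.6"
    major=${v%%.*}          # "6.6.129" -> "6"
    for entry in $FIXED_RELEASES; do
        b=${entry%%:*}
        fixed=${entry#*:}
        if [ "$branch" = "$b" ]; then
            if ver_ge "$v" "$fixed"; then echo fixed; else echo vulnerable; fi
            return 0
        fi
    done
    # The fix landed in 7.0-rc1, so any 7.x mainline kernel carries it.
    if [ "$major" -ge 7 ]; then echo fixed; return 0; fi
    echo unlisted
}

# Report whether DRBD is loaded or at least available. Reads only standard
# sysfs/procfs entries and modinfo; exit status 0 means DRBD was found.
drbd_present() {
    if [ -d /sys/module/drbd ] || [ -e /proc/drbd ]; then
        echo "drbd module loaded"; return 0
    fi
    if [ -r /proc/modules ] && grep -q '^drbd ' /proc/modules; then
        echo "drbd module loaded"; return 0
    fi
    if modinfo drbd >/dev/null 2>&1; then
        echo "drbd module available but not loaded"; return 0
    fi
    echo "drbd not found"; return 1
}

main() {
    release=$(uname -r)
    echo "kernel $release: $(kernel_status "$release")"
    drbd_present || true
    echo "note: version-only result; confirm vendor backports against the kernel.org patches"
}

main "$@"
```

kernel_status is pure string logic, so it can be fed release strings from an inventory export instead of the local uname; a distro string such as 5.14.0-503.el9 comes back "unlisted" precisely because its version says nothing about backports, which is the case the vendor-advisory check above is for.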

Evidence notes

The supplied CVE description states that READ_COMPLETED_WITH_ERROR can pass a NULL peer_device into drbd_set_out_of_sync(), resulting in a null-pointer dereference, and that the fix uses first_peer_device(device). The NVD record identifies CWE-476 and CVSS 3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, and lists branch-specific vulnerable version ranges plus five official kernel.org patch references. This debrief uses only the provided corpus and official links.

Official resources

Published in the supplied CVE record on 2026-03-25T11:16:23.247Z and modified in the supplied NVD record on 2026-05-22T00:12:09.970Z. The patch references were present in the supplied source corpus alongside the modified record.