PatchSiren cyber security CVE debrief
CVE-2026-23327 Linux CVE debrief
A slab-out-of-bounds read vulnerability exists in the Linux kernel's CXL (Compute Express Link) mailbox subsystem. The function `cxl_payload_from_user_allowed()` in `drivers/cxl/core/mbox.c` casts and dereferences user-supplied payload data without first validating that the payload size is sufficient for the expected structure. When a raw mailbox command is issued with an undersized payload—for example, a 1-byte payload for `CXL_MBOX_OP_CLEAR_LOG` which expects a 16-byte UUID—the `uuid_equal()` comparison reads beyond the allocated buffer boundary. This triggers a KASAN (Kernel Address Sanitizer) splat and represents an out-of-bounds read condition (CWE-125). The vulnerability is reachable through the `cxl_send_cmd` ioctl path, allowing a local attacker with access to CXL memory device character devices to induce kernel memory disclosure or crash conditions. The fix adds an `in_size` parameter to `cxl_payload_from_user_allowed()` and enforces minimum payload size validation before any structure dereference occurs.
- Vendor: Linux
- Product: Unknown
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-25
- Original CVE updated: 2026-06-01
- Advisory published: 2026-03-25
- Advisory updated: 2026-06-01
Who should care
Linux kernel maintainers, system administrators running CXL-enabled hardware, cloud providers offering bare-metal instances with CXL memory expansion, and security teams monitoring for local kernel information disclosure vulnerabilities.
Technical summary
The CXL (Compute Express Link) driver subsystem in the Linux kernel fails to validate user-supplied mailbox payload sizes before casting and dereferencing payload contents in `cxl_payload_from_user_allowed()`. A raw mailbox command with an undersized payload causes `uuid_equal()` to read past buffer boundaries, resulting in a slab-out-of-bounds read detectable by KASAN. The vulnerability is exposed through the `cxl_memdev_ioctl` path and affects local attackers with access to CXL memory device interfaces. The resolution introduces explicit `in_size` parameter validation to ensure payload buffers meet minimum size requirements before structure access.
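To make the fix pattern concrete, here is an added example (not the kernel's code and not taken from the advisory) that models what the summary describes: a raw-command payload is interpreted as a fixed-size structure, so its length has to be checked before a single byte of it is read. `payload_allowed_unchecked()` shows the pre-fix shape, where the 16-byte comparison trusts the caller; `payload_allowed()` takes the `in_size` argument the fix introduces and rejects an undersized payload before dereferencing it. The opcode enum, the function names, the `submit_raw_cmd()` wrapper (which mimics the kernel allocating exactly `in_size` bytes for the copied-in payload) and the UUID values are all constructed for this example; only the idea of a 16-byte UUID for the clear-log operation comes from the page.

```c
/* Added example, not kernel code: models the length check that the
 * CVE-2026-23327 fix introduces. All names and values are hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define UUID_SIZE 16

/* Hypothetical opcodes standing in for raw mailbox opcodes. */
enum cxl_op {
    OP_CLEAR_LOG = 1,   /* payload: a 16-byte log UUID */
    OP_OTHER     = 2,   /* payload layout not inspected here */
};

/* Constructed UUID of the one log this model permits clearing. */
const uint8_t allowed_log_uuid[UUID_SIZE] = {
    0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04,
    0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c,
};

/* Constructed sample payloads used by the demo and the checks below. */
const uint8_t constructed_short_payload[1] = { 0xde };
const uint8_t constructed_wrong_uuid[UUID_SIZE] = { 0 };

/* Pre-fix shape: assumes `payload` holds at least UUID_SIZE bytes. Called
 * with a 1-byte buffer, memcmp reads 15 bytes past its end, which is the
 * slab-out-of-bounds read the advisory describes. Kept only for contrast;
 * never call it with a buffer shorter than UUID_SIZE. */
int payload_allowed_unchecked(enum cxl_op op, const void *payload)
{
    if (op == OP_CLEAR_LOG &&
        memcmp(payload, allowed_log_uuid, UUID_SIZE) != 0)
        return -EPERM;
    return 0;
}

/* Post-fix shape: `in_size` is validated before any structure access.
 * Returns 0 if the command may proceed, a negative errno otherwise. */
int payload_allowed(enum cxl_op op, const void *payload, size_t in_size)
{
    switch (op) {
    case OP_CLEAR_LOG:
        if (in_size < UUID_SIZE)
            return -EINVAL;   /* undersized: reject without touching bytes */
        if (memcmp(payload, allowed_log_uuid, UUID_SIZE) != 0)
            return -EPERM;    /* well-formed but not a permitted log */
        return 0;
    default:
        return 0;
    }
}

/* Models the ioctl path: the payload copied from user space lives in a
 * buffer of exactly `in_size` bytes, so any access beyond it is out of
 * bounds. The hardened check is what keeps the access inside the buffer. */
int submit_raw_cmd(enum cxl_op op, const uint8_t *user_buf, size_t in_size)
{
    uint8_t *payload = malloc(in_size ? in_size : 1);
    if (!payload)
        return -ENOMEM;
    memcpy(payload, user_buf, in_size);
    int rc = payload_allowed(op, payload, in_size);
    free(payload);
    return rc;
}

int main(void)
{
    printf("1-byte CLEAR_LOG payload -> %d (expect -EINVAL=%d)\n",
           submit_raw_cmd(OP_CLEAR_LOG, constructed_short_payload, 1), -EINVAL);
    printf("16-byte permitted UUID   -> %d (expect 0)\n",
           submit_raw_cmd(OP_CLEAR_LOG, allowed_log_uuid, UUID_SIZE));
    printf("16-byte other UUID       -> %d (expect -EPERM=%d)\n",
           submit_raw_cmd(OP_CLEAR_LOG, constructed_wrong_uuid, UUID_SIZE), -EPERM);
    return 0;
}
```

The ordering inside `payload_allowed()` is the whole point: the size comparison comes first and uses only the integer `in_size`, so a short payload is refused with `-EINVAL` before `memcmp()` can run, whereas the unchecked variant has no way to learn the buffer's length and reads whatever follows it.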
Defensive priority
high
Recommended defensive actions
- Apply the upstream kernel patches that add `in_size` validation to `cxl_payload_from_user_allowed()` for all affected kernel versions (5.19.x through 6.19.6, and 7.0-rc series).
- If patching is not immediately feasible, restrict access to CXL memory device nodes (`/dev/cxl/*`) to trusted administrative users only, as the attack vector requires local access and the privileges needed to open these device files.
- Monitor kernel logs for KASAN slab-out-of-bounds reports originating from `drivers/cxl/core/mbox.c` as potential exploitation indicators.
- Upgrade to Linux kernel 6.19.7 or later, or apply the stable backports referenced in the patch commits, once available from distribution vendors.
- Review custom or third-party CXL management tools that issue raw mailbox commands to ensure they validate payload sizes before kernel submission.
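As an added example of the log monitoring recommended above (not tooling from the advisory or the kernel project), the scanner below walks kernel log text line by line, treats each `BUG: KASAN:` line as the start of a new splat, and counts only those splats that are slab-out-of-bounds reports and whose header or call-trace frames name the CXL mailbox code the advisory identifies (`drivers/cxl/core/mbox.c`, `cxl_payload_from_user_allowed`, `cxl_send_cmd`, `cxl_memdev_ioctl`). The embedded log is constructed for the example, including its symbol offsets and task names; it is not a real capture.

```c
/* Added example: counts KASAN slab-out-of-bounds splats attributable to the
 * CXL mailbox path. The log text is constructed, not a real trace. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: one CXL OOB splat, one CXL use-after-free (must not
 * count), and one OOB splat in an unrelated driver (must not count). */
const char constructed_log[] =
    "kernel: ==================================================================\n"
    "kernel: BUG: KASAN: slab-out-of-bounds in uuid_equal+0x1c/0x40\n"
    "kernel: Read of size 16 at addr ffff888012345670 by task cxl-tool/1234\n"
    "kernel: Call Trace:\n"
    "kernel:  cxl_payload_from_user_allowed+0x5a/0x120 [cxl_core]\n"
    "kernel:  cxl_send_cmd+0x1f3/0x4c0 [cxl_core]\n"
    "kernel:  cxl_memdev_ioctl+0x9b/0x150 [cxl_core]\n"
    "kernel: ==================================================================\n"
    "kernel: BUG: KASAN: use-after-free in cxl_memdev_ioctl+0x9b/0x150\n"
    "kernel: Call Trace:\n"
    "kernel:  cxl_send_cmd+0x1f3/0x4c0 [cxl_core]\n"
    "kernel: ==================================================================\n"
    "kernel: BUG: KASAN: slab-out-of-bounds in other_driver_fn+0x10/0x30\n"
    "kernel: Call Trace:\n"
    "kernel:  other_driver_ioctl+0x20/0x40\n"
    "kernel: ==================================================================\n";

/* Substring search bounded by the line length (lines are not NUL-terminated). */
static bool line_contains(const char *line, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; n <= len && i + n <= len; i++)
        if (memcmp(line + i, needle, n) == 0)
            return true;
    return false;
}

/* Does this line name the CXL mailbox code the advisory identifies? */
static bool mentions_cxl_mbox(const char *line, size_t len)
{
    return line_contains(line, len, "drivers/cxl/core/mbox.c") ||
           line_contains(line, len, "cxl_payload_from_user_allowed") ||
           line_contains(line, len, "cxl_send_cmd") ||
           line_contains(line, len, "cxl_memdev_ioctl");
}

/* Returns the number of slab-out-of-bounds splats whose header line or
 * subsequent frames reference the CXL mailbox path. */
int count_cxl_oob_splats(const char *log)
{
    int count = 0;
    bool in_oob = false;     /* currently inside a slab-out-of-bounds splat */
    bool cxl_frame = false;  /* that splat has named CXL mailbox code */
    const char *p = log;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);

        if (line_contains(p, len, "BUG: KASAN:")) {
            if (in_oob && cxl_frame)          /* finalize the previous splat */
                count++;
            in_oob = line_contains(p, len, "slab-out-of-bounds");
            cxl_frame = in_oob && mentions_cxl_mbox(p, len);
        } else if (in_oob && mentions_cxl_mbox(p, len)) {
            cxl_frame = true;
        }
        if (!nl)
            break;
        p = nl + 1;
    }
    if (in_oob && cxl_frame)                  /* finalize the last splat */
        count++;
    return count;
}

int main(void)
{
    printf("CXL mailbox slab-out-of-bounds splats: %d\n",
           count_cxl_oob_splats(constructed_log));
    return 0;
}
```

Keying the count on both the KASAN bug class and the CXL symbols keeps the signal specific: a use-after-free in the same driver or an out-of-bounds read elsewhere is reported separately rather than folded into this indicator. The splat-by-splat state machine means a frame mentioning CXL is only attributed to the report it actually belongs to.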
Evidence notes
The vulnerability description and KASAN stack trace are sourced directly from the CVE record. The affected function `cxl_payload_from_user_allowed()` and file `drivers/cxl/core/mbox.c` are explicitly named in the trace. The fix description, adding an `in_size` parameter and validating the payload size against it, is stated in the resolution text. CPE criteria indicate affected Linux kernel versions from 5.19.1 through 6.19.6, plus the 5.19 initial release and 7.0-rc1 through 7.0-rc7. CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H yields the provided score of 7.1 (HIGH).
Official resources
- CVE-2026-23327 CVE record (CVE.org)
- CVE-2026-23327 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 - Patch
- Source reference: 416baaa9-dc9f-4396-8d5f-8c081fb06d67, 2026-03-25T11:16:29.837Z