CVE-2026-23467 Linux CVE debrief

Who should care

Linux system administrators managing Intel graphics-equipped workstations and servers; kernel maintainers for distributions shipping affected kernel versions; security teams monitoring local privilege escalation and denial-of-service vectors in graphics subsystems

Technical summary

The vulnerability stems from incorrect hardware state tracking in Intel's i915 display driver. The function `intel_dmc_update_dc6_allowed_count()` dereferences a NULL `dmc` pointer when called during early probe, before `intel_dmc_init()` completes initialization. The call chain: `intel_power_domains_init_hw()` → `{skl,bxt,icl}_display_core_init()` → `gen9_set_dc_state()` → `intel_dmc_update_dc6_allowed_count()`. The condition for calling this function depends on DC6 state comparison; when target is disabled but DC6 is enabled in hardware, the NULL dereference occurs. The root cause fix changes from hardware DC6 state (`HW`) to software DC6 state (`SW`) for counter tracking, which is architecturally correct since the counter stop operation requires DC5 counter values captured at counter start time.

Defensive priority

medium

Recommended defensive actions

• Apply stable kernel patches from kernel.org for affected versions (6.16-6.18.19, 6.19-6.19.9, 7.0-rc1 through rc4)
• Upgrade to Linux kernel 6.18.20, 6.19.10, or later stable releases where this fix is integrated
• Monitor system logs for i915 driver oops messages during boot probe sequence on Intel graphics systems
• Verify DC6 power state handling in BIOS/firmware configurations to prevent unintended hardware state enabling

Evidence notes

CVE description confirms NULL pointer dereference in drm/i915/dmc at probe time. CPE criteria specify affected kernel versions: 6.16-6.18.19, 6.19-6.19.9, and 7.0-rc1 through rc4. CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H yields score 5.5 (MEDIUM). CWE-476 (NULL Pointer Dereference) assigned by NVD. Three kernel.org stable patches provided as fixes.

Official resources