PatchSiren

CVE-2026-23470 Linux CVE debrief

A deadlock vulnerability exists in the Linux kernel's drm/imagination driver soft reset sequence. The issue occurs because the soft reset is executed from a threaded IRQ handler, which calls disable_irq()—this internally waits for IRQ handlers to complete, causing the handler to wait for itself. The fix replaces disable_irq() with disable_irq_nosync() to prevent this self-deadlock condition. This is a local denial-of-service vulnerability requiring low privileges, with no impact to confidentiality or integrity.

Vendor: Linux
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-03
Original CVE updated: 2026-05-26
Advisory published: 2026-04-03
Advisory updated: 2026-05-26

Who should care

Linux system administrators running kernels with Imagination Technologies GPU support; embedded/IoT device manufacturers using PowerVR or similar Imagination GPUs; organizations with custom kernel builds targeting ARM or RISC-V platforms with integrated Imagination graphics

Technical summary

The vulnerability is a classic deadlock in kernel interrupt handling. The drm/imagination driver's soft reset sequence runs in a threaded IRQ handler context. When this code path calls disable_irq(), the kernel's IRQ synchronization mechanism attempts to wait for all handlers for that IRQ to complete—including the currently executing threaded handler. This creates a circular wait condition where the handler waits for itself, resulting in a soft lockup or deadlock. The resolution uses disable_irq_nosync(), which disables the IRQ without waiting for current handlers to complete, breaking the circular dependency. This vulnerability is exploitable only locally with low privileges and results in availability impact (system hang/lockup) but no data compromise.

Defensive priority

medium

Recommended defensive actions

  • Apply kernel patches from stable branches: 6.12.78+, 6.18.20+, 6.19.10+, or 7.0-rc5+
  • If patching is not immediately feasible, monitor systems for GPU driver hangs or soft lockups in dmesg logs indicating potential deadlock conditions
  • Review custom kernel builds using Imagination Technologies GPU drivers for inclusion of this fix
  • Validate kernel version through 'uname -r' and compare against affected version ranges
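
The version comparison in the last step can be scripted. The following is an added example, not code from PatchSiren or the kernel project: the function name cve_2026_23470_status is hypothetical, and the comparison assumes upstream/stable version numbering, so a vendor kernel that backports the fix under an older version string will still be reported as affected.

```shell
#!/bin/sh
# Added example: classify a kernel release string against the affected and
# fixed ranges quoted in this advisory. Assumes upstream/stable numbering;
# for vendor kernels, "affected" means "check the vendor changelog".

# Prints one of: affected | fixed | not-affected
cve_2026_23470_status() {
    rel=$1
    base=${rel%%-*}                      # 6.12.77-arm64 -> 6.12.77
    maj=${base%%.*}
    rest=${base#*.}
    min=${rest%%.*}; min=${min%%[!0-9]*}
    case $rest in
        *.*) pat=${rest#*.}; pat=${pat%%[!0-9]*} ;;
        *)   pat=0 ;;                    # two-part release such as 7.0-rc4
    esac
    rc=0                                 # 0 means "not a release candidate"
    case $rel in
        *-rc[0-9]*) rc=${rel#*-rc}; rc=${rc%%[!0-9]*} ;;
    esac
    v=$(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))

    # 7.0-rc1 through rc4 are affected; rc5 and later carry the fix.
    if [ "$v" -eq 7000000 ] && [ "$rc" -ge 1 ] && [ "$rc" -le 4 ]; then
        echo affected
    elif [ "$v" -lt 6008000 ]; then echo not-affected   # before 6.8, outside the listed ranges
    elif [ "$v" -lt 6012078 ]; then echo affected       # 6.8  .. 6.12.77
    elif [ "$v" -lt 6013000 ]; then echo fixed          # 6.12.78+
    elif [ "$v" -lt 6018020 ]; then echo affected       # 6.13 .. 6.18.19
    elif [ "$v" -lt 6019000 ]; then echo fixed          # 6.18.20+
    elif [ "$v" -lt 6019010 ]; then echo affected       # 6.19 .. 6.19.9
    else echo fixed                                     # 6.19.10+, 7.0-rc5+
    fi
}

# Check the running kernel, or a release string passed as the first argument.
release=${1:-$(uname -r)}
echo "$release: $(cve_2026_23470_status "$release")"
```

A result of "affected" only matters on systems where the drm/imagination driver is actually built and loaded, so pair it with a check of the kernel configuration or loaded modules.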

Evidence notes

CVE published 2026-04-03; modified 2026-05-26. NVD status: Analyzed. CVSS 3.1 vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. CWE-667 (Improper Locking). Affects Linux kernel versions 6.8 through 6.12.77, 6.13 through 6.18.19, 6.19 through 6.19.9, and 7.0-rc1 through rc4.
