CVE-2026-23266
Received - Intake
Divide-by-Zero Vulnerability in Linux rivafb Driver Causes Kernel Crash

Publication date: 2026-03-18

Last updated on: 2026-03-18

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

fbdev: rivafb: fix divide error in nv3_arb()

A userspace program can trigger the RIVA NV3 arbitration code by calling the FBIOPUT_VSCREENINFO ioctl on /dev/fb*. When doing so, the driver recomputes FIFO arbitration parameters in nv3_arb(), using state->mclk_khz (derived from the PRAMDAC MCLK PLL) as a divisor without validating it first.

In a normal setup, state->mclk_khz is provided by the real hardware and is non-zero. However, an attacker can construct a malicious or misconfigured device (e.g. a crafted/emulated PCI device) that exposes a bogus PLL configuration, causing state->mclk_khz to become zero. Once nv3_get_param() calls nv3_arb(), the division by state->mclk_khz in the gns calculation causes a divide error and crashes the kernel.

Fix this by checking whether state->mclk_khz is zero and bailing out before doing the division.

The following log reveals it:

    rivafb: setting virtual Y resolution to 2184
    divide error: 0000 [#1] PREEMPT SMP KASAN PTI
    CPU: 0 PID: 2187 Comm: syz-executor.0 Not tainted 5.18.0-rc1+ #1
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
    RIP: 0010:nv3_arb drivers/video/fbdev/riva/riva_hw.c:439 [inline]
    RIP: 0010:nv3_get_param+0x3ab/0x13b0 drivers/video/fbdev/riva/riva_hw.c:546
    Call Trace:
     nv3CalcArbitration.constprop.0+0x255/0x460 drivers/video/fbdev/riva/riva_hw.c:603
     nv3UpdateArbitrationSettings drivers/video/fbdev/riva/riva_hw.c:637 [inline]
     CalcStateExt+0x447/0x1b90 drivers/video/fbdev/riva/riva_hw.c:1246
     riva_load_video_mode+0x8a9/0xea0 drivers/video/fbdev/riva/fbdev.c:779
     rivafb_set_par+0xc0/0x5f0 drivers/video/fbdev/riva/fbdev.c:1196
     fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1033
     do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1109
     fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1188
     __x64_sys_ioctl+0x122/0x190 fs/ioctl.c:856

Meta Information
Published: 2026-03-18
Last Modified: 2026-03-18
Generated: 2026-05-07
AI Q&A: 2026-03-18
EPSS Evaluated: 2026-05-05

Affected Vendors & Products
Showing 1 associated CPE

    Vendor   Product        Version / Range
    linux    linux_kernel   5.18.0-rc1

CWE
CWE ID: CWE-UNKNOWN

AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's rivafb driver, specifically in the nv3_arb() function. A userspace program can trigger the RIVA NV3 arbitration code by calling the FBIOPUT_VSCREENINFO ioctl on /dev/fb*. The driver recalculates FIFO arbitration parameters using a value called state->mclk_khz as a divisor without validating it first.

Normally, state->mclk_khz is provided by real hardware and is non-zero. However, an attacker can create a malicious or misconfigured device that exposes a bogus PLL configuration, causing state->mclk_khz to be zero. When the driver attempts to divide by this zero value, it causes a divide error that crashes the kernel.

The vulnerability is fixed by adding a check to ensure state->mclk_khz is not zero before performing the division, preventing the kernel crash.


How can this vulnerability impact me?

This vulnerability can be exploited by a userspace program to crash the Linux kernel, causing a denial of service (DoS) condition. By triggering a divide-by-zero error in the rivafb driver, an attacker can cause the system to become unstable or unresponsive.

If an attacker has the ability to provide a crafted or emulated PCI device or otherwise manipulate the framebuffer device, they can exploit this flaw to disrupt system operations.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by observing kernel logs for a specific divide error related to the rivafb driver when the FBIOPUT_VSCREENINFO ioctl is called on /dev/fb* devices.

A typical log message indicating this issue includes lines such as:

  • rivafb: setting virtual Y resolution to 2184
  • divide error: 0000 [#1] PREEMPT SMP KASAN PTI
  • RIP: 0010:nv3_arb drivers/video/fbdev/riva/riva_hw.c:439

To detect this on your system, you can check the kernel ring buffer or system logs using commands like:

  • dmesg | grep rivafb
  • journalctl -k | grep rivafb
  • journalctl -k | grep 'divide error'

Additionally, monitoring for crashes or kernel panics related to /dev/fb* ioctl calls may help identify attempts to trigger this vulnerability.
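
The grep commands above match any rivafb message and any divide error separately. As an added example (not part of the original advisory), the function below correlates the two: it counts oopses where a "divide error" line is followed within 20 lines by a RIP inside nv3_arb or nv3_get_param. The function name, the 20-line window and both sample logs are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the advisory). Counts kernel oopses in which a
# "divide error" is followed, within a few lines, by a RIP inside the rivafb
# NV3 arbitration code. Input: kernel log text on stdin (dmesg or journalctl -k).
count_rivafb_divide_errors() {
  awk '
    /divide error:/ { window = 20; reported = 0; next }
    window > 0 {
      window--
      # RIP lines name the faulting function; the quoted trace shows nv3_arb
      # inlined into nv3_get_param, so accept either symbol.
      if (!reported && /RIP: [0-9a-f]+:nv3_(arb|get_param)/) {
        reported = 1
        hits++
      }
    }
    END { print hits + 0 }
  '
}

# Constructed sample 1: lines taken from the trace in the CVE description,
# with a dmesg-style timestamp prefix added.
SAMPLE_RIVAFB='[  52.101] rivafb: setting virtual Y resolution to 2184
[  52.102] divide error: 0000 [#1] PREEMPT SMP KASAN PTI
[  52.103] CPU: 0 PID: 2187 Comm: syz-executor.0 Not tainted 5.18.0-rc1+ #1
[  52.104] RIP: 0010:nv3_arb drivers/video/fbdev/riva/riva_hw.c:439 [inline]
[  52.104] RIP: 0010:nv3_get_param+0x3ab/0x13b0 drivers/video/fbdev/riva/riva_hw.c:546'

# Constructed sample 2: a benign rivafb message plus a divide error in an
# unrelated, hypothetical function; neither should be counted.
SAMPLE_OTHER='[  10.001] rivafb: setting virtual Y resolution to 2184
[  99.500] divide error: 0000 [#2] PREEMPT SMP
[  99.501] RIP: 0010:example_unrelated_fn+0x10/0x40'

printf 'rivafb sample: %s\n' "$(printf '%s\n' "$SAMPLE_RIVAFB" | count_rivafb_divide_errors)"
printf 'other sample:  %s\n' "$(printf '%s\n' "$SAMPLE_OTHER" | count_rivafb_divide_errors)"
```

On a live system, feed it the kernel log, for example `journalctl -k | count_rivafb_divide_errors`; a non-zero count means the crash signature from this CVE is present in the log.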


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to update the Linux kernel to a version where this vulnerability has been fixed.

The fix involves validating the state->mclk_khz value before performing division in the nv3_arb() function to prevent divide errors and kernel crashes.

Until the kernel is updated, avoid running or allowing userspace programs to call the FBIOPUT_VSCREENINFO ioctl on /dev/fb* devices, especially if the system uses the rivafb driver.

If possible, restrict access to /dev/fb* devices to trusted users only.

