CVE-2026-23266
Analyzed - Analysis Complete
Divide-by-Zero Vulnerability in Linux rivafb Driver Causes Kernel Crash

Publication date: 2026-03-18

Last updated on: 2026-05-29

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

fbdev: rivafb: fix divide error in nv3_arb()

A userspace program can trigger the RIVA NV3 arbitration code by calling the FBIOPUT_VSCREENINFO ioctl on /dev/fb*. When doing so, the driver recomputes FIFO arbitration parameters in nv3_arb(), using state->mclk_khz (derived from the PRAMDAC MCLK PLL) as a divisor without validating it first.

In a normal setup, state->mclk_khz is provided by the real hardware and is non-zero. However, an attacker can construct a malicious or misconfigured device (e.g. a crafted/emulated PCI device) that exposes a bogus PLL configuration, causing state->mclk_khz to become zero. Once nv3_get_param() calls nv3_arb(), the division by state->mclk_khz in the gns calculation causes a divide error and crashes the kernel.

Fix this by checking whether state->mclk_khz is zero and bailing out before doing the division.

The following log reveals it:

    rivafb: setting virtual Y resolution to 2184
    divide error: 0000 [#1] PREEMPT SMP KASAN PTI
    CPU: 0 PID: 2187 Comm: syz-executor.0 Not tainted 5.18.0-rc1+ #1
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
    RIP: 0010:nv3_arb drivers/video/fbdev/riva/riva_hw.c:439 [inline]
    RIP: 0010:nv3_get_param+0x3ab/0x13b0 drivers/video/fbdev/riva/riva_hw.c:546
    Call Trace:
     nv3CalcArbitration.constprop.0+0x255/0x460 drivers/video/fbdev/riva/riva_hw.c:603
     nv3UpdateArbitrationSettings drivers/video/fbdev/riva/riva_hw.c:637 [inline]
     CalcStateExt+0x447/0x1b90 drivers/video/fbdev/riva/riva_hw.c:1246
     riva_load_video_mode+0x8a9/0xea0 drivers/video/fbdev/riva/fbdev.c:779
     rivafb_set_par+0xc0/0x5f0 drivers/video/fbdev/riva/fbdev.c:1196
     fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1033
     do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1109
     fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1188
     __x64_sys_ioctl+0x122/0x190 fs/ioctl.c:856

Meta Information

  • Published: 2026-03-18
  • Last Modified: 2026-05-29
  • Generated: 2026-06-16
  • AI Q&A: 2026-03-18
  • EPSS Evaluated: 2026-06-14

Affected Vendors & Products
Showing 12 associated CPEs

Vendor | Product      | Version / Range
linux  | linux_kernel | 2.6.12 (listed 5 times)
linux  | linux_kernel | From 5.16 (inc) to 6.1.164 (exc)
linux  | linux_kernel | From 5.11 (inc) to 5.15.201 (exc)
linux  | linux_kernel | From 6.2 (inc) to 6.6.127 (exc)
linux  | linux_kernel | From 6.7 (inc) to 6.12.74 (exc)
linux  | linux_kernel | From 6.13 (inc) to 6.18.13 (exc)
linux  | linux_kernel | From 6.19 (inc) to 6.19.3 (exc)
linux  | linux_kernel | From 2.6.12.1 (inc) to 5.10.251 (exc)

CWE ID  | Description
CWE-369 | The product divides a value by zero.

Executive Summary

This vulnerability exists in the Linux kernel's rivafb driver, specifically in the nv3_arb() function. A userspace program can trigger the RIVA NV3 arbitration code by calling the FBIOPUT_VSCREENINFO ioctl on /dev/fb*. The driver recalculates FIFO arbitration parameters using a value called state->mclk_khz as a divisor without validating it first.

Normally, state->mclk_khz is provided by real hardware and is non-zero. However, an attacker can create a malicious or misconfigured device that exposes a bogus PLL configuration, causing state->mclk_khz to be zero. When the driver attempts to divide by this zero value, it causes a divide error that crashes the kernel.

The vulnerability is fixed by adding a check to ensure state->mclk_khz is not zero before performing the division, preventing the kernel crash.

Impact Analysis

This vulnerability can be exploited by a userspace program to crash the Linux kernel, causing a denial of service (DoS) condition. By triggering a divide-by-zero error in the rivafb driver, an attacker can cause the system to become unstable or unresponsive.

If an attacker has the ability to provide a crafted or emulated PCI device or otherwise manipulate the framebuffer device, they can exploit this flaw to disrupt system operations.

Detection Guidance

This vulnerability can be detected by observing kernel logs for a specific divide error related to the rivafb driver when the FBIOPUT_VSCREENINFO ioctl is called on /dev/fb* devices.

A typical log message indicating this issue includes lines such as:

  • rivafb: setting virtual Y resolution to 2184
  • divide error: 0000 [#1] PREEMPT SMP KASAN PTI
  • RIP: 0010:nv3_arb drivers/video/fbdev/riva/riva_hw.c:439

To detect this on your system, you can check the kernel ring buffer or system logs using commands like:

  • dmesg | grep rivafb
  • journalctl -k | grep rivafb
  • journalctl -k | grep 'divide error'

Additionally, monitoring for crashes or kernel panics related to /dev/fb* ioctl calls may help identify attempts to trigger this vulnerability.
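The three grep commands above each match a single string, so an unrelated divide error or an ordinary rivafb mode-set message also matches. The following added example (not part of the original advisory or the kernel fix) counts only divide-error oopses whose RIP line names nv3_arb or nv3_get_param; the function names, the 10-line window and the timestamps and second oops in the sample log are constructed for illustration.

```shell
#!/bin/sh
# Reads kernel log text on stdin and prints how many "divide error" oopses
# have a RIP line naming nv3_arb or nv3_get_param within the next 10 lines.
count_nv3_divide_errors() {
    awk '
        /divide error:/ { window = 10; next }      # start of an oops
        window > 0 {
            window--
            if ($0 ~ /RIP: [0-9a-f]+:(nv3_arb|nv3_get_param)/) {
                hits++                             # count each oops once
                window = 0
            }
        }
        END { print hits + 0 }
    '
}

# Constructed sample: the first oops uses the lines quoted in the advisory,
# the second is an unrelated divide error that must not be counted.
sample_log() {
cat <<'EOF'
[   41.100000] rivafb: setting virtual Y resolution to 2184
[   41.100100] divide error: 0000 [#1] PREEMPT SMP KASAN PTI
[   41.100200] CPU: 0 PID: 2187 Comm: syz-executor.0 Not tainted 5.18.0-rc1+ #1
[   41.100300] RIP: 0010:nv3_arb drivers/video/fbdev/riva/riva_hw.c:439 [inline]
[   41.100400] RIP: 0010:nv3_get_param+0x3ab/0x13b0 drivers/video/fbdev/riva/riva_hw.c:546
[   97.000000] divide error: 0000 [#2] PREEMPT SMP
[   97.000100] RIP: 0010:some_other_driver_fn+0x10/0x40
[  120.000000] rivafb: setting virtual Y resolution to 1024
EOF
}

sample_log | count_nv3_divide_errors
```

On a live host, pipe `dmesg` or `journalctl -k` into the function; if the machine rebooted after the crash, `journalctl -k -b -1` reads the previous boot's kernel log when the journal is persistent.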

Mitigation Strategies

The immediate mitigation step is to update the Linux kernel to a version where this vulnerability has been fixed.

The fix involves validating the state->mclk_khz value before performing division in the nv3_arb() function to prevent divide errors and kernel crashes.

Until the kernel is updated, avoid running or allowing userspace programs to call the FBIOPUT_VSCREENINFO ioctl on /dev/fb* devices, especially if the system uses the rivafb driver.

If possible, restrict access to /dev/fb* devices to trusted users only.
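To decide whether a host needs the update, the running kernel version can be compared against the ranges in the Affected Vendors & Products table. This is an added example, not code from the advisory; the function names are hypothetical, and the 2.6.12 entries listed separately in the table are folded into the first range. Distribution kernels often backport fixes without changing the upstream version number, so treat an in-range result as a prompt to check the vendor's advisory.

```shell
#!/bin/sh
# ver_lt A B: succeeds when dotted version A sorts strictly before B.
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {          # missing components count as 0
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1                              # equal is not "less than"
    }'
}

# low(inclusive):high(exclusive) pairs copied from the table on this page.
RANGES='2.6.12:5.10.251
5.11:5.15.201
5.16:6.1.164
6.2:6.6.127
6.7:6.12.74
6.13:6.18.13
6.19:6.19.3'

# Prints a verdict for a kernel version string; returns 0 when it is in a
# listed range, 1 otherwise. Suffixes such as "-rc1+" are ignored.
rivafb_cve_status() {
    v=${1%%[!0-9.]*}
    for r in $RANGES; do
        lo=${r%%:*}; hi=${r#*:}
        if ! ver_lt "$v" "$lo" && ver_lt "$v" "$hi"; then
            echo "in-range, first fixed release listed: $hi"
            return 0
        fi
    done
    echo "outside listed ranges"
    return 1
}

# Check the version given as $1, or the running kernel by default.
rivafb_cve_status "${1:-$(uname -r)}" || true
```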
