CVE-2026-23327
Received - Intake
Out-of-Bounds Read in Linux Kernel CXL Mailbox Payload Validation

Publication date: 2026-03-25

Last updated on: 2026-04-23

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

cxl/mbox: validate payload size before accessing contents in cxl_payload_from_user_allowed()

cxl_payload_from_user_allowed() casts and dereferences the input payload without first verifying its size. When a raw mailbox command is sent with an undersized payload (ie: 1 byte for CXL_MBOX_OP_CLEAR_LOG, which expects a 16-byte UUID), uuid_equal() reads past the allocated buffer, triggering a KASAN splat:

  BUG: KASAN: slab-out-of-bounds in memcmp+0x176/0x1d0 lib/string.c:683
  Read of size 8 at addr ffff88810130f5c0 by task syz.1.62/2258

  CPU: 2 UID: 0 PID: 2258 Comm: syz.1.62 Not tainted 6.19.0-dirty #3 PREEMPT(voluntary)
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014
  Call Trace:
   <TASK>
   __dump_stack lib/dump_stack.c:94 [inline]
   dump_stack_lvl+0xab/0xe0 lib/dump_stack.c:120
   print_address_description mm/kasan/report.c:378 [inline]
   print_report+0xce/0x650 mm/kasan/report.c:482
   kasan_report+0xce/0x100 mm/kasan/report.c:595
   memcmp+0x176/0x1d0 lib/string.c:683
   uuid_equal include/linux/uuid.h:73 [inline]
   cxl_payload_from_user_allowed drivers/cxl/core/mbox.c:345 [inline]
   cxl_mbox_cmd_ctor drivers/cxl/core/mbox.c:368 [inline]
   cxl_validate_cmd_from_user drivers/cxl/core/mbox.c:522 [inline]
   cxl_send_cmd+0x9c0/0xb50 drivers/cxl/core/mbox.c:643
   __cxl_memdev_ioctl drivers/cxl/core/memdev.c:698 [inline]
   cxl_memdev_ioctl+0x14f/0x190 drivers/cxl/core/memdev.c:713
   vfs_ioctl fs/ioctl.c:51 [inline]
   __do_sys_ioctl fs/ioctl.c:597 [inline]
   __se_sys_ioctl fs/ioctl.c:583 [inline]
   __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583
   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
   do_syscall_64+0xa8/0x330 arch/x86/entry/syscall_64.c:94
   entry_SYSCALL_64_after_hwframe+0x77/0x7f
  RIP: 0033:0x7fdaf331ba79
  Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
  RSP: 002b:00007fdaf1d77038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
  RAX: ffffffffffffffda RBX: 00007fdaf3585fa0 RCX: 00007fdaf331ba79
  RDX: 00002000000001c0 RSI: 00000000c030ce02 RDI: 0000000000000003
  RBP: 00007fdaf33749df R08: 0000000000000000 R09: 0000000000000000
  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
  R13: 00007fdaf3586038 R14: 00007fdaf3585fa0 R15: 00007ffced2af768
   </TASK>

Add 'in_size' parameter to cxl_payload_from_user_allowed() and validate the payload is large enough.

Meta Information
Published: 2026-03-25
Last Modified: 2026-04-23
Generated: 2026-05-07
AI Q&A: 2026-03-25
EPSS Evaluated: 2026-05-05

Affected Vendors & Products
Showing 9 associated CPEs

Vendor   Product        Version / Range
linux    linux_kernel   5.19
linux    linux_kernel   7.0
linux    linux_kernel   7.0
linux    linux_kernel   7.0
linux    linux_kernel   7.0
linux    linux_kernel   7.0
linux    linux_kernel   7.0
linux    linux_kernel   7.0
linux    linux_kernel   From 5.19.1 (inc) to 6.19.7 (exc)

CWE ID    Description
CWE-125   The product reads data past the end, or before the beginning, of the intended buffer.

AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's cxl/mbox component, specifically in the function cxl_payload_from_user_allowed(). The function casts and dereferences an input payload without first verifying its size. If a raw mailbox command is sent with an undersized payload (for example, 1 byte instead of the expected 16-byte UUID for the CXL_MBOX_OP_CLEAR_LOG operation), the function uuid_equal() reads beyond the allocated buffer. This causes a kernel memory out-of-bounds read, triggering a Kernel Address Sanitizer (KASAN) error.

The issue was fixed by adding an 'in_size' parameter to the function and validating that the payload is large enough before accessing its contents.
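
The check described above, as an added user-space C model (not the kernel's code and not part of the original advisory). The opcode values, ALLOWED_UUID, struct clear_log_in and the allow-one-UUID policy are assumptions made for illustration; only the missing length check and the 'in_size' parameter come from the description.

```c
/* Added illustration: user-space model of the missing size check.
 * Not the kernel's code; opcodes, UUID and policy are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define UUID_SIZE 16
enum { OP_CLEAR_LOG = 1, OP_OTHER = 2 };           /* constructed opcodes */
static const uint8_t ALLOWED_UUID[UUID_SIZE] = { 0xA1, 0xB2, 0xC3 }; /* constructed */

struct clear_log_in { uint8_t uuid[UUID_SIZE]; };  /* 16-byte input payload */

/* "Before": dereferences the cast payload without knowing its length.
 * A 1-byte allocation makes memcmp() read 15 bytes past the buffer. */
bool payload_allowed_unchecked(int opcode, const void *payload)
{
    if (opcode == OP_CLEAR_LOG) {
        const struct clear_log_in *in = payload;
        return memcmp(in->uuid, ALLOWED_UUID, UUID_SIZE) == 0;
    }
    return true;
}

/* "After": the caller passes in_size and the length is validated before
 * any byte of the payload is read; short payloads are rejected. */
bool payload_allowed(int opcode, const void *payload, size_t in_size)
{
    if (opcode == OP_CLEAR_LOG) {
        const struct clear_log_in *in = payload;
        if (!payload || in_size < sizeof(*in))
            return false;
        return memcmp(in->uuid, ALLOWED_UUID, UUID_SIZE) == 0;
    }
    return true;
}

int main(void)
{
    uint8_t *tiny = malloc(1);       /* undersized payload, as in the report */
    if (!tiny)
        return 2;
    tiny[0] = ALLOWED_UUID[0];
    bool rejected = !payload_allowed(OP_CLEAR_LOG, tiny, 1);
    bool accepted = payload_allowed(OP_CLEAR_LOG, ALLOWED_UUID, UUID_SIZE);
    free(tiny);
    return (rejected && accepted) ? 0 : 1;
}
```

Building the model with -fsanitize=address and passing the 1-byte buffer to payload_allowed_unchecked() produces the user-space analogue of the KASAN report; payload_allowed() returns false for the same input without touching it.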


How can this vulnerability impact me?

This vulnerability can cause the Linux kernel to perform out-of-bounds memory reads, which may lead to system instability or crashes due to the KASAN slab-out-of-bounds error. Such behavior can disrupt normal system operations and potentially be exploited to leak sensitive kernel memory contents or cause denial of service.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability manifests as a kernel memory out-of-bounds read triggered by sending a raw mailbox command with an undersized payload to the Linux kernel's cxl subsystem.

Detection can involve monitoring kernel logs for KASAN (Kernel Address Sanitizer) slab-out-of-bounds errors in the memcmp or uuid_equal functions, which indicate attempts to exploit this vulnerability. These reports are only emitted by kernels built with KASAN enabled (CONFIG_KASAN).

Specifically, look for log entries similar to: "BUG: KASAN: slab-out-of-bounds in memcmp+0x176/0x1d0 lib/string.c:683".

Commands to check kernel logs include:

  • dmesg | grep -i kasan
  • journalctl -k | grep -i kasan
  • grep -i 'slab-out-of-bounds' /var/log/kern.log

Additionally, monitoring for unusual ioctl calls to the cxl_memdev device or raw mailbox commands with undersized payloads could help detect exploitation attempts, but specific commands for this are not provided.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to update the Linux kernel to a version that includes the fix for this vulnerability, which adds payload size validation in the cxl_payload_from_user_allowed() function.

Until the kernel is updated, consider restricting access to the cxl mailbox interface to trusted users only, as exploitation requires sending crafted raw mailbox commands.

Monitoring kernel logs for KASAN errors can also help detect exploitation attempts early.

