CVE-2026-23354
Received Received - Intake
Speculative Execution Flaw in Linux Kernel x86 fred_extint

Publication date: 2026-03-25

Last updated on: 2026-04-24

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: x86/fred: Correct speculative safety in fred_extint() array_index_nospec() is no use if the result gets spilled to the stack, as it makes the believed safe-under-speculation value subject to memory predictions. For all practical purposes, this means array_index_nospec() must be used in the expression that accesses the array. As the code currently stands, it's the wrong side of irqentry_enter(), and 'index' is put into %ebp across the function call. Remove the index variable and reposition array_index_nospec(), so it's calculated immediately before the array access.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-04-24
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-14
NVD
CVE-2026-23354
EUVD
EUVD-2026-15329
Affected Vendors & Products
Showing 11 associated CPEs
Vendor Product Version / Range
linux linux_kernel 6.9
linux linux_kernel From 6.19 (inc) to 6.19.7 (exc)
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 6.13 (inc) to 6.18.17 (exc)
linux linux_kernel From 6.9.1 (inc) to 6.12.77 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-129 The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the Linux kernel relates to the incorrect use of the function array_index_nospec() in the x86/fred component, specifically in the fred_extint() function. The function array_index_nospec() is intended to prevent speculative execution attacks by ensuring that array indices are safe under speculation. However, if the result of array_index_nospec() is spilled to the stack, it becomes vulnerable to memory prediction attacks. In this case, the index variable is stored across a function call, which undermines the protection. The fix involves removing the index variable and repositioning the array_index_nospec() call so that it is calculated immediately before the array access, ensuring proper speculative safety.

Impact Analysis

This vulnerability can potentially allow attackers to exploit speculative execution side channels to read sensitive data from memory that should be protected. Because the speculative safety mechanism is incorrectly applied, it may lead to unauthorized disclosure of information through memory prediction attacks, which can compromise system security and confidentiality.

Mitigation Strategies

The vulnerability is resolved by correcting the speculative safety in the fred_extint() function in the Linux kernel. Specifically, the fix involves removing the index variable and repositioning array_index_nospec() so it is calculated immediately before the array access.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23354. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart