CVE-2026-23433
Null Pointer Dereference in Linux arm_mpam Bandwidth Counters
Publication date: 2026-04-03
Last updated on: 2026-04-23
Assigner: kernel.org
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 6.19 |
| linux | linux_kernel | From 6.19.1 (inc) to 6.19.10 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's arm_mpam component, which handles memory bandwidth monitoring. When a memory system controller (MSC) that supports bandwidth monitoring is taken offline and then brought back online, a function called mpam_restore_mbwu_state() attempts to restore bandwidth counter configurations by calling __ris_msmon_read(). However, it does not properly initialize a local variable (mbwu_arg.val) before passing it, leading to a null pointer dereference inside __ris_msmon_read(). This causes a kernel crash (kernel oops) with a specific call trace.
How can this vulnerability impact me?
The vulnerability can cause the Linux kernel to crash unexpectedly due to a null pointer dereference. This kernel oops can lead to system instability, potential denial of service, and interruption of normal operations on affected systems using the arm_mpam memory bandwidth monitoring feature.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability results in a kernel oops caused by a null pointer dereference in the Linux kernel when restoring memory bandwidth counters. Detection would involve monitoring for kernel oops messages or call traces related to __ris_msmon_read and mpam_restore_mbwu_state.
- Check the kernel logs (e.g., using dmesg) for oops messages or call traces containing __ris_msmon_read and mpam_restore_mbwu_state.
- Use the command: dmesg | grep -E '__ris_msmon_read|mpam_restore_mbwu_state' to filter relevant kernel messages.
- Monitor system stability for unexpected kernel crashes or oops events related to memory bandwidth monitoring.
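The grep above matches any line that mentions either function. The following is an added example (not part of the advisory or the kernel sources) that counts only NULL-dereference oops blocks whose call trace contains both functions. The function names scan_mpam_oops, sample_oops and sample_unrelated, and all sample log lines, are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory: count NULL-dereference oops blocks
# whose call trace contains BOTH functions named above. Reads a kernel log
# on stdin, e.g.:  dmesg | scan_mpam_oops
scan_mpam_oops() {
    awk '
        # Close the current oops block and count it if both symbols were seen.
        function close_block() {
            if (in_oops && r && m) hits++
            in_oops = 0; r = 0; m = 0
        }
        /NULL pointer dereference/            { close_block(); in_oops = 1; next }
        in_oops && /__ris_msmon_read/         { r = 1 }
        in_oops && /mpam_restore_mbwu_state/  { m = 1 }
        in_oops && /end trace/                { close_block() }
        END { close_block(); print hits + 0 }  # also handles a truncated log
    '
}

# Constructed sample: an oops matching the trace the advisory describes.
# Timestamps, offsets and the error code are made up for illustration.
sample_oops() {
    cat <<'EOF'
[  102.500000] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[  102.500010] Internal error: Oops: 0000000096000004 [#1] SMP
[  102.500020] Call trace:
[  102.500030]  __ris_msmon_read+0x1c/0x200
[  102.500040]  mpam_restore_mbwu_state+0x90/0x120
[  102.500050] ---[ end trace 0000000000000000 ]---
EOF
}

# Constructed sample: an unrelated NULL dereference, plus a stray mention of
# one symbol outside any oops. hypothetical_driver_probe is a made-up name.
sample_unrelated() {
    cat <<'EOF'
[   50.000000] tracer: mpam_restore_mbwu_state called
[   60.000000] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
[   60.000010] Call trace:
[   60.000020]  hypothetical_driver_probe+0x10/0x40
[   60.000030] ---[ end trace 0000000000000000 ]---
EOF
}

echo "matching oops blocks:  $(sample_oops | scan_mpam_oops)"
echo "unrelated log matches: $(sample_unrelated | scan_mpam_oops)"
```

If the system rebooted after the crash, feed the previous boot's kernel log instead, for example with journalctl -k -b -1 | scan_mpam_oops on hosts with a persistent journal.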
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been resolved by providing a local variable to avoid null pointer dereference in the kernel code. Immediate mitigation steps include updating the Linux kernel to a version that contains this fix.
- Apply the latest Linux kernel updates or patches that address this specific issue.
- If updating immediately is not possible, consider disabling memory bandwidth monitoring features (MSC) temporarily to avoid triggering the vulnerable code path.
- Monitor kernel logs for related errors and avoid bringing MSC offline and online until patched.