#VU124205 Resource exhaustion in Linux kernel - CVE-2026-23244

 


Published: March 20, 2026


Vulnerability identifier: #VU124205
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23244
CWE-ID: CWE-400
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software:
Linux kernel
Software vendor:
Linux Foundation

Description

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in the nvme_pr_read_keys() function when processing a user-provided num_keys value. A local user can send a specially crafted request with a large num_keys value to cause excessive memory allocation attempts, leading to a denial of service.

Exploitation requires local system access and the ability to invoke NVMe ioctl commands. No authentication beyond standard system access is required.
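The bug class described above, shown as an added userspace example that is neither kernel code nor part of the original advisory: a caller-supplied key count is checked against a cap before it is allowed to size a reply buffer. The struct layout, the function names and the MAX_KEYS limit are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical reply layout: fixed header plus one entry per requested key. */
struct key_entry { uint8_t raw[64]; };
struct key_reply { uint8_t header[64]; struct key_entry entries[]; };

/* Assumed policy cap; not a value taken from the advisory or the kernel. */
#define MAX_KEYS 1024u

/* "Before": the requested size scales with an unvalidated caller value. */
static uint64_t reply_len_unchecked(uint32_t num_keys)
{
    return sizeof(struct key_reply) + (uint64_t)num_keys * sizeof(struct key_entry);
}

/* "After": reject counts above the cap before any size is computed. */
static int reply_len_checked(uint32_t num_keys, size_t *len)
{
    if (num_keys > MAX_KEYS)
        return -EINVAL;
    *len = sizeof(struct key_reply) + (size_t)num_keys * sizeof(struct key_entry);
    return 0;
}

/* Allocate the reply buffer only after the count has been validated. */
static struct key_reply *alloc_reply(uint32_t num_keys, int *err)
{
    size_t len = 0;
    struct key_reply *r;

    *err = reply_len_checked(num_keys, &len);
    if (*err)
        return NULL;
    r = calloc(1, len);
    if (!r)
        *err = -ENOMEM;
    return r;
}

int main(void)
{
    int err;
    struct key_reply *r = alloc_reply(UINT32_MAX, &err);
    printf("unchecked=%llu bytes, checked err=%d\n",
           (unsigned long long)reply_len_unchecked(UINT32_MAX), err);
    free(r);
    return 0;
}
```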


Remediation

Install the security update from the vendor's repository.
