Main Vulnerability Database Vulnerabilities #VU124474

Improper Synchronization in Linux kernel - CVE-2026-23361

Published: March 25, 2026

Vulnerability identifier: #VU124474

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2026-23361

CWE-ID: CWE-662

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: Linux Foundation

Affected software:
Linux kernel

Detailed vulnerability description

The vulnerability allows a local user to cause a denial of service, disclose sensitive information, and potentially execute arbitrary code.

The vulnerability exists due to improper synchronization in the PCI driver's MSI-X interrupt handling when unmapping the outbound ATU entry. A local user can trigger the dw_pcie_ep_raise_msix_irq() function to raise an MSI-X interrupt via a posted write transaction that may not complete before the associated ATU entry is unmapped, leading to memory corruption or IOMMU faults.

The issue arises because the writel() operation used to generate the PCI posted write transaction can return before the write reaches its destination, creating a race condition with the subsequent unmap operation. This can result in memory corruption on the host system, including potential access to unauthorized memory regions or system instability.

How to mitigate CVE-2026-23361

Install security update from vendor's repository.

Improper Synchronization in Linux kernel - CVE-2026-23361

Detailed vulnerability description

How to mitigate CVE-2026-23361

Sources

Please verify you're human