Use of Uninitialized Variable in Linux kernel - CVE-2026-23358

 

Use of Uninitialized Variable in Linux kernel - CVE-2026-23358

Published: March 25, 2026


Vulnerability identifier: #VU124488
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23358
CWE-ID: CWE-457
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel

Detailed vulnerability description

The vulnerability allows a local user to execute arbitrary code and escalate privileges.

The vulnerability exists due to improper initialization in the DRM/AMDGPU subsystem when handling error conditions during slot reset. A local user can trigger a use of uninitialized memory to execute arbitrary code and escalate privileges.

The issue arises from an uninitialized hive pointer and list, which may be accessed if the device fails to recover after a slot reset, leading to memory corruption.


How to mitigate CVE-2026-23358

Install security update from vendor's repository.

Sources