Improper input validation in Linux kernel - CVE-2026-23424

 

Improper input validation in Linux kernel - CVE-2026-23424

Published: April 6, 2026


Vulnerability identifier: #VU124947
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23424
CWE-ID: CWE-20
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel

Detailed vulnerability description

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper input validation in the command buffer payload count handling in accel/amdxdna when parsing input. A local user can provide a specially crafted command buffer with an invalid payload count to cause a denial of service.

The issue is caused by using the count field in the command header to determine the valid payload size without ensuring that the payload does not exceed the remaining buffer space.


How to mitigate CVE-2026-23424

Install security update from vendor's repository.

Sources