{ "threat_severity" : "Moderate", "public_date" : "2026-03-18T00:00:00Z", "bugzilla" : { "description" : "kernel: Kernel: Denial of Service via DVB DVR ringbuffer reinitialization flaw", "id" : "2448685", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2448685" }, "cvss3" : { "cvss3_base_score" : "6.2", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H", "status" : "draft" }, "cwe" : "CWE-664", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmedia: dvb-core: fix wrong reinitialization of ringbuffer on reopen\ndvb_dvr_open() calls dvb_ringbuffer_init() when a new reader opens the\nDVR device. dvb_ringbuffer_init() calls init_waitqueue_head(), which\nreinitializes the waitqueue list head to empty.\nSince dmxdev->dvr_buffer.queue is a shared waitqueue (all opens of the\nsame DVR device share it), this orphans any existing waitqueue entries\nfrom io_uring poll or epoll, leaving them with stale prev/next pointers\nwhile the list head is reset to {self, self}.\nThe waitqueue and spinlock in dvr_buffer are already properly\ninitialized once in dvb_dmxdev_init(). The open path only needs to\nreset the buffer data pointer, size, and read/write positions.\nReplace the dvb_ringbuffer_init() call in dvb_dvr_open() with direct\nassignment of data/size and a call to dvb_ringbuffer_reset(), which\nproperly resets pread, pwrite, and error with correct memory ordering\nwithout touching the waitqueue or spinlock.", "A flaw was found in the Linux kernel's Digital Video Broadcast (DVB) Digital Video Recorder (DVR) subsystem. A local user can exploit this vulnerability by performing local file operations on the DVR device. This occurs because the dvb_dvr_open function incorrectly reinitializes a shared ringbuffer's waitqueue, leading to orphaned entries and list corruption. This can result in kernel crashes or other unexpected behavior, causing a Denial of Service (DoS)." ], "statement" : "A kernel bug in the DVB DVR open path can corrupt a shared waitqueue because dvb_dvr_open reinitializes the ringbuffer using dvb_ringbuffer_init on every new reader. The ringbuffer init routine resets the waitqueue head even though the waitqueue is shared across all opens of the same DVR device. If there are existing waitqueue entries from epoll or io_uring poll, reinitializing the list head can orphan those entries and leave them with stale prev and next pointers. This can lead to list corruption and later kernel crashes or other unexpected behavior when the stale entries are processed. The issue is not network reachable and is triggered by local file operations on the DVR device.", "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Fix deferred", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23253\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23253\nhttps://lore.kernel.org/linux-cve-announce/2026031846-CVE-2026-23253-b1c6@gregkh/T" ], "name" : "CVE-2026-23253", "mitigation" : { "value" : "To mitigate this issue, prevent module dvb-core from being loaded. Please see https://access.redhat.com/solutions/41278 for how to blacklist a kernel module to prevent it from loading automatically.", "lang" : "en:us" }, "csaw" : false }