{
  "threat_severity" : "Moderate",
  "public_date" : "2026-03-25T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: cxl: Fix race of nvdimm_bus object when creating nvdimm objects",
    "id" : "2451259",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2451259"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-820",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\ncxl: Fix race of nvdimm_bus object when creating nvdimm objects\nFound issue during running of cxl-translate.sh unit test. Adding a 3s\nsleep right before the test seems to make the issue reproduce fairly\nconsistently. The cxl_translate module has dependency on cxl_acpi and\ncauses orphaned nvdimm objects to reprobe after cxl_acpi is removed.\nThe nvdimm_bus object is registered by the cxl_nvb object when\ncxl_acpi_probe() is called. With the nvdimm_bus object missing,\n__nd_device_register() will trigger NULL pointer dereference when\naccessing the dev->parent that points to &nvdimm_bus->dev.\n[  192.884510] BUG: kernel NULL pointer dereference, address: 000000000000006c\n[  192.895383] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS edk2-20250812-19.fc42 08/12/2025\n[  192.897721] Workqueue: cxl_port cxl_bus_rescan_queue [cxl_core]\n[  192.899459] RIP: 0010:kobject_get+0xc/0x90\n[  192.924871] Call Trace:\n[  192.925959]  <TASK>\n[  192.926976]  ? pm_runtime_init+0xb9/0xe0\n[  192.929712]  __nd_device_register.part.0+0x4d/0xc0 [libnvdimm]\n[  192.933314]  __nvdimm_create+0x206/0x290 [libnvdimm]\n[  192.936662]  cxl_nvdimm_probe+0x119/0x1d0 [cxl_pmem]\n[  192.940245]  cxl_bus_probe+0x1a/0x60 [cxl_core]\n[  192.943349]  really_probe+0xde/0x380\nThis patch also relies on the previous change where\ndevm_cxl_add_nvdimm_bridge() is called from drivers/cxl/pmem.c instead\nof drivers/cxl/core.c to ensure the dependency of cxl_acpi on cxl_pmem.\n1. Set probe_type of cxl_nvb to PROBE_FORCE_SYNCHRONOUS to ensure the\ndriver is probed synchronously when add_device() is called.\n2. Add a check in __devm_cxl_add_nvdimm_bridge() to ensure that the\ncxl_nvb driver is attached during cxl_acpi_probe().\n3. Take the cxl_root uport_dev lock and the cxl_nvb->dev lock in\ndevm_cxl_add_nvdimm() before checking nvdimm_bus is valid.\n4. Set cxl_nvdimm flag to CXL_NVD_F_INVALIDATED so cxl_nvdimm_probe()\nwill exit with -EBUSY.\nThe removal of cxl_nvdimm devices should prevent any orphaned devices\nfrom probing once the nvdimm_bus is gone.\n[ dj: Fixed 0-day reported kdoc issue. ]\n[ dj: Fix cxl_nvb reference leak on error. Gregory (kreview-0811365) ]", "A flaw was found in the Linux kernel, specifically within the CXL (Compute Express Link) and NVDIMM (Non-Volatile Dual In-line Memory Module) subsystems. A race condition can occur when NVDIMM objects attempt to reprobe after the `cxl_acpi` module is removed, while the `nvdimm_bus` object is missing. This can lead to a null pointer dereference, causing the system to crash and resulting in a Denial of Service (DoS)." ],
  "statement" : "This flaw affects systems with CXL memory devices and NVDIMM support. The race occurs during module unload/reload sequences when orphaned nvdimm objects reprobe after cxl_acpi removal. The missing nvdimm_bus causes NULL dereference in __nd_device_register(). Primarily affects CXL-capable systems during module operations.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-23348\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23348\nhttps://lore.kernel.org/linux-cve-announce/2026032536-CVE-2026-23348-e792@gregkh/T" ],
  "name" : "CVE-2026-23348",
  "csaw" : false
}