CVE-2026-23236 (GCVE-0-2026-23236)
Vulnerability from cvelistv5 – Published: 2026-03-04 14:36 – Updated: 2026-03-04 14:36
VLAI?
Title
fbdev: smscufx: properly copy ioctl memory to kernelspace
Summary
In the Linux kernel, the following vulnerability has been resolved:
fbdev: smscufx: properly copy ioctl memory to kernelspace
The UFX_IOCTL_REPORT_DAMAGE ioctl does not properly copy data from
userspace to kernelspace, and instead directly references the memory,
which can cause problems if invalid data is passed from userspace. Fix
this all up by correctly copying the memory before accessing it within
the kernel.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 061cfeb560aa3ddc174153dbe5be9d0b55eb7248
(git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6167af934f956d3ae1e06d61f45cd0d1004bbe1a (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a0321e6e58facb39fe191caa0e52ed9aab6a48fe (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0634e8d650993602fc5b389ff7ac525f6542e141 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 52917e265aa5f848212f60fc50fc504d8ef12866 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1c008ad0f0d1c1523902b9cdb08e404129677bfc (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f1e91bd4efeae48b0f42caed7e8ce2e3a0d05b02 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 120adae7b42faa641179270c067864544a50ab69 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/smscufx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "061cfeb560aa3ddc174153dbe5be9d0b55eb7248",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "6167af934f956d3ae1e06d61f45cd0d1004bbe1a",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "a0321e6e58facb39fe191caa0e52ed9aab6a48fe",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "0634e8d650993602fc5b389ff7ac525f6542e141",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "52917e265aa5f848212f60fc50fc504d8ef12866",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "1c008ad0f0d1c1523902b9cdb08e404129677bfc",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "f1e91bd4efeae48b0f42caed7e8ce2e3a0d05b02",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
},
{
"lessThan": "120adae7b42faa641179270c067864544a50ab69",
"status": "affected",
"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"drivers/video/fbdev/smscufx.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.251",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.201",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"version": "6.1.164",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"version": "6.6.127",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.12.*",
"status": "unaffected",
"version": "6.12.74",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.18.*",
"status": "unaffected",
"version": "6.18.13",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.19.*",
"status": "unaffected",
"version": "6.19.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "7.0-rc1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.251",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.201",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1.164",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.6.127",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.12.74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.18.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.19.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "7.0-rc1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: smscufx: properly copy ioctl memory to kernelspace\n\nThe UFX_IOCTL_REPORT_DAMAGE ioctl does not properly copy data from\nuserspace to kernelspace, and instead directly references the memory,\nwhich can cause problems if invalid data is passed from userspace. Fix\nthis all up by correctly copying the memory before accessing it within\nthe kernel."
}
],
"providerMetadata": {
"dateUpdated": "2026-03-04T14:36:40.162Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/061cfeb560aa3ddc174153dbe5be9d0b55eb7248"
},
{
"url": "https://git.kernel.org/stable/c/6167af934f956d3ae1e06d61f45cd0d1004bbe1a"
},
{
"url": "https://git.kernel.org/stable/c/a0321e6e58facb39fe191caa0e52ed9aab6a48fe"
},
{
"url": "https://git.kernel.org/stable/c/0634e8d650993602fc5b389ff7ac525f6542e141"
},
{
"url": "https://git.kernel.org/stable/c/52917e265aa5f848212f60fc50fc504d8ef12866"
},
{
"url": "https://git.kernel.org/stable/c/1c008ad0f0d1c1523902b9cdb08e404129677bfc"
},
{
"url": "https://git.kernel.org/stable/c/f1e91bd4efeae48b0f42caed7e8ce2e3a0d05b02"
},
{
"url": "https://git.kernel.org/stable/c/120adae7b42faa641179270c067864544a50ab69"
}
],
"title": "fbdev: smscufx: properly copy ioctl memory to kernelspace",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2026-23236",
"datePublished": "2026-03-04T14:36:40.162Z",
"dateReserved": "2026-01-13T15:37:45.988Z",
"dateUpdated": "2026-03-04T14:36:40.162Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-23236\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-03-04T15:16:14.173\",\"lastModified\":\"2026-03-04T18:08:05.730\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nfbdev: smscufx: properly copy ioctl memory to kernelspace\\n\\nThe UFX_IOCTL_REPORT_DAMAGE ioctl does not properly copy data from\\nuserspace to kernelspace, and instead directly references the memory,\\nwhich can cause problems if invalid data is passed from userspace. Fix\\nthis all up by correctly copying the memory before accessing it within\\nthe kernel.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/061cfeb560aa3ddc174153dbe5be9d0b55eb7248\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/0634e8d650993602fc5b389ff7ac525f6542e141\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/120adae7b42faa641179270c067864544a50ab69\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/1c008ad0f0d1c1523902b9cdb08e404129677bfc\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/52917e265aa5f848212f60fc50fc504d8ef12866\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6167af934f956d3ae1e06d61f45cd0d1004bbe1a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/a0321e6e58facb39fe191caa0e52ed9aab6a48fe\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f1e91bd4efeae48b0f42caed7e8ce2e3a0d05b02\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…