CVE-2026-23305 - Vulnerability Details - OpenCVE

In the Linux kernel, the following vulnerability has been resolved: accel/rocket: fix unwinding in error path in rocket_probe When rocket_core_init() fails (as could be the case with EPROBE_DEFER), we need to properly unwind by decrementing the counter we just incremented and if this is the first core we failed to probe, remove the rocket DRM device with rocket_device_fini() as well. This matches the logic in rocket_remove(). Failing to properly unwind results in out-of-bounds accesses.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Linux	Linux Kernel

No data.

No data.

No data.

References

Link	Providers
https://git.kernel.org/stable/c/34f4495a7f72895776b81969639f527c99eb12b9
https://git.kernel.org/stable/c/7fc4b49474c836cee7d9801abf05e0198fcbfa74
https://git.kernel.org/stable/c/eeaf28c8f4defe371a008a5ddefaf18abf534f81

History

Wed, 25 Mar 2026 10:45:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: accel/rocket: fix unwinding in error path in rocket_probe When rocket_core_init() fails (as could be the case with EPROBE_DEFER), we need to properly unwind by decrementing the counter we just incremented and if this is the first core we failed to probe, remove the rocket DRM device with rocket_device_fini() as well. This matches the logic in rocket_remove(). Failing to properly unwind results in out-of-bounds accesses.
Title		accel/rocket: fix unwinding in error path in rocket_probe
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/34f4495a7f72895776b81969639f527c99eb12b9 https://git.kernel.org/stable/c/7fc4b49474c836cee7d9801abf05e0198fcbfa74 https://git.kernel.org/stable/c/eeaf28c8f4defe371a008a5ddefaf18abf534f81

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-03-25T10:27:00.612Z

Updated: 2026-03-25T10:27:00.612Z

Reserved: 2026-01-13T15:37:45.993Z

Link: CVE-2026-23305

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-25T11:16:26.347

Modified: 2026-03-25T11:16:26.347

Link: CVE-2026-23305

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23305", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.993Z", "datePublished": "2026-03-25T10:27:00.612Z", "dateUpdated": "2026-03-25T10:27:00.612Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:27:00.612Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/rocket: fix unwinding in error path in rocket_probe\n\nWhen rocket_core_init() fails (as could be the case with EPROBE_DEFER),\nwe need to properly unwind by decrementing the counter we just\nincremented and if this is the first core we failed to probe, remove the\nrocket DRM device with rocket_device_fini() as well. This matches the\nlogic in rocket_remove(). Failing to properly unwind results in\nout-of-bounds accesses."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/accel/rocket/rocket_drv.c"], "versions": [{"version": "0810d5ad88a18f1e6d549853a388ad0316f74e36", "lessThan": "7fc4b49474c836cee7d9801abf05e0198fcbfa74", "status": "affected", "versionType": "git"}, {"version": "0810d5ad88a18f1e6d549853a388ad0316f74e36", "lessThan": "eeaf28c8f4defe371a008a5ddefaf18abf534f81", "status": "affected", "versionType": "git"}, {"version": "0810d5ad88a18f1e6d549853a388ad0316f74e36", "lessThan": "34f4495a7f72895776b81969639f527c99eb12b9", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/accel/rocket/rocket_drv.c"], "versions": [{"version": "6.18", "status": "affected"}, {"version": "0", "lessThan": "6.18", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc1", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.18", "versionEndExcluding": "7.0-rc1"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/7fc4b49474c836cee7d9801abf05e0198fcbfa74"}, {"url": "https://git.kernel.org/stable/c/eeaf28c8f4defe371a008a5ddefaf18abf534f81"}, {"url": "https://git.kernel.org/stable/c/34f4495a7f72895776b81969639f527c99eb12b9"}], "title": "accel/rocket: fix unwinding in error path in rocket_probe", "x_generator": {"engine": "bippy-1.2.0"}}}}