Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

DEBIAN-CVE-2026-23327

In the Linux kernel, the following vulnerability has been resolved: cxl/mbox: validate payload size before accessing contents in cxl_payload_from_user_allowed() cxl_payload_from_user_allowed() casts...
Back to all
CVE

DEBIAN-CVE-2026-23327

In the Linux kernel, the following vulnerability has been resolved: cxl/mbox: validate payload size before accessing contents in cxl_payload_from_user_allowed() cxl_payload_from_user_allowed() casts...

In the Linux kernel, the following vulnerability has been resolved:  cxl/mbox: validate payload size before accessing contents in cxlpayloadfromuserallowed()  cxlpayloadfromuserallowed() casts and dereferences the input payload without first verifying its size. When a raw mailbox command is sent with an undersized payload (ie: 1 byte for CXLMBOXOPCLEARLOG, which expects a 16-byte UUID), uuidequal() reads past the allocated buffer, triggering a KASAN splat:  BUG: KASAN: slab-out-of-bounds in memcmp+0x176/0x1d0 lib/string.c:683 Read of size 8 at addr ffff88810130f5c0 by task syz.1.62/2258  CPU: 2 UID: 0 PID: 2258 Comm: syz.1.62 Not tainted 6.19.0-dirty #3 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 Call Trace:  <TASK>  dumpstack lib/dumpstack.c:94 [inline]  dumpstacklvl+0xab/0xe0 lib/dumpstack.c:120  printaddressdescription mm/kasan/report.c:378 [inline]  printreport+0xce/0x650 mm/kasan/report.c:482  kasanreport+0xce/0x100 mm/kasan/report.c:595  memcmp+0x176/0x1d0 lib/string.c:683  uuidequal include/linux/uuid.h:73 [inline]  cxlpayloadfromuserallowed drivers/cxl/core/mbox.c:345 [inline]  cxlmboxcmdctor drivers/cxl/core/mbox.c:368 [inline]  cxlvalidatecmdfromuser drivers/cxl/core/mbox.c:522 [inline]  cxlsendcmd+0x9c0/0xb50 drivers/cxl/core/mbox.c:643  cxlmemdevioctl drivers/cxl/core/memdev.c:698 [inline]  cxlmemdevioctl+0x14f/0x190 drivers/cxl/core/memdev.c:713  vfsioctl fs/ioctl.c:51 [inline]  dosysioctl fs/ioctl.c:597 [inline]  sesysioctl fs/ioctl.c:583 [inline]  x64sysioctl+0x18e/0x210 fs/ioctl.c:583  dosyscallx64 arch/x86/entry/syscall64.c:63 [inline]  dosyscall64+0xa8/0x330 arch/x86/entry/syscall64.c:94  entrySYSCALL64afterhwframe+0x77/0x7f RIP: 0033:0x7fdaf331ba79 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fdaf1d77038 EFLAGS: 00000246 ORIGRAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fdaf3585fa0 RCX: 00007fdaf331ba79 RDX: 00002000000001c0 RSI: 00000000c030ce02 RDI: 0000000000000003 RBP: 00007fdaf33749df R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fdaf3586038 R14: 00007fdaf3585fa0 R15: 00007ffced2af768  </TASK>  Add 'insize' parameter to cxlpayloadfromuser_allowed() and validate the payload is large enough.

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
-
C
H
U
0
-
3.1
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
C
H
U
-

Related Resources

No items found.

References

https://security-tracker.debian.org/tracker/CVE-2026-23327

Severity

7.1

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
7.1
EPSS Probability
0%
EPSS Percentile
0%
Introduced Version
0
Fix Available
6.19.8-1

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading