CVE-2026-23094 Overview
CVE-2026-23094 is a vulnerability in the Linux kernel's uacce (Unified/User-space-access intended Accelerator Framework) subsystem that affects the device isolation feature's sysfs interface. The vulnerability exists in the check condition for creating sysfs files related to device isolation error threshold configuration.
The uacce subsystem supports a device isolation feature that creates sysfs files when drivers implement isolate_err_threshold_read and isolate_err_threshold_write callback functions. Users can read and configure isolation policies through these sysfs interfaces. However, the current implementation creates sysfs files when either callback function is present, without properly validating that both functions exist before allowing access.
Critical Impact
Accessing a non-existent callback function through the sysfs interface may cause system crashes, resulting in denial of service conditions on affected Linux systems.
Affected Products
- Linux kernel with uacce subsystem enabled
- Systems utilizing Unified/User-space-access intended Accelerator Framework
- Linux distributions with accelerator device isolation features
Discovery Timeline
- 2026-02-04 - CVE CVE-2026-23094 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2026-23094
Vulnerability Analysis
This vulnerability represents a Null Pointer Dereference issue in the Linux kernel's uacce subsystem. The core problem lies in how the sysfs interface handles callback function validation for device isolation features.
When a driver implements the device isolation feature, it may provide one or both of the isolate_err_threshold_read and isolate_err_threshold_write callback functions. The original implementation would create sysfs files as long as either callback was present, but failed to properly intercept operations at the call site when attempting to invoke a non-existent callback.
This means if a driver only implements the read callback but not the write callback (or vice versa), a user attempting to perform the unsupported operation through sysfs would trigger an attempt to call a NULL function pointer, resulting in a kernel crash.
Root Cause
The root cause is an improper check condition in the uacce sysfs creation logic. The code failed to:
- Properly validate that neither read nor write callbacks exist before allowing sysfs file creation
- Intercept unsupported operations at the call site when only one callback is implemented
The fix addresses this by implementing a two-pronged approach: intercepting sysfs creation if neither read nor write callback exists, and intercepting unsupported operations at the call site when the sysfs is created with partial callback support.
Attack Vector
The vulnerability can be triggered through the sysfs interface. An attacker with local access to the system could:
- Identify systems with uacce drivers that implement only partial callback functions (either read or write, but not both)
- Access the sysfs interface for device isolation configuration
- Attempt to perform an operation (read or write) that corresponds to the non-existent callback
- Trigger a kernel panic due to the NULL pointer dereference
This requires local access to the system and the ability to interact with the sysfs interface, typically requiring elevated privileges or specific group membership.
The vulnerability mechanism involves improper callback function validation in the uacce sysfs creation logic. When sysfs files are created with partial callback support and an unsupported operation is attempted, the kernel attempts to invoke a NULL function pointer. For detailed implementation specifics, refer to the kernel git commits linked in the external references.
Detection Methods for CVE-2026-23094
Indicators of Compromise
- Unexpected kernel panics or oops messages related to uacce or accelerator device drivers
- System crashes occurring when users interact with /sys/class/uacce/ directory entries
- Kernel log entries showing NULL pointer dereference in uacce-related code paths
- Anomalous read/write attempts to isolation threshold sysfs files
Detection Strategies
- Monitor kernel logs for NULL pointer dereference errors in uacce subsystem functions
- Implement system monitoring for unexpected crashes in systems with accelerator devices
- Use kernel debugging tools to track sysfs access patterns to uacce device entries
- Deploy crash dump analysis to identify exploitation attempts
Monitoring Recommendations
- Enable kernel crash dump collection for forensic analysis
- Monitor sysfs access to /sys/class/uacce/*/isolate_err_threshold files
- Implement auditd rules to log access to uacce sysfs interfaces
- Configure alerting for kernel oops or panic events on systems with accelerator hardware
How to Mitigate CVE-2026-23094
Immediate Actions Required
- Apply the kernel patches from the stable kernel git repository immediately
- Restrict access to the uacce sysfs interface to authorized users only
- Monitor systems for crash events that may indicate exploitation attempts
- Consider disabling uacce functionality if not required until patches are applied
Patch Information
The Linux kernel team has released fixes through multiple commits to address this vulnerability. The patches implement proper validation of callback functions and intercept unsupported operations at the call site.
Available patch commits:
- Kernel Git Commit 82821a6
- Kernel Git Commit 98eec34
- Kernel Git Commit 9ab05cd
- Kernel Git Commit fdbbb47
System administrators should update to the latest stable kernel version that includes these fixes.
Workarounds
- Restrict sysfs access permissions to prevent unauthorized users from accessing uacce device interfaces
- Remove or disable uacce kernel module if accelerator device isolation features are not required
- Implement mandatory access control policies (SELinux/AppArmor) to limit access to affected sysfs entries
- Monitor and alert on any access attempts to the affected sysfs paths
# Restrict access to uacce sysfs (temporary workaround)
# This limits access to root user only
chmod 600 /sys/class/uacce/*/isolate_err_threshold 2>/dev/null
# Alternatively, disable the uacce module if not needed
modprobe -r uacce
# Add to modprobe blacklist for persistence
echo "blacklist uacce" >> /etc/modprobe.d/blacklist-uacce.conf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
