CVE-2026-23128 Overview
A vulnerability has been identified in the Linux kernel's arm64 architecture code, affecting hibernate resume. The issue occurs when swsusp_arch_resume() attempts to verify a Control Flow Integrity (CFI) hash during the hibernate resume process. Because swsusp_arch_suspend_exit() is marked with SYM_CODE_*() and has no CFI hash, the verification fails when a copy of swsusp_arch_suspend_exit() is called, resulting in a Data Abort (DABT) exception.
This vulnerability manifests as a kernel panic during hibernate resume operations on Android-based systems running on arm64 architecture. The crash occurs specifically because of a level 3 translation fault when attempting to access a virtual address during CFI hash verification.
Critical Impact
System instability and kernel crash during hibernate resume on arm64 Android systems, causing denial of service and potential data loss from failed resume operations.
Affected Products
- Linux kernel on arm64 architecture with CFI enabled
- Android-based systems using hibernate/suspend functionality
- Unisoc UMS9360-based devices and similar arm64 platforms
Discovery Timeline
- February 14, 2026 - CVE-2026-23128 published to NVD
- February 18, 2026 - Last updated in NVD database
Technical Details for CVE-2026-23128
Vulnerability Analysis
This vulnerability stems from an architectural incompatibility between the kernel's Control Flow Integrity (CFI) implementation and the hibernate resume code path on arm64 systems. When the system attempts to resume from hibernate, the swsusp_arch_resume() function is invoked to restore the system state. This function attempts to call swsusp_arch_suspend_exit(), which has been relocated to the .hibernate_exit.text section.
The kernel panic occurs at virtual address 0000000109170ffc during the CFI verification process. The crash dump reveals an Internal error (Oops) with ESR value 0x0000000096000007, indicating a Data Abort at the current exception level with a level 3 translation fault (FSC = 0x07). The fault occurs because the CFI implementation attempts to read a hash value from a memory location that is not properly mapped during the hibernate resume context.
The call trace shows the execution path leading to the crash:
- swsusp_arch_resume+0x2ac/0x344
- hibernation_restore+0x158/0x18c
- load_image_and_restore+0xb0/0xec
- software_resume+0xf4/0x19c
Root Cause
The root cause is a conflict between CFI protections and the special requirements of hibernate exit code. The swsusp_arch_suspend_exit() function is intentionally marked with SYM_CODE_*() macros rather than SYM_FUNC_*() macros, which means it does not include CFI metadata. This is by design because the function's entry point must be the first byte of the .hibernate_exit.text section.
However, when CFI is enabled globally, swsusp_arch_resume() still attempts to perform CFI verification when branching to swsusp_arch_suspend_exit(). Since no CFI hash exists for the target function, the verification accesses invalid memory, triggering the Data Abort.
Attack Vector
This is a local denial-of-service vulnerability that requires the ability to trigger hibernate/resume cycles on affected systems. While not directly exploitable for privilege escalation or code execution, an attacker with local access could potentially:
- Trigger repeated hibernate/resume cycles to cause system instability
- Cause data loss by interrupting hibernate resume operations
- Create denial-of-service conditions on embedded devices that rely on hibernate functionality
The vulnerability does not require user interaction beyond initiating the hibernate sequence and is triggered automatically during the resume process.
Detection Methods for CVE-2026-23128
Indicators of Compromise
- Kernel panic logs containing references to swsusp_arch_resume in the call trace
- Data Abort exceptions with ESR values indicating level 3 translation faults during hibernate resume
- System failures specifically occurring during the software resume initcall phase
- Kernel log entries showing "Unable to handle kernel paging request" with virtual addresses in the 0000000109170xxx range
Detection Strategies
- Monitor kernel logs for DABT exceptions occurring during hibernate resume operations
- Implement automated testing of hibernate/resume cycles on arm64 systems with CFI enabled
- Check for kernel panic patterns matching the specific error signature (ESR = 0x0000000096000007)
- Review system logs for failed software resume operations on affected kernel versions
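The signature check described above can be automated over collected kernel logs. The following is an added example, not code from the kernel or from this advisory's source; the function names and the sample log are constructed for illustration, and the log line shapes are assumed to follow the usual arm64 oops format.

```python
import re

# ESR_ELx fields used here: EC = bits [31:26]; data-abort fault status code = bits [5:0].
EC_DABT_CUR_EL = 0x25      # Data Abort taken without a change in exception level
FSC_TRANSLATION_L3 = 0x07  # level 3 translation fault
OOPS_START = re.compile(r"Unable to handle kernel .*at virtual address ([0-9a-f]+)")
ESR_LINE = re.compile(r"\bESR = 0x([0-9a-f]+)")
FRAME = re.compile(r"\b([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")

def decode_esr(esr):
    return {"ec": (esr >> 26) & 0x3F, "fsc": esr & 0x3F}

def find_resume_cfi_oops(log_text):
    """Return the oops records that match the hibernate-resume crash signature."""
    records, cur = [], None
    for line in log_text.splitlines():
        start = OOPS_START.search(line)
        if start:  # each fault report opens a new record
            cur = {"addr": start.group(1), "esr": None, "frames": []}
            records.append(cur)
            continue
        if cur is None:
            continue
        esr, frame = ESR_LINE.search(line), FRAME.search(line)
        if esr and cur["esr"] is None:
            cur["esr"] = int(esr.group(1), 16)
        if frame:
            cur["frames"].append(frame.group(1))
    wanted = {"ec": EC_DABT_CUR_EL, "fsc": FSC_TRANSLATION_L3}
    # The ESR alone is a generic fault code, so the resume frame is required as well.
    return [r for r in records
            if r["esr"] is not None and decode_esr(r["esr"]) == wanted
            and "swsusp_arch_resume" in r["frames"]]

# Constructed sample: oops 1 reuses this page's values; oops 2 is an unrelated fault in a made-up driver.
SAMPLE_LOG = """\
[   12.345678] Unable to handle kernel paging request at virtual address 0000000109170ffc
[   12.345690]   ESR = 0x0000000096000007
[   12.345800] Call trace:
[   12.345811]  swsusp_arch_resume+0x2ac/0x344
[   12.345822]  hibernation_restore+0x158/0x18c
[  301.000001] Unable to handle kernel paging request at virtual address ffff800012345000
[  301.000012]   ESR = 0x0000000096000007
[  301.000023] Call trace:
[  301.000034]  example_driver_read+0x40/0x120
"""

if __name__ == "__main__":
    print([(hex(h["esr"]), h["addr"]) for h in find_resume_cfi_oops(SAMPLE_LOG)])
```

Only the first record is reported: the second carries the same ESR but no swsusp_arch_resume frame, which is why matching on the ESR value alone produces false positives.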
Monitoring Recommendations
- Enable kernel crash dump collection to capture detailed diagnostic information from hibernate-related crashes
- Configure watchdog timers to detect and recover from hibernate resume failures
- Implement health checks that verify successful hibernate/resume cycles on critical systems
- Monitor system uptime metrics for unexpected reboots following hibernate operations
How to Mitigate CVE-2026-23128
Immediate Actions Required
- Apply the kernel patches that mark swsusp_arch_resume() with the __nocfi attribute
- Temporarily disable hibernate functionality on affected arm64 systems until patches are applied
- If hibernate is required, consider disabling CFI temporarily as a workaround (not recommended for production)
- Update to patched kernel versions that include the fix
Patch Information
The fix involves marking the swsusp_arch_resume() function with the __nocfi attribute to disable CFI checking for calls made from this specific function. Multiple kernel commits have been released to address this issue across various stable kernel branches:
- Kernel Commit 122b7cb80f7d
- Kernel Commit 6e32070d29d1
- Kernel Commit 8557bdd9af8d
- Kernel Commit 9773a886f267
- Kernel Commit e2f8216ca2d8
Organizations should apply the appropriate patch for their kernel version from the stable branches.
Workarounds
- Disable hibernate functionality using kernel command line parameters (noresume or nohibernate)
- Configure systems to use suspend-to-RAM instead of hibernate-to-disk where possible
- For development environments, CFI can be disabled at compile time, though this reduces overall security
- Implement alternative power management strategies that do not rely on hibernate functionality
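```bash
# Configuration example
# Disable hibernate via the kernel command line (add to the bootloader configuration)
# GRUB example: edit /etc/default/grub
GRUB_CMDLINE_LINUX="noresume nohibernate"
# Apply changes, then reboot so the new command line takes effect
sudo update-grub
# Alternative: block hibernate requests made through systemd at runtime.
# /sys/power/disk only selects the hibernation mode and has no "disabled" value to write.
sudo systemctl mask hibernate.target hybrid-sleep.target suspend-then-hibernate.target
```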
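To find the hosts that are still inside the affected configuration (arm64, CFI enabled, hibernation built, no noresume/nohibernate workaround), a fleet check can combine the machine type, kernel config and boot command line. This is an added example, not code from the advisory; the function names and inputs are constructed, and the CFI config symbol is assumed to be CONFIG_CFI_CLANG, or CONFIG_CFI on trees that renamed it.

```python
import re

def parse_kconfig(text):
    """Map CONFIG_* symbols to values; '# CONFIG_X is not set' becomes 'n'."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"(CONFIG_\w+)=(.*)", line)
        if m:
            cfg[m.group(1)] = m.group(2).strip('"')
            continue
        m = re.fullmatch(r"# (CONFIG_\w+) is not set", line)
        if m:
            cfg[m.group(1)] = "n"
    return cfg

def resume_crash_preconditions(machine, kconfig_text, cmdline):
    """List why a host is outside the affected configuration (empty list = inside it)."""
    cfg = parse_kconfig(kconfig_text)
    params = {tok.split("=", 1)[0] for tok in cmdline.split()}
    reasons = []
    if machine not in ("aarch64", "arm64"):
        reasons.append("not arm64")
    # Assumption: kernel CFI is CONFIG_CFI_CLANG, or CONFIG_CFI on trees that renamed it.
    if "y" not in (cfg.get("CONFIG_CFI_CLANG"), cfg.get("CONFIG_CFI")):
        reasons.append("CFI not enabled")
    if cfg.get("CONFIG_HIBERNATION") != "y":
        reasons.append("hibernation not built")
    blocked = sorted(params & {"nohibernate", "noresume"})
    if blocked:
        reasons.append("boot parameter set: " + ", ".join(blocked))
    return reasons

# Constructed inputs standing in for `uname -m`, the kernel config and /proc/cmdline.
KCONFIG_CFI = "CONFIG_ARM64=y\nCONFIG_CFI_CLANG=y\nCONFIG_HIBERNATION=y\n"
KCONFIG_NO_CFI = "# CONFIG_CFI_CLANG is not set\nCONFIG_HIBERNATION=y\n"

if __name__ == "__main__":
    print(resume_crash_preconditions("aarch64", KCONFIG_CFI, "console=ttyS0 root=/dev/sda2"))
    print(resume_crash_preconditions("aarch64", KCONFIG_CFI, "console=ttyS0 noresume nohibernate"))
    print(resume_crash_preconditions("x86_64", KCONFIG_NO_CFI, "quiet"))
```

An empty result means the configuration matches the affected one; it does not show whether the __nocfi fix is present, which still has to be confirmed against the kernel version or source tree.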


