CVE-2026-23183 Overview
A NULL pointer dereference vulnerability has been discovered in the Linux kernel's cgroup/dmem subsystem. The issue occurs when setting the dmem.max control file without providing a valid limitation value. This results in an invalid memory access during the strcmp() function call within the dmemcg_limit_write() handler, causing a kernel panic and system crash.
Critical Impact
Local users with access to cgroup control files can trigger a kernel NULL pointer dereference, causing a denial of service condition through system crash.
Affected Products
- Linux kernel versions with cgroup/dmem subsystem (kernel 6.19.0-rc6 and related versions confirmed affected)
- Systems utilizing device memory cgroup controllers
- QEMU virtualized environments running affected kernel versions
Discovery Timeline
- 2026-02-14 - CVE-2026-23183 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-23183
Vulnerability Analysis
This vulnerability represents a classic NULL pointer dereference condition in the Linux kernel's cgroup device memory management subsystem. The flaw exists in the dmemcg_limit_write() function, which handles write operations to the dmem.max control file. When a user writes a value in the format test/region0 without specifying a proper limitation, the function fails to properly validate the parsed options before attempting to use them in a string comparison operation.
The kernel stack trace reveals that the crash occurs at RIP: 0010:strcmp+0x10/0x30, where the function receives a NULL pointer in the RDI register (0x0000000000000000) as the first argument. This indicates that the region_name parsing did not properly handle the edge case where options may be absent or invalid after parsing.
The vulnerability can be exploited by any local user with write access to the cgroup control files, making it a significant concern for multi-tenant environments and containerized deployments where cgroup isolation is relied upon for resource management.
Root Cause
The root cause is insufficient input validation in the dmemcg_limit_write() function. After parsing the region_name from user input, the code proceeds to use the parsed options in a strcmp() call without first verifying that the options pointer is non-NULL. When a user provides input like echo test/region0 > dmem.max without a proper limitation value, the parsing logic results in a NULL options pointer that is subsequently dereferenced.
The fix, as referenced in the kernel git commits, adds a check to verify whether the options pointer is valid after parsing the region_name before proceeding with string comparison operations.
Attack Vector
The attack vector is local and requires the attacker to have write access to the cgroup dmem.max control file. The exploitation is straightforward:
- Attacker identifies a system with cgroup/dmem support enabled
- Attacker gains access to write to the dmem.max cgroup control file
- Attacker writes a malformed value without a proper limitation (e.g., echo test/region0 > dmem.max)
- The kernel attempts to parse and process the input, triggering the NULL pointer dereference
- System crashes with a kernel panic, resulting in denial of service
The vulnerability triggers through the following call chain: ksys_write() → vfs_write() → kernfs_fop_write_iter() → dmemcg_limit_write.constprop.0() → strcmp() where the NULL dereference occurs.
Detection Methods for CVE-2026-23183
Indicators of Compromise
- Kernel panic messages containing "BUG: kernel NULL pointer dereference, address: 0000000000000000"
- Stack traces showing dmemcg_limit_write in the call chain
- System crashes associated with cgroup operations or writes to dmem.max files
- Suspicious write operations to cgroup dmem control files from unexpected users or processes
Detection Strategies
- Monitor kernel logs for NULL pointer dereference errors originating from dmemcg_limit_write or strcmp functions
- Implement auditd rules to track write operations to cgroup dmem.max files
- Deploy kernel module or eBPF-based monitoring for cgroup control file access patterns
- Use SentinelOne's Singularity platform to detect anomalous cgroup operations that may indicate exploitation attempts
Monitoring Recommendations
- Enable kernel crash dump collection to capture forensic data from exploitation attempts
- Configure logging for cgroup namespace events and control file modifications
- Monitor for repeated system crashes or unexpected reboots that may indicate active exploitation
- Implement SentinelOne's behavioral AI to detect unusual patterns in container or cgroup management activities
How to Mitigate CVE-2026-23183
Immediate Actions Required
- Apply the kernel patches referenced in the security commits as soon as possible
- Restrict access to cgroup control files using appropriate file permissions and SELinux/AppArmor policies
- Limit which users and processes can write to dmem.max cgroup files
- Consider temporarily disabling the cgroup/dmem subsystem if not required for operations
Patch Information
Security patches have been committed to the Linux kernel stable branches. The fixes are available in the following commits:
The patch adds validation to check whether the options pointer is valid after parsing the region_name, preventing the NULL pointer from being passed to strcmp().
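Added example, not taken from the kernel source or the referenced commits: a user-space C model of the check described under Root Cause and Patch Information. The function and variable names are hypothetical, the split is written so that a line with no limit leaves the options pointer NULL as described above, and only "max" or a decimal byte count is accepted as a limit.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * User-space model (hypothetical names) of parsing one "<region> <limit>"
 * line as written to dmem.max. Assumption: the split leaves the remainder
 * pointer NULL when no separator follows the region name.
 */
int parse_dmem_limit(char *line, const char **region, uint64_t *limit)
{
    char *sep = strpbrk(line, " \t");
    char *options = NULL;          /* stays NULL for "test/region0" */
    char *end;

    if (sep) {
        *sep = '\0';
        options = sep + 1 + strspn(sep + 1, " \t");
    }
    if (!line[0])
        return -EINVAL;            /* empty region name */

    /* Unpatched pattern: strcmp(options, "max") runs here with
     * options == NULL. This guard models the added validation. */
    if (!options || !options[0])
        return -EINVAL;

    *region = line;
    if (strcmp(options, "max") == 0) {
        *limit = UINT64_MAX;
        return 0;
    }
    if (options[0] < '0' || options[0] > '9')
        return -EINVAL;            /* strtoull would accept "-1" */
    errno = 0;
    *limit = strtoull(options, &end, 10);
    return (errno || *end != '\0') ? -EINVAL : 0;
}

/* Convenience wrapper: parse a writable copy of a constant string. */
int parse_dmem_limit_copy(const char *input, uint64_t *limit)
{
    char buf[128];
    const char *region;

    if (strlen(input) >= sizeof(buf))
        return -EINVAL;
    strcpy(buf, input);
    return parse_dmem_limit(buf, &region, limit);
}
```

With the guard in place, a region name with no limit is rejected with -EINVAL before any string comparison takes place.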
Workarounds
- Restrict access to cgroup control files by adjusting file permissions (e.g., chmod 600 on dmem.max files)
- Use mandatory access control frameworks (SELinux, AppArmor) to limit write access to cgroup files
- Disable the cgroup/dmem controller if not required using kernel boot parameters
- Implement namespace isolation to prevent untrusted users from accessing cgroup control files
# Restrict access to existing cgroup dmem.max files
# (cgroups created later get default modes, so re-run as needed)
find /sys/fs/cgroup -name "dmem.max" -exec chmod 600 {} \;
# Example AppArmor rule to restrict dmem.max access
# Add to appropriate profile:
# deny /sys/fs/cgroup/**/dmem.max w,


