CVE-2026-23221 Overview
CVE-2026-23221 is a use-after-free vulnerability in the Linux kernel's Freescale Management Complex (fsl-mc) bus driver. The flaw resides in the driver_override_show() function, which reads the driver_override string without acquiring the device_lock. Concurrently, driver_override_store() invokes driver_set_override() to modify and free the same string while holding the lock. A local attacker can race these operations to trigger a use-after-free condition on the kernel heap. The defect is classified under [CWE-416] and affects multiple stable Linux kernel branches.
Critical Impact
Local users may corrupt kernel memory through a race condition, potentially leading to privilege escalation, information disclosure, or kernel panic on systems exposing the fsl-mc bus sysfs interface.
Affected Products
- Linux Kernel (multiple stable branches prior to the fixed commits)
- Systems using the Freescale Management Complex (fsl-mc) bus driver, common on NXP Layerscape SoCs
- Distributions shipping affected kernels until backported patches are applied
Discovery Timeline
- 2026-02-18 - CVE-2026-23221 published to the National Vulnerability Database
- 2026-03-18 - Last updated in NVD database
Technical Details for CVE-2026-23221
Vulnerability Analysis
The vulnerability exists in the fsl-mc bus driver under drivers/bus/fsl-mc/. The sysfs attribute driver_override exposes a writable file that allows administrators to bind a device to a specific driver. The read path, implemented in driver_override_show(), accesses the driver_override string pointer without serialization. The write path, driver_override_store(), calls driver_set_override() which frees the previous string buffer and replaces the pointer while holding device_lock.
When a reader thread dereferences the pointer concurrently with a writer freeing it, the kernel accesses memory that has already been released back to the slab allocator. Depending on heap state, this leads to disclosure of reallocated kernel memory contents, corruption of adjacent objects, or a kernel oops. The fix wraps the read in device_lock()/device_unlock() to serialize access with the store path.
Root Cause
The root cause is missing lock acquisition on the read side of a shared mutable pointer. The store path correctly held device_lock while freeing and reassigning the string, but the show path lacked the symmetric locking. This asymmetric synchronization violates the invariant that the driver_override field must only be accessed under the device lock.
Attack Vector
Exploitation requires local access with permission to read and write the driver_override sysfs attribute, typically restricted to privileged users. An attacker with this access spawns two threads: one repeatedly reading /sys/bus/fsl-mc/devices/<dev>/driver_override and another writing new override strings in a tight loop. Hitting the race window triggers a use-after-free, which can be groomed using kernel heap-spray techniques to achieve memory corruption suitable for privilege escalation.
No public proof-of-concept exists for this issue, and it is not listed in the CISA Known Exploited Vulnerabilities catalog. The patch is described in the upstream commits, including Kernel Git Commit c424e72 and Kernel Git Commit 148891e.
Detection Methods for CVE-2026-23221
Indicators of Compromise
- Kernel oops or panic messages referencing driver_override_show or fsl-mc in dmesg or /var/log/kern.log.
- KASAN reports flagging use-after-free reads in drivers/bus/fsl-mc/fsl-mc-bus.c on instrumented kernels.
- Unexpected processes writing repeatedly to /sys/bus/fsl-mc/devices/*/driver_override.
Detection Strategies
- Enable KASAN on test or canary systems running affected kernels to catch the use-after-free at runtime.
- Audit kernel package versions across NXP Layerscape and other fsl-mc-capable hardware against the fixed commits.
- Monitor for abnormal write patterns to driver_override sysfs files via Linux audit (auditctl -w /sys/bus/fsl-mc -p wa).
Monitoring Recommendations
- Forward dmesg and kernel audit events to a centralized log platform and alert on fsl-mc faults.
- Track local privilege-related anomalies such as unexpected root shells originating from low-privilege users on Layerscape devices.
- Baseline normal fsl-mc administrative activity and alert on deviations.
How to Mitigate CVE-2026-23221
Immediate Actions Required
- Update the Linux kernel to a version containing the upstream fix for driver_override_show() locking in the fsl-mc bus driver.
- Restrict local shell access on affected NXP Layerscape and other fsl-mc-using systems to trusted administrators only.
- Verify that sysfs permissions on driver_override files remain restricted to root (mode 0644 with root ownership).
Patch Information
The fix adds device_lock()/device_unlock() around the read of driver_override in driver_override_show(). Upstream stable backports are available across multiple branches in the following commits: Kernel Git Commit 148891e, Kernel Git Commit 1d6bd61, Kernel Git Commit a2ae33e, Kernel Git Commit b198384, Kernel Git Commit c424e72, Kernel Git Commit c71dfb7, and Kernel Git Commit dd8ba8c. Apply the vendor kernel update from your distribution as soon as it becomes available.
Workarounds
- On systems that do not require the fsl-mc bus, blacklist the fsl_mc_bus module to remove the vulnerable sysfs interface.
- Tighten access control on /sys/bus/fsl-mc/ via Linux Security Modules such as SELinux or AppArmor to deny writes from non-administrative contexts.
- Limit interactive local logins on Layerscape appliances until the kernel patch is deployed.
# Verify running kernel version and check for fsl-mc exposure
uname -r
ls /sys/bus/fsl-mc/devices/ 2>/dev/null && echo "fsl-mc bus present"
# Optional: blacklist the module if not required
echo 'blacklist fsl_mc_bus' | sudo tee /etc/modprobe.d/blacklist-fsl-mc.conf
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
