CVE-2026-23327 Overview
CVE-2026-23327 is an out-of-bounds read in the Linux kernel's CXL (Compute Express Link) mailbox subsystem. cxl_payload_from_user_allowed() in drivers/cxl/core/mbox.c casts the user-supplied input payload to the structure the opcode implies and dereferences it without checking that the copied buffer is actually that large. A raw mailbox command sent with an undersized payload therefore makes the kernel read past the end of the buffer: on a KASAN build this is reported as a slab-out-of-bounds read, on a production kernel it is a silent over-read.
Critical Impact
A local process that can open a CXL memory device node and issue raw mailbox commands can make the kernel read past a small slab allocation. In the reported case the over-read is 8 bytes and its only observable effect is whether the command is accepted, so the practical impact is a kernel memory-safety violation with a very narrow disclosure channel rather than a direct read-out of kernel memory; a KASAN build additionally panics or splats depending on its configuration. The device nodes are created root-only by default and the raw command path is a build-time option, both of which limit who can reach the bug.
Affected Products
- Linux kernel builds with CXL memory device support (CONFIG_CXL_MEM) whose raw mailbox command path is enabled (CONFIG_CXL_MEM_RAW_COMMANDS); the non-raw path checks the input size against the per-command table before the payload is copied and does not reach the bug
- Systems utilizing Compute Express Link (CXL) memory devices
- Linux kernel 6.19.0 and potentially earlier versions with CXL subsystem
Discovery Timeline
- 2026-03-25 - CVE CVE-2026-23327 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-23327
Vulnerability Analysis
The vulnerability resides in the CXL mailbox command handling code within drivers/cxl/core/mbox.c. When processing user-supplied mailbox commands, the cxl_payload_from_user_allowed() function directly casts and dereferences the input payload without performing adequate size validation. This oversight allows attackers to trigger out-of-bounds memory reads when sending commands with payloads smaller than expected.
For example, CXL_MBOX_OP_CLEAR_LOG expects a 16-byte log UUID. If the raw command carries only 1 byte, vmemdup_user() copies that single byte into the smallest kmalloc object (8 bytes on x86) and the following uuid_equal() still compares 16 bytes, so 8 bytes beyond the object are read. KASAN (Kernel Address Sanitizer) reports this as a slab-out-of-bounds read in memcmp. The over-read bytes are never copied back to user space: they only feed the equality test against the vendor debug log UUID, so what leaks is at most whether the adjacent bytes match a fixed constant.
Root Cause
The root cause is improper input validation in cxl_payload_from_user_allowed(). The function assumes the caller provides a correctly-sized payload buffer matching the expected structure for each mailbox command type. Without explicit size validation before accessing payload contents, undersized user inputs cause the kernel to read memory outside the intended buffer boundaries.
The fix adds an in_size parameter to cxl_payload_from_user_allowed() so the function can confirm that the payload is at least as large as the structure it is about to cast to before dereferencing it.
Attack Vector
The attack requires local access with permission to open a CXL memory device node, on a kernel built with CONFIG_CXL_MEM_RAW_COMMANDS and not running in lockdown mode (the raw path is refused under LOCKDOWN_PCI_ACCESS). An attacker would:
- Open a file descriptor to a CXL memory device (e.g., /dev/cxl/memX)
- Craft a raw mailbox command with an intentionally undersized payload
- Send the malformed command via the CXL_MEM_SEND_COMMAND ioctl
- The kernel copies exactly in_size bytes with vmemdup_user() and calls cxl_payload_from_user_allowed() on the result without passing that size along
- Memory access beyond the allocated buffer occurs during uuid_equal() or similar comparisons
The vulnerability is triggered through the cxl_memdev_ioctl() → cxl_send_cmd() → cxl_validate_cmd_from_user() → cxl_mbox_cmd_ctor() → cxl_payload_from_user_allowed() code path. The call trace in the KASAN report shows memcmp+0x176/0x1d0 performing the out-of-bounds read when comparing the undersized UUID against expected values.
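The following is an added example, not code from the kernel or from this advisory: a user-space model of the check described under Root Cause and reached by the call path above, showing the pre-fix shape beside a size-checked form. The opcode values, the vendor debug log UUID and the set-partition-info layout are reproduced from memory of drivers/cxl/cxlmem.h and should be verified against your tree; the kmalloc size classes are a simplified model of x86 SLUB used only to show where the 8-byte figure comes from. The fixed variant rejects undersized payloads; the exact return policy of the upstream fix is not on this page.

```c
/*
 * Added example (not kernel code): cxl_payload_from_user_allowed() as
 * described in the advisory, pre-fix and with an in_size check.
 * Constants and struct layout are assumptions; verify against cxlmem.h.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CXL_MBOX_OP_SET_PARTITION_INFO   0x4101  /* assumed opcode */
#define CXL_MBOX_OP_CLEAR_LOG            0x0403  /* assumed opcode */
#define CXL_SET_PARTITION_IMMEDIATE_FLAG 0x01

typedef struct { uint8_t b[16]; } uuid_t;

/* Vendor Debug Log UUID 5e1819d9-11a9-400c-811f-d60719403d86 (assumed). */
static const uuid_t cxl_vendor_debug_uuid = {{
	0x5e, 0x18, 0x19, 0xd9, 0x11, 0xa9, 0x40, 0x0c,
	0x81, 0x1f, 0xd6, 0x07, 0x19, 0x40, 0x3d, 0x86 }};

struct cxl_mbox_set_partition_info {
	uint64_t volatile_capacity;
	uint8_t flags;
} __attribute__((packed));

/* Pre-fix shape: trusts that payload_in is as long as the opcode implies. */
static bool payload_allowed_vulnerable(uint16_t opcode, const void *payload_in)
{
	switch (opcode) {
	case CXL_MBOX_OP_SET_PARTITION_INFO: {
		const struct cxl_mbox_set_partition_info *pi = payload_in;
		return !(pi->flags & CXL_SET_PARTITION_IMMEDIATE_FLAG);
	}
	case CXL_MBOX_OP_CLEAR_LOG:
		/* 16 bytes are compared no matter how short the buffer is. */
		return memcmp(payload_in, &cxl_vendor_debug_uuid, sizeof(uuid_t)) == 0;
	default:
		return true;
	}
}

/* Post-fix shape: the caller passes in_size and every cast is bounded by it. */
static bool payload_allowed_fixed(uint16_t opcode, const void *payload_in, size_t in_size)
{
	switch (opcode) {
	case CXL_MBOX_OP_SET_PARTITION_INFO: {
		const struct cxl_mbox_set_partition_info *pi = payload_in;
		if (in_size < sizeof(*pi))
			return false;
		return !(pi->flags & CXL_SET_PARTITION_IMMEDIATE_FLAG);
	}
	case CXL_MBOX_OP_CLEAR_LOG:
		if (in_size < sizeof(uuid_t))
			return false;
		return memcmp(payload_in, &cxl_vendor_debug_uuid, sizeof(uuid_t)) == 0;
	default:
		return true;
	}
}

/* Smallest kmalloc object holding `size` bytes (x86 SLUB classes, simplified model). */
static size_t kmalloc_object_size(size_t size)
{
	static const size_t classes[] = { 8, 16, 32, 64, 96, 128, 192, 256 };
	for (size_t i = 0; i < sizeof(classes) / sizeof(classes[0]); i++)
		if (size <= classes[i])
			return classes[i];
	return size; /* larger requests are not modelled here */
}

/* Bytes read past the object a vmemdup_user(in_size) copy lands in when the
 * opcode's check reads `bytes_read` bytes (16 for CLEAR_LOG's UUID). */
static size_t oob_read_bytes(size_t in_size, size_t bytes_read)
{
	size_t obj = kmalloc_object_size(in_size);
	return bytes_read > obj ? bytes_read - obj : 0;
}

int main(void)
{
	uint8_t short_payload[1] = { 0x5e };
	uuid_t full = cxl_vendor_debug_uuid;

	printf("CLEAR_LOG, 1-byte payload: pre-fix check reads %zu bytes past the object\n",
	       oob_read_bytes(1, sizeof(uuid_t)));
	printf("fixed check, 1-byte payload: %s\n",
	       payload_allowed_fixed(CXL_MBOX_OP_CLEAR_LOG, short_payload, 1) ? "allowed" : "rejected");
	printf("fixed check, full UUID:      %s\n",
	       payload_allowed_fixed(CXL_MBOX_OP_CLEAR_LOG, &full, sizeof(full)) ? "allowed" : "rejected");
	/* The pre-fix check is only exercised with a full-size buffer here; calling it
	 * with short_payload would be the out-of-bounds read itself. */
	printf("pre-fix check, full UUID:    %s\n",
	       payload_allowed_vulnerable(CXL_MBOX_OP_CLEAR_LOG, &full) ? "allowed" : "rejected");
	return 0;
}
```

The size check has to sit before the cast is used, not after: once pi->flags or the uuid compare has executed, the over-read has already happened. The same pattern applies to any future opcode added to this switch, which is why passing in_size into the function, rather than special-casing CLEAR_LOG at the call site, is the durable fix.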
Detection Methods for CVE-2026-23327
Indicators of Compromise
- KASAN reports showing slab-out-of-bounds errors in memcmp called from cxl_payload_from_user_allowed (only on kernels built with KASAN; a production kernel does not crash on an 8-byte over-read and leaves no such trace)
- A one-time WARN in the kernel log reading "raw command path used", which the driver emits the first time a raw mailbox command is accepted; on a non-KASAN kernel this may be the only evidence that the raw path was exercised at all
- Kernel log entries containing CXL mailbox-related crashes or memory access violations
- Unusual open() or ioctl activity targeting /dev/cxl/mem* devices
- Stack traces involving cxl_send_cmd, cxl_memdev_ioctl, or uuid_equal
Detection Strategies
- Enable KASAN in kernel build configuration to detect out-of-bounds memory accesses
- Monitor kernel logs for CXL subsystem errors and memory corruption warnings
- Add auditd file watches on the device nodes (for example auditctl -w /dev/cxl/mem0 -p rw -k cxl_mem); ioctl itself cannot be filtered by path in auditd, but every mailbox command is preceded by an open() of the node, which the watch records with the calling uid and executable
- Deploy SentinelOne Singularity platform with kernel-level monitoring for anomalous memory access patterns
Monitoring Recommendations
- Configure syslog forwarding to capture kernel panic and KASAN reports in real-time
- Monitor which processes hold open file descriptors on /dev/cxl/mem* (lsof or fuser) and whether any of them are not the expected tooling
- Alert on the "raw command path used" warning and on repeated EPERM/EINVAL/EBUSY failures of CXL_MEM_SEND_COMMAND, which indicate someone probing the raw path
- Use eBPF-based tracing to monitor CXL ioctl invocations and payload sizes
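As an added example, and not a tool from this advisory or its vendor, the detection logic behind the first indicator above, run over constructed dmesg lines. Only the memcmp+0x176/0x1d0 frame and the function names come from the page; the timestamps, addresses, other offsets and the task name are made up. The scanner is deliberately stateful: it ties the call trace back to the "BUG: KASAN" header, so an unrelated slab-out-of-bounds report in the same log does not count.

```c
/*
 * Added example: scan kernel log lines for the CVE-2026-23327 KASAN signature
 * (slab-out-of-bounds in memcmp with cxl_payload_from_user_allowed on the
 * call trace). Sample lines below are constructed, not a real capture.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static const char *const sample_log[] = {
	"[  812.301] ==================================================================",
	"[  812.302] BUG: KASAN: slab-out-of-bounds in memcmp+0x176/0x1d0",
	"[  812.303] Read of size 16 at addr ffff888103a4c0c0 by task raw-cmd/2371",
	"[  812.304] Call Trace:",
	"[  812.304]  memcmp+0x176/0x1d0",
	"[  812.305]  cxl_payload_from_user_allowed+0x84/0x120",
	"[  812.305]  cxl_mbox_cmd_ctor+0x1c3/0x2a0",
	"[  812.306]  cxl_send_cmd+0x2e5/0x4f0",
	"[  812.306]  cxl_memdev_ioctl+0x97/0x140",
	"[  812.307]  __x64_sys_ioctl+0x95/0xd0",
	"[  812.308] ==================================================================",
	"[  900.100] BUG: KASAN: slab-out-of-bounds in some_other_func+0x10/0x40",
	"[  900.101] Read of size 8 at addr ffff888105ee1000 by task other/99",
	"[  900.101] Call Trace:",
	"[  900.101]  some_other_func+0x10/0x40",
	"[  900.102]  unrelated_driver_ioctl+0x20/0x80",
	"[  900.103] ==================================================================",
	NULL
};

/* Returns how many KASAN slab-out-of-bounds reports in memcmp have
 * cxl_payload_from_user_allowed on their call trace; the task name from the
 * last matching report is copied into task_out (if task_len > 0). */
static int scan_kasan_cxl(const char *const *lines, char *task_out, size_t task_len)
{
	int hits = 0;
	bool in_report = false, cxl_frame = false;
	char task[64] = "";

	if (task_len)
		task_out[0] = '\0';

	for (; *lines; lines++) {
		const char *l = *lines;

		/* A new header always starts a fresh report, even if the previous one
		 * was cut off before its closing rule. */
		if (strstr(l, "BUG: KASAN: slab-out-of-bounds in memcmp")) {
			in_report = true;
			cxl_frame = false;
			task[0] = '\0';
			continue;
		}
		if (!in_report)
			continue;

		const char *t = strstr(l, "by task ");
		if (t) {
			t += strlen("by task ");
			size_t n = strcspn(t, "/");
			if (n >= sizeof(task))
				n = sizeof(task) - 1;
			memcpy(task, t, n);
			task[n] = '\0';
		}
		if (strstr(l, "cxl_payload_from_user_allowed"))
			cxl_frame = true;

		/* KASAN closes a report with a rule of '=' characters. */
		if (strstr(l, "====")) {
			if (cxl_frame) {
				hits++;
				if (task_len) {
					strncpy(task_out, task, task_len - 1);
					task_out[task_len - 1] = '\0';
				}
			}
			in_report = false;
		}
	}
	return hits;
}

int main(void)
{
	char task[64];
	int n = scan_kasan_cxl(sample_log, task, sizeof(task));

	printf("%d CVE-2026-23327-style KASAN report(s); last offending task: %s\n",
	       n, n ? task : "-");
	return 0;
}
```

To run this against a live system, feed it the output of dmesg or the journal instead of sample_log; the task name it extracts is what you pivot on to find the process, its executable and the user who opened the device node.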
How to Mitigate CVE-2026-23327
Immediate Actions Required
- Update the Linux kernel to a patched version containing the input validation fix
- Restrict access to CXL memory device files (/dev/cxl/mem*) to trusted administrators only
- Enable KASAN in development/testing environments to surface the bug and any similar size-check omissions; KASAN is a debugging aid, not a production detection control
- Review system access controls for any processes interacting with CXL hardware
Patch Information
The Linux kernel developers have released patches addressing this vulnerability. The fix adds an in_size parameter to cxl_payload_from_user_allowed() to validate that the payload buffer is large enough before accessing its contents.
Patch commits are available in the kernel git repository:
Workarounds
- Keep /dev/cxl/mem* at the kernel's default of mode 0600 owned by root; the workaround below re-applies that and persists it against a distro or local udev rule that widened access
- Use SELinux or AppArmor policies to confine applications that legitimately need CXL device access
- Rebuild the kernel with CONFIG_CXL_MEM_RAW_COMMANDS disabled if raw mailbox commands are not required; kernel lockdown (LOCKDOWN_PCI_ACCESS) also refuses the raw path
- Network segmentation does not address a local ioctl bug directly; it only matters insofar as it limits who can obtain a shell on hosts with CXL hardware
# Re-apply the kernel's default permissions on the CXL memdev nodes
chown root:root /dev/cxl/mem*
chmod 600 /dev/cxl/mem*
# Persist them. The memdev's kernel name is "memN" in subsystem "cxl" and the
# "cxl/" prefix is only the devnode path, so match on SUBSYSTEM, not on the path.
# Confirm the match keys with: udevadm info /dev/cxl/mem0
echo 'SUBSYSTEM=="cxl", KERNEL=="mem[0-9]*", MODE="0600", OWNER="root", GROUP="root"' > /etc/udev/rules.d/99-cxl-secure.rules
udevadm control --reload-rules
udevadm trigger --subsystem-match=cxl
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.