CVE-2026-23332 Overview
A null pointer dereference vulnerability has been identified in the Linux kernel's intel_pstate cpufreq driver. The vulnerability occurs when attempting to disable turbo mode on systems booted with restricted CPU configurations using kernel command line arguments such as nosmt or maxcpus. When a user writes to /sys/devices/system/cpu/intel_pstate/no_turbo, the system crashes due to improper handling of offline CPU data structures.
Critical Impact
Local denial of service condition allowing authenticated users to crash the kernel through sysfs interface manipulation on systems with restricted CPU topologies.
Affected Products
- Linux Kernel (intel_pstate cpufreq driver)
- Systems using Intel P-State CPU frequency scaling
- Systems booted with nosmt or maxcpus kernel parameters
Discovery Timeline
- 2026-03-25 - CVE CVE-2026-23332 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-23332
Vulnerability Analysis
The vulnerability resides in the store_no_turbo() function within the Intel P-State cpufreq driver. When iterating over possible CPUs using for_each_possible_cpu(), the code fails to account for CPUs that are not online. For offline CPUs, the all_cpu_data[] array contains NULL pointers. The issue was introduced in commit 973207ae3d7c ("cpufreq: intel_pstate: Rearrange max frequency updates handling code"), which modified the code path to dereference all_cpu_data[] for all possible CPUs rather than only online CPUs.
The crash manifests as a page fault with supervisor read access in kernel mode, indicating an attempt to access a not-present page due to the NULL pointer dereference.
Root Cause
The root cause is a missing validation check for CPU online status before dereferencing the all_cpu_data[] array. The for_each_possible_cpu() iterator returns all CPUs that could theoretically exist on the system, including those that are currently offline or were never brought online due to boot-time restrictions like nosmt or maxcpus parameters. The code assumes all returned CPUs have valid data structures allocated, which is not the case for offline CPUs.
Attack Vector
The vulnerability requires local access to the system with sufficient privileges to write to the sysfs interface at /sys/devices/system/cpu/intel_pstate/no_turbo. The attack scenario involves:
- System is booted with CPU-limiting kernel parameters (nosmt or maxcpus)
- Attacker or privileged user executes: echo 1 > /sys/devices/system/cpu/intel_pstate/no_turbo
- The kernel iterates over all possible CPUs including offline ones
- Accessing all_cpu_data[] for an offline CPU returns NULL
- Dereferencing the NULL pointer causes a kernel panic
The fix modifies intel_pstate_update_max_freq() to accept a CPU number parameter and validates that all_cpu_data[] contains a valid cpufreq policy before dereferencing.
Detection Methods for CVE-2026-23332
Indicators of Compromise
- Unexpected kernel panics or system crashes with RIP pointing to store_no_turbo function
- Oops messages in kernel logs containing "not-present page" errors with PGD 0 P4D 0
- System crash logs showing supervisor read access in kernel mode page faults
- Crash dumps with call traces involving intel_pstate driver functions
Detection Strategies
- Monitor system logs for kernel oops messages referencing store_no_turbo or intel_pstate functions
- Implement auditd rules to track write operations to /sys/devices/system/cpu/intel_pstate/no_turbo
- Deploy kernel crash dump analysis to identify null pointer dereference patterns in cpufreq subsystem
- Check if systems are booted with nosmt or maxcpus parameters which expose the vulnerability
Monitoring Recommendations
- Configure kdump/kexec for kernel crash collection to capture forensic data
- Set up automated alerting for kernel panic events on affected systems
- Monitor sysfs write operations to intel_pstate control files via audit subsystem
- Review system boot parameters to identify vulnerable configurations
How to Mitigate CVE-2026-23332
Immediate Actions Required
- Apply the kernel patches from the upstream Linux kernel commits
- Restrict access to /sys/devices/system/cpu/intel_pstate/no_turbo using file permissions
- Consider temporarily disabling write access to intel_pstate sysfs controls on affected systems
- Evaluate boot parameter requirements and consider removing nosmt or maxcpus if not strictly necessary
Patch Information
Patches have been released to the Linux kernel stable tree. The fix modifies the intel_pstate_update_max_freq() function to properly validate CPU data before dereferencing. The following commits address this vulnerability:
System administrators should update to the latest stable kernel version that includes these patches.
Workarounds
- Restrict write permissions on /sys/devices/system/cpu/intel_pstate/no_turbo to prevent unauthorized access
- If turbo disable functionality is not required, leave the default setting unchanged
- Consider using alternative CPU frequency governors that do not exhibit this vulnerability
- Remove nosmt or maxcpus boot parameters if the restricted CPU configuration is not essential
# Restrict access to the vulnerable sysfs file
chmod 400 /sys/devices/system/cpu/intel_pstate/no_turbo
# Alternatively, use a udev rule to set permissions persistently
echo 'KERNEL=="intel_pstate", ATTR{no_turbo}="", MODE="0400"' > /etc/udev/rules.d/99-intel-pstate.rules
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
