CVE-2026-23369 Overview
CVE-2026-23369 is a race condition vulnerability in the Linux kernel's i2c-i801 driver that can result in a NULL pointer dereference, causing a kernel panic during system boot. The vulnerability occurs when multiple udev threads concurrently access the i801_acpi_io_handler function while collecting i801 device information, leading to a use-after-unregister condition.
Critical Impact
This vulnerability can cause system crashes during boot when multiple udev threads race to collect I2C device information, resulting in kernel NULL pointer dereference and system unavailability.
Affected Products
- Linux Kernel with i2c-i801 driver enabled
- Systems using Intel I801 SMBus controllers
- Linux distributions running kernel version 5.14.0 and related versions
Discovery Timeline
- 2026-03-25 - CVE-2026-23369 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-23369
Vulnerability Analysis
This vulnerability exists in the i2c-i801 kernel driver's ACPI I/O handler implementation. The race condition manifests when the Linux kernel boots and multiple systemd-udevd threads simultaneously attempt to enumerate I2C devices on the I801 SMBus controller.
The problematic scenario unfolds as follows: the first udev thread enters i801_acpi_io_handler and determines that the ACPI region is reserved, triggering deregistration of the area to prevent further access. However, a second udev thread may enter the same handler after the region has been deregistered but before proper synchronization can prevent access. When i2c_lock_bus is called, it attempts to access lock_ops from the now-unregistered area, which contains a NULL pointer.
The kernel backtrace shows the crash occurring at i801_acpi_io_handler+0x2d/0xb0 in the i2c_i801 module, with the RAX register containing 0x0000000000000000, confirming the NULL pointer dereference. The call trace reveals the issue propagates through the ACPI subsystem during power supply property enumeration via the acpi_ac_get_state path.
Root Cause
The root cause stems from a previous commit (f707d6b9e7c18f669adfdb443906d46cfbaaa0c1) that replaced the acpi_lock with I2C bus lock. This change inadvertently introduced a race condition where the locking mechanism depends on a data structure that can be deregistered asynchronously. The original acpi_lock provided proper synchronization for ACPI region access, but the replacement I2C bus lock relies on lock_ops stored in a region that becomes invalid during concurrent deregistration.
Attack Vector
The vulnerability is triggered locally through normal system operation during boot. It requires no attacker interaction—the race condition occurs naturally when:
- Multiple udev threads spawn during device enumeration
- These threads concurrently query the i801 I2C device
- ACPI address space dispatch calls i801_acpi_io_handler
- One thread deregisters the ACPI region while another is accessing it
The attack vector is local, requiring access to a system with the vulnerable i2c-i801 driver during boot or device hotplug scenarios.
Detection Methods for CVE-2026-23369
Indicators of Compromise
- Kernel panic messages during boot referencing i801_acpi_io_handler in the call trace
- BUG reports showing "kernel NULL pointer dereference, address: 0000000000000000"
- System crash logs indicating #PF: supervisor read access in kernel mode with error_code(0x0000)
- Oops messages with PREEMPT SMP PTI and RAX register containing NULL
Detection Strategies
- Monitor kernel logs (dmesg) for NULL pointer dereference errors mentioning i2c_i801 module
- Configure kdump or crash dump collection to capture kernel panics for post-mortem analysis
- Implement boot monitoring to detect systems failing to complete initialization
- Check for repeated unexpected reboots during system startup
Monitoring Recommendations
- Deploy centralized logging to collect kernel panic events across affected systems
- Set up alerting for kernel oops messages containing i801_acpi_io_handler pattern
- Monitor system availability during boot cycles to detect intermittent failures
- Review systemd-udevd journal entries for I2C device enumeration errors
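The indicators listed above can be correlated per oops instead of matched line by line. The following is an added example, not code from the kernel project or the original advisory: the function names and the sample log are constructed for illustration, using only the strings quoted on this page.

```shell
#!/bin/sh
# Constructed sample: one oops with the CVE-2026-23369 signature, one unrelated.
sample_log() {
cat <<'EOF'
[    9.812345] BUG: kernel NULL pointer dereference, address: 0000000000000000
[    9.812350] #PF: supervisor read access in kernel mode
[    9.812353] #PF: error_code(0x0000) - not-present page
[    9.812360] Oops: 0000 [#1] PREEMPT SMP PTI
[    9.812371] RIP: 0010:i801_acpi_io_handler+0x2d/0xb0 [i2c_i801]
[    9.812380] RAX: 0000000000000000 RBX: ffff9d3a41c2e000 RCX: 0000000000000000
[    9.812399] Call Trace:
[    9.812405]  acpi_ac_get_state+0x2e/0x80
[    9.812440] ---[ end trace 0000000000000000 ]---
[   31.100000] BUG: kernel NULL pointer dereference, address: 0000000000000010
[   31.100011] RIP: 0010:example_other_driver_fn+0x10/0x40 [example_mod]
[   31.100050] ---[ end trace 0000000000000000 ]---
EOF
}

# Reads kernel log text on stdin (saved dmesg or journal output).
# Prints "<symbol+offset> rax_null=<yes|no>" for each oops whose faulting RIP
# is in i801_acpi_io_handler; exit status is 0 on a match, 1 otherwise.
scan_i801_oops() {
    awk '
        # The BUG line opens a new oops: flush any unterminated one, reset state.
        /BUG: kernel NULL pointer dereference/ {
            if (in_oops) report()
            in_oops = 1; rip = ""; rax = "no"; next
        }
        in_oops && /RIP: [0-9a-f]+:i801_acpi_io_handler[+]/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /i801_acpi_io_handler[+]/) { rip = $i; sub(/^[0-9a-f]+:/, "", rip) }
        }
        in_oops && /RAX: 0000000000000000/ { rax = "yes" }
        in_oops && /end trace/ { report(); in_oops = 0 }
        # A log cut off by the crash may lack the end-of-trace marker.
        END { if (in_oops) report(); exit (hits ? 0 : 1) }
        function report() { if (rip != "") { print rip " rax_null=" rax; hits++ } }
    '
}

sample_log | scan_i801_oops   # prints: i801_acpi_io_handler+0x2d/0xb0 rax_null=yes
```

Because the crash happens during boot, feed the function the log of the previous boot or a captured crash dump log, not the running kernel's ring buffer.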
How to Mitigate CVE-2026-23369
Immediate Actions Required
- Update to a patched Linux kernel version that includes the revert commit
- Apply vendor-specific kernel updates from your Linux distribution
- Monitor systems for boot failures and kernel panics related to I2C subsystem
- Consider temporarily blacklisting the i2c_i801 module if I2C functionality is not critical
Patch Information
The vulnerability has been addressed by reverting the problematic commit and restoring the original acpi_lock synchronization mechanism. Multiple patch commits have been released across different kernel branches:
- Kernel Git Commit Update 1
- Kernel Git Commit Update 2
- Kernel Git Commit Update 3
- Kernel Git Commit Update 4
Workarounds
- Blacklist the i2c_i801 module by adding blacklist i2c_i801 to /etc/modprobe.d/blacklist.conf if SMBus functionality is not required
- Reduce udev parallelism during boot to minimize the chance of triggering the race condition
- Use udevadm settings to serialize device enumeration if immediate patching is not possible
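```shell
# Temporary workaround: blacklist the i2c_i801 module (run as root)
echo "blacklist i2c_i801" >> /etc/modprobe.d/blacklist-i2c-i801.conf
# Rebuild the initramfs so the blacklist also applies in early boot (Debian/Ubuntu tooling)
update-initramfs -u
# After a reboot, verify the module is not loaded (no output means it is not loaded)
lsmod | grep i2c_i801
```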
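A blacklist entry only stops automatic loading, so a host can carry the entry and still have the module loaded until it is rebooted. The following added example (not part of the original advisory) reports which state a host is in; the function name, state labels and optional path arguments are hypothetical.

```shell
#!/bin/sh
# Report whether the i2c_i801 blacklist workaround is in effect.
#   $1 = modprobe config directory (default /etc/modprobe.d)
#   $2 = loaded-module list in /proc/modules format (default /proc/modules)
# Both arguments are overrides so the check can run against collected copies.
i801_workaround_state() {
    conf_dir=${1:-/etc/modprobe.d}
    modules=${2:-/proc/modules}
    blacklisted=no
    loaded=no

    # modprobe treats "-" and "_" as equivalent in module names.
    # Commented-out entries do not match because of the line anchor.
    if cat "$conf_dir"/*.conf 2>/dev/null |
        grep -Eq '^[[:space:]]*blacklist[[:space:]]+i2c[-_]i801[[:space:]]*$'; then
        blacklisted=yes
    fi

    # /proc/modules lists one loaded module per line, module name first.
    if grep -Eq '^i2c_i801 ' "$modules" 2>/dev/null; then
        loaded=yes
    fi

    case "$blacklisted/$loaded" in
        yes/no)  echo mitigated ;;
        yes/yes) echo blacklisted-but-loaded ;;    # reboot still pending
        no/yes)  echo exposed ;;                   # assumes an unpatched kernel
        no/no)   echo not-loaded-no-blacklist ;;   # may autoload on next boot
    esac
}

i801_workaround_state "$@"
```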


