CVE-2026-23433 Overview
CVE-2026-23433 is a null pointer dereference vulnerability in the Linux kernel's ARM Memory Partitioning and Monitoring (MPAM) subsystem. The flaw occurs in the arm_mpam module when restoring bandwidth counters after a Memory System Component (MSC) supporting memory bandwidth monitoring is brought offline and then back online.
When mpam_restore_mbwu_state() runs, it calls __ris_msmon_read() via an inter-processor interrupt (IPI) to restore the configuration of the bandwidth counters. Because the caller does not need the value that is read, it never initializes mbwu_arg.val before passing the argument structure to __ris_msmon_read(). The callee still attempts to add to the location this pointer refers to, resulting in a null pointer dereference and subsequent kernel panic.
Critical Impact
This vulnerability can cause kernel oops and system crashes when Memory System Components are cycled offline and online, potentially leading to denial of service conditions on ARM systems utilizing MPAM features.
Affected Products
- Linux kernel with ARM MPAM support enabled
- ARM-based systems using Memory Partitioning and Monitoring
- Systems with MSCs supporting memory bandwidth monitoring
Discovery Timeline
- 2026-04-03 - CVE-2026-23433 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-23433
Vulnerability Analysis
This null pointer dereference vulnerability resides in the ARM MPAM subsystem's bandwidth counter restoration logic. The ARM Memory Partitioning and Monitoring (MPAM) architecture provides hardware-level resource monitoring and control for ARM processors. When a Memory System Component (MSC) is brought offline and subsequently restored to online status, the kernel must restore the state of various monitoring counters, including memory bandwidth usage (MBWU) counters.
The vulnerability is triggered during this restoration process. The mpam_restore_mbwu_state() function initiates an IPI call to __ris_msmon_read() to restore counter configurations. The problematic code path doesn't care about the actual value being read—it only needs to trigger the restoration side effects. However, the mbwu_arg.val parameter, which should hold a pointer to receive the read value, is left uninitialized (null).
When __ris_msmon_read() executes its addition operation on this null pointer, it triggers a null pointer dereference, causing an immediate kernel oops. The call trace reveals the sequence: __ris_msmon_read() → mpam_restore_mbwu_state() → smp_call_on_cpu_callback() → process_one_work() → worker_thread().
Root Cause
The root cause is a failure to provide a valid memory location for the val parameter in the mbwu_arg structure before calling __ris_msmon_read(). The function was designed with the assumption that callers would always provide a valid pointer for storing the read result, but mpam_restore_mbwu_state() doesn't require this value and neglected to initialize it. This represents an input validation oversight where the callee function doesn't verify pointer validity before dereferencing.
Attack Vector
This vulnerability is triggered through local system operations involving MSC power state transitions. An attacker with sufficient privileges to bring system components offline and online could potentially trigger this condition to cause a denial of service. The attack vector is local, requiring either physical access or privileged local access to manipulate hardware power states.
The vulnerability could be triggered by:
- Administrative actions cycling MSC components offline/online
- Power management operations during suspend/resume cycles
- Hot-plug events involving MPAM-enabled memory controllers
- Automated system management scripts that cycle hardware components
Detection Methods for CVE-2026-23433
Indicators of Compromise
- Kernel oops messages in system logs with __ris_msmon_read in the call trace
- System crashes or hangs during MSC power state transitions
- Unexpected reboots on ARM systems with MPAM enabled
- Kernel panic entries in /var/log/kern.log or dmesg output referencing mpam_restore_mbwu_state
Detection Strategies
- Monitor kernel logs for oops messages containing arm_mpam or mpam_restore_mbwu_state function names
- Implement automated log analysis for null pointer dereference exceptions in the MPAM subsystem
- Deploy kernel crash dump analysis to identify patterns matching this vulnerability
- Use SentinelOne's kernel-level monitoring to detect abnormal MPAM subsystem behavior
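The log check described in the list above, as an added example that is not part of the original advisory or of any vendor tooling: a Python scanner that groups kernel log lines into oops reports and flags only those whose trace names both functions from this advisory. The sample log, its offsets and its timestamps are constructed, and the oops start and end markers are assumed arm64 framing.

```python
import re

# Function names taken from the call trace given in this advisory.
CALLEE = "__ris_msmon_read"
CALLER = "mpam_restore_mbwu_state"

# Assumption: a report opens with one of these lines and closes at "end trace".
OOPS_START = re.compile(r"Unable to handle kernel NULL pointer dereference|Internal error: Oops")
OOPS_END = re.compile(r"---\[ end trace")
STAMP = re.compile(r"^\[\s*(\d+\.\d+)\]")

def _classify(report):
    """Return a hit only if the report names both the callee and the caller."""
    text = "\n".join(report)
    if CALLEE not in text or CALLER not in text:
        return None
    m = STAMP.match(report[0])
    return {"time": float(m.group(1)) if m else None, "lines": len(report)}

def find_mpam_oops(lines):
    """Group kernel log lines into oops reports and keep the MPAM ones."""
    hits, report = [], None
    for line in lines:
        if report is None:
            if OOPS_START.search(line):
                report = [line]
            continue
        report.append(line)
        if OOPS_END.search(line):
            hits.append(_classify(report))
            report = None
    if report:  # log cut off by the crash before the end marker was written
        hits.append(_classify(report))
    return [h for h in hits if h]

# Constructed sample: one matching report, one unrelated NULL dereference.
SAMPLE = """\
[  101.204310] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[  101.204390] Call trace:
[  101.204401]  __ris_msmon_read+0x19c/0x64c [arm_mpam]
[  101.204412]  mpam_restore_mbwu_state+0xa0/0xe8 [arm_mpam]
[  101.204423]  smp_call_on_cpu_callback+0x1c/0x38
[  101.204434]  process_one_work+0x154/0x2b0
[  101.204445]  worker_thread+0x188/0x310
[  101.204456] ---[ end trace 0000000000000000 ]---
[  250.500000] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
[  250.500060]  some_other_driver_read+0x10/0x40
[  250.500070] ---[ end trace 0000000000000000 ]---
""".splitlines()
```

Feed it the lines of `dmesg` output or a saved kernel log; requiring both function names keeps unrelated null dereferences out of the alert stream.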
Monitoring Recommendations
- Enable kernel crash dumps (kdump) to capture diagnostic information during failures
- Configure syslog monitoring to alert on kernel oops or panic conditions
- Monitor system availability metrics for unexpected downtime patterns
- Track MSC power state transition events on affected ARM systems
How to Mitigate CVE-2026-23433
Immediate Actions Required
- Update the Linux kernel to a patched version containing the fix commits
- Avoid cycling MSC components offline/online on unpatched systems when possible
- Monitor systems for kernel crashes if immediate patching is not feasible
- Consider disabling MPAM features temporarily on critical systems until patches can be applied
Patch Information
The vulnerability has been addressed in the Linux kernel through commits that provide a local variable for val to prevent __ris_msmon_read() from dereferencing a null pointer. The fix ensures that even when the caller doesn't need the read value, a valid memory location is provided.
Patches are available through the following kernel git commits:
Workarounds
- Avoid triggering MSC offline/online transitions on affected systems until patches are applied
- Disable memory bandwidth monitoring features if not required for operations
- Implement system monitoring to detect and recover from kernel crashes
- Consider using a watchdog timer to automatically restart affected systems
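# Check if MPAM is enabled in current kernel configuration
# (/proc/config.gz exists only when CONFIG_IKCONFIG_PROC is set; otherwise fall back to the boot config)
zcat /proc/config.gz 2>/dev/null | grep CONFIG_ARM_MPAM || grep CONFIG_ARM_MPAM "/boot/config-$(uname -r)"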
# Monitor for related kernel messages
dmesg | grep -i mpam
# Check kernel version for patch status
uname -r

