CVE-2026-23433 Overview
CVE-2026-23433 is a null pointer dereference vulnerability in the Linux kernel's arm_mpam driver. The flaw resides in the mpam_restore_mbwu_state() function, which restores Memory System Component (MSC) bandwidth counter configuration after an MSC supporting memory bandwidth monitoring is brought offline and then online. The function calls __ris_msmon_read() via inter-processor interrupt (IPI) without initializing the mbwu_arg.val pointer. When __ris_msmon_read() attempts to add to the value this pointer should reference, it dereferences a null pointer and triggers a kernel oops. The issue is tracked as CWE-476: NULL Pointer Dereference.
Critical Impact
A local low-privileged user triggering MSC offline/online transitions can cause a kernel oops, resulting in denial of service on affected Arm-based Linux systems.
Affected Products
- Linux Kernel 6.19 (stable release)
- Linux Kernel 7.0-rc1 through 7.0-rc7 (release candidates)
- Systems with Arm Memory Partitioning and Monitoring (MPAM) hardware support
Discovery Timeline
- 2026-04-03 - CVE-2026-23433 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-23433
Vulnerability Analysis
The Arm Memory Partitioning and Monitoring (MPAM) extension enables partitioning of shared memory system resources such as cache and memory bandwidth. The Linux arm_mpam driver manages Memory System Components (MSCs) that implement these features. When an MSC supporting memory bandwidth monitoring is taken offline and later brought back online, the driver must restore the previous configuration of its memory bandwidth utilization (MBWU) counters.
The restore path invokes mpam_restore_mbwu_state(), which issues an IPI to execute __ris_msmon_read() on the appropriate CPU. The caller of the restore path does not consume the value read by __ris_msmon_read() and consequently never initializes the val pointer field within mbwu_arg. When __ris_msmon_read() performs an addition through the uninitialized pointer, the kernel dereferences a null address and generates an oops whose call trace includes __ris_msmon_read+0x19c/0x64c, mpam_restore_mbwu_state+0xa0/0xe8, and smp_call_on_cpu_callback+0x1c/0x38.
Root Cause
The root cause is missing pointer initialization in the callback argument structure passed to __ris_msmon_read(). The caller treats the read operation as side-effect-only and does not care about the returned counter value. However, the callee unconditionally writes to the val pointer, assuming it references a valid storage location. The upstream fix introduces a local variable for val so __ris_msmon_read() can safely write to it during the restore operation.
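The caller/callee mismatch described above, reduced to a userspace C model. This is an added example, not the kernel's code: the struct layout, the `*_model` helpers, the sample counter value and the child-process harness are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for the driver's mbwu_arg; the layout here is an assumption. */
struct mon_read_arg {
    uint64_t hw_counter;   /* constructed sample reading */
    uint64_t *val;         /* where the callee accumulates the reading */
};
/* Models __ris_msmon_read(): adds to *val without checking val. */
static int msmon_read_model(void *info)
{
    struct mon_read_arg *arg = info;
    volatile uint64_t *dst = arg->val;  /* volatile: keep the access in this model */
    *dst += arg->hw_counter;
    return 0;
}
/* Models the cross-CPU call: the callee only ever sees an opaque pointer. */
static int call_on_cpu_model(int (*fn)(void *), void *info) { return fn(info); }
/* Before the fix: the caller ignores the reading, so val is left NULL. */
static int restore_vulnerable(void)
{
    struct mon_read_arg arg = { .hw_counter = 42 };
    return call_on_cpu_model(msmon_read_model, &arg);
}
/* After the fix: a throwaway local gives the callee valid storage. */
static int restore_fixed(void)
{
    uint64_t val = 0;
    struct mon_read_arg arg = { .hw_counter = 42, .val = &val };
    return call_on_cpu_model(msmon_read_model, &arg);
}
/* Run one restore path in a child process; 1 if it exits cleanly, else 0. */
static int restore_survives(int (*restore)(void))
{
    int status = 0;
    pid_t pid = fork();
    if (pid == 0) _exit(restore() == 0 ? 0 : 1);
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return 0;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("vulnerable path survives: %d\n", restore_survives(restore_vulnerable));
    printf("fixed path survives:      %d\n", restore_survives(restore_fixed));
    return 0;
}
```

In userspace the faulting path only kills the child process; in the kernel the same access happens inside the IPI callback and produces the oops described above.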
Attack Vector
Exploitation requires local access with the ability to trigger MSC offline and online transitions, typically through CPU hotplug operations or MPAM-related sysfs interfaces. The vulnerability does not enable code execution or information disclosure. The impact is limited to availability, producing a kernel oops that can destabilize the affected system or render specific subsystems unusable. Only Arm platforms with MPAM hardware and the arm_mpam driver enabled are vulnerable.
No public proof-of-concept exploit code is available for this issue.
Detection Methods for CVE-2026-23433
Indicators of Compromise
- Kernel oops messages in dmesg or /var/log/kern.log containing the call trace __ris_msmon_read followed by mpam_restore_mbwu_state and smp_call_on_cpu_callback.
- Unexpected kernel panics or task hangs correlated with CPU hotplug events on Arm systems with MPAM enabled.
- Repeated warnings or BUG entries referencing null pointer dereferences in the arm_mpam driver module.
Detection Strategies
- Audit kernel versions across the Arm server fleet to identify hosts running Linux 6.19 or any 7.0-rc release with CONFIG_ARM64_MPAM enabled.
- Correlate CPU hotplug, suspend/resume, and offline/online transitions with subsequent kernel error log entries referencing mpam_restore_mbwu_state.
- Monitor for stability regressions in workloads that rely on memory bandwidth monitoring or resource control (resctrl) interfaces.
Monitoring Recommendations
- Forward kernel logs to a centralized log platform and alert on call traces containing arm_mpam symbols.
- Track CPU hotplug operations via systemd or the kernel audit subsystem and correlate them against kernel oops events.
- Maintain an inventory of kernel build configurations, particularly the state of CONFIG_ARM64_MPAM, to scope exposure.
How to Mitigate CVE-2026-23433
Immediate Actions Required
- Apply the upstream kernel patches, commits ac3e12bc1957 and 4ad79c874e53.
- Inventory Arm-based hosts running Linux 6.19 or 7.0-rc kernels and prioritize them for patching.
- Restrict CPU hotplug and MPAM control interfaces to privileged administrators where the patch cannot be applied immediately.
Patch Information
The fix introduces a local variable for val in mpam_restore_mbwu_state(), providing a valid storage location that __ris_msmon_read() can safely write to during the IPI callback. The change is available in the mainline Linux kernel tree via commits ac3e12bc195786d3d44d730b5b2259fd36191848 and 4ad79c874e53ebb7fe3b8ae7ac6c858a2121f415. Distributions shipping Linux 6.19 or 7.0-rc kernels should backport the fix or upgrade to a corrected stable release.
Workarounds
- Disable the arm_mpam driver by building the kernel without CONFIG_ARM64_MPAM if memory bandwidth monitoring is not required.
- Avoid offline/online transitions of MSCs that support memory bandwidth monitoring until the patch is applied.
- Limit unprivileged access to the resctrl filesystem and CPU hotplug sysfs entries to reduce the attack surface.
# Verify the current kernel version and MPAM configuration
uname -r
grep CONFIG_ARM64_MPAM /boot/config-$(uname -r)
# Inspect kernel logs for the vulnerable call trace
dmesg | grep -E 'mpam_restore_mbwu_state|__ris_msmon_read'


