
CVE-2026-23433: Linux Kernel Use-After-Free Vulnerability

CVE-2026-23433 is a use-after-free vulnerability in the Linux kernel's arm_mpam component that causes null pointer dereferences during bandwidth counter restoration. This article covers technical details, affected systems, and mitigations.

Published: April 10, 2026

CVE-2026-23433 Overview

CVE-2026-23433 is a null pointer dereference vulnerability in the Linux kernel's ARM Memory Partitioning and Monitoring (MPAM) subsystem. The flaw occurs in the arm_mpam module when restoring bandwidth counters after a Memory System Component (MSC) supporting memory bandwidth monitoring is brought offline and then back online.

When mpam_restore_mbwu_state() runs, it calls __ris_msmon_read() via inter-processor interrupt (IPI) to restore the configuration of the bandwidth counters. The restore path does not need the value that is read, so it never sets the mbwu_arg.val pointer before passing the argument to __ris_msmon_read(). __ris_msmon_read() still adds the counter reading to the location val points to, and because val is null this is a null pointer dereference that ends in a kernel oops.

Critical Impact

This vulnerability can cause kernel oops and system crashes when Memory System Components are cycled offline and online, potentially leading to denial of service conditions on ARM systems utilizing MPAM features.

Affected Products

  • Linux kernel with ARM MPAM support enabled
  • ARM-based systems using Memory Partitioning and Monitoring
  • Systems with MSCs supporting memory bandwidth monitoring

Discovery Timeline

  • 2026-04-03 - CVE-2026-23433 published to NVD
  • 2026-04-07 - Last updated in NVD database

Technical Details for CVE-2026-23433

Vulnerability Analysis

This null pointer dereference vulnerability resides in the ARM MPAM subsystem's bandwidth counter restoration logic. The ARM Memory Partitioning and Monitoring (MPAM) architecture provides hardware-level resource monitoring and control for ARM processors. When a Memory System Component (MSC) is brought offline and subsequently restored to online status, the kernel must restore the state of various monitoring counters, including memory bandwidth usage (MBWU) counters.

The vulnerability is triggered during this restoration process. The mpam_restore_mbwu_state() function initiates an IPI call to __ris_msmon_read() to restore counter configurations. The problematic code path doesn't care about the actual value being read—it only needs to trigger the restoration side effects. However, the mbwu_arg.val parameter, which should hold a pointer to receive the read value, is left uninitialized (null).

When __ris_msmon_read() executes its addition operation on this null pointer, it triggers a null pointer dereference, causing an immediate kernel oops. The call trace reveals the sequence: __ris_msmon_read() → mpam_restore_mbwu_state() → smp_call_on_cpu_callback() → process_one_work() → worker_thread().

Root Cause

The root cause is a failure to provide a valid memory location for the val parameter in the mbwu_arg structure before calling __ris_msmon_read(). The function was designed with the assumption that callers would always provide a valid pointer for storing the read result, but mpam_restore_mbwu_state() doesn't require this value and neglected to initialize it. This represents an input validation oversight where the callee function doesn't verify pointer validity before dereferencing.

Attack Vector

This vulnerability is triggered through local system operations involving MSC power state transitions. An attacker with sufficient privileges to bring system components offline and online could potentially trigger this condition to cause a denial of service. The attack vector is local, requiring either physical access or privileged local access to manipulate hardware power states.

The vulnerability could be triggered by:

  • Administrative actions cycling MSC components offline/online
  • Power management operations during suspend/resume cycles
  • Hot-plug events involving MPAM-enabled memory controllers
  • Automated system management scripts that cycle hardware components

Detection Methods for CVE-2026-23433

Indicators of Compromise

  • Kernel oops messages in system logs with __ris_msmon_read in the call trace
  • System crashes or hangs during MSC power state transitions
  • Unexpected reboots on ARM systems with MPAM enabled
  • Kernel panic entries in /var/log/kern.log or dmesg output referencing mpam_restore_mbwu_state

Detection Strategies

  • Monitor kernel logs for oops messages containing arm_mpam or mpam_restore_mbwu_state function names
  • Implement automated log analysis for null pointer dereference exceptions in the MPAM subsystem
  • Deploy kernel crash dump analysis to identify patterns matching this vulnerability
  • Use SentinelOne's kernel-level monitoring to detect abnormal MPAM subsystem behavior
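
The automated log analysis suggested above, as an added example (not SentinelOne's or the kernel project's code): it counts oops reports whose call trace contains both __ris_msmon_read and mpam_restore_mbwu_state, so unrelated null dereferences and benign MPAM messages are not flagged. The helper names mpam_oops_count and sample_log are hypothetical, and the log lines, timestamps and offsets are constructed sample data.

```shell
#!/bin/sh
# Added example: count oops reports that match this CVE's call trace.
# Reads kernel log text on stdin and prints the number of matching reports.
mpam_oops_count() {
  awk '
    # Close the current oops report; count it only if both functions appeared.
    function flush() { if (in_oops && callee && caller) hits++; in_oops = 0 }
    /Unable to handle kernel NULL pointer dereference/ {
      flush(); in_oops = 1; callee = 0; caller = 0; next
    }
    in_oops && /__ris_msmon_read/        { callee = 1 }
    in_oops && /mpam_restore_mbwu_state/ { caller = 1 }
    in_oops && /---\[ end trace/         { flush() }
    # A crash can cut the log before the end marker, so flush at EOF too.
    END { flush(); print hits + 0 }
  '
}

# Constructed sample: one benign line, one matching oops, one unrelated oops.
sample_log() {
  cat <<'EOF'
[   12.004211] mpam: constructed benign line mentioning mpam
[  245.120001] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[  245.120040] Call trace:
[  245.120041]  __ris_msmon_read+0x1a0/0x2f0
[  245.120042]  mpam_restore_mbwu_state+0x98/0x120
[  245.120043]  smp_call_on_cpu_callback+0x24/0x48
[  245.120044]  process_one_work+0x150/0x3a0
[  245.120045]  worker_thread+0x2d8/0x3f0
[  245.120046] ---[ end trace 0000000000000000 ]---
[  311.500001] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
[  311.500040] Call trace:
[  311.500041]  example_drv_read+0x40/0x90
[  311.500042] ---[ end trace 0000000000000000 ]---
EOF
}

# Demo on the sample; on a live host pipe in real logs: dmesg | mpam_oops_count
echo "matching oops reports in sample: $(sample_log | mpam_oops_count)"
```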

Monitoring Recommendations

  • Enable kernel crash dumps (kdump) to capture diagnostic information during failures
  • Configure syslog monitoring to alert on kernel oops or panic conditions
  • Monitor system availability metrics for unexpected downtime patterns
  • Track MSC power state transition events on affected ARM systems

How to Mitigate CVE-2026-23433

Immediate Actions Required

  • Update the Linux kernel to a patched version containing the fix commits
  • Avoid cycling MSC components offline/online on unpatched systems when possible
  • Monitor systems for kernel crashes if immediate patching is not feasible
  • Consider disabling MPAM features temporarily on critical systems until patches can be applied

Patch Information

The vulnerability has been addressed in the Linux kernel through commits that provide a local variable for val to prevent __ris_msmon_read() from dereferencing a null pointer. The fix ensures that even when the caller doesn't need the read value, a valid memory location is provided.

Patches are available through the following kernel git commits:

  • Kernel Git Commit 4ad79c87
  • Kernel Git Commit ac3e12bc

Workarounds

  • Avoid triggering MSC offline/online transitions on affected systems until patches are applied
  • Disable memory bandwidth monitoring features if not required for operations
  • Implement system monitoring to detect and recover from kernel crashes
  • Consider using a watchdog timer to automatically restart affected systems
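
```bash
# Check if MPAM is enabled in the current kernel configuration.
# /proc/config.gz exists only when CONFIG_IKCONFIG_PROC is set, so fall back to /boot.
zcat /proc/config.gz 2>/dev/null | grep CONFIG_ARM_MPAM \
  || grep CONFIG_ARM_MPAM "/boot/config-$(uname -r)"

# Monitor for related kernel messages
dmesg | grep -i mpam

# Check kernel version for patch status
uname -r
```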

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Use After Free
  • Vendor/Tech: Linux Kernel
  • Severity: NONE
  • CVSS Score: N/A
  • EPSS Probability: 0.02%
  • Known Exploited: No

Impact Assessment

  • Confidentiality: None
  • Integrity: None
  • Availability: None

Technical References

  • Kernel Git Commit Update
  • Kernel Git Commit Update

Related CVEs

  • CVE-2026-31475: Linux Kernel Use-After-Free Vulnerability
  • CVE-2026-31469: Linux Kernel Use-After-Free Vulnerability
  • CVE-2026-31457: Linux Kernel Use-After-Free Vulnerability
  • CVE-2026-31444: Linux Kernel Use-After-Free Vulnerability