CVE-2026-23467 Overview
A NULL pointer dereference vulnerability has been identified in the Linux kernel's Intel i915 graphics driver, specifically within the Display Microcontroller (DMC) subsystem. The vulnerability occurs in the intel_dmc_update_dc6_allowed_count() function when the DMC hasn't been initialized, causing the dmc pointer to be NULL.
The issue manifests during the display core initialization sequence when intel_power_domains_init_hw() is called before intel_dmc_init(). This creates a race condition where the DC6 power state tracking function may be invoked before the necessary DMC structures are allocated and initialized.
Critical Impact
Systems with Intel integrated graphics may experience kernel oops (crashes) during boot if the BIOS leaves an unintentionally enabled DC6 hardware state without loading the required DMC firmware.
Affected Products
- Linux Kernel (drm/i915 driver)
- Systems with Intel integrated graphics supporting DC6 power states
- Platforms where BIOS may leave DC6 hardware state enabled at boot
Discovery Timeline
- 2026-04-03 - CVE CVE-2026-23467 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-23467
Vulnerability Analysis
This vulnerability is a Null Pointer Dereference in the Linux kernel's Intel i915 graphics driver. The root cause lies in the initialization order of the display power domains and the DMC subsystem.
The problematic call path follows this sequence: intel_power_domains_init_hw() → {skl,bxt,icl}_display_core_init() → gen9_set_dc_state() → intel_dmc_update_dc6_allowed_count(). Since intel_power_domains_init_hw() is invoked before intel_dmc_init(), the DMC pointer remains NULL when intel_dmc_update_dc6_allowed_count() attempts to access it.
The vulnerability is triggered conditionally based on the current and target DC states. At probe time, while the target DC state is disabled, if DC6 is already enabled in hardware, the function call proceeds and results in a kernel oops.
Root Cause
The vulnerability stems from an incorrect reliance on the hardware DC6 state rather than the software DC6 state for DC6 allowed counter tracking. The DC6 allowed counter functionality requires capturing the DC5 counter when starting the counter, which only works correctly when tracking is based on the software DC6 state.
The BIOS may leave an unintentionally enabled DC6 hardware state without actually loading the required DMC firmware. This represents a poorly specified sequence between BIOS firmware loading and driver initialization, making it an unexpected but possible boot configuration.
Attack Vector
While this vulnerability is unlikely to be exploited for malicious purposes, it represents a denial of service risk that could be triggered by specific hardware configurations or BIOS behaviors:
- System boots with a BIOS that leaves DC6 hardware state enabled
- The i915 driver begins initialization
- intel_power_domains_init_hw() is called before intel_dmc_init()
- gen9_set_dc_state() checks the hardware DC6 state and finds it enabled
- intel_dmc_update_dc6_allowed_count() is called with a NULL dmc pointer
- Kernel oops occurs, potentially causing system instability or crash
The fix addresses this by using the software DC6 state instead of the hardware state for tracking, which also ensures the dmc pointer is properly initialized before being accessed.
Detection Methods for CVE-2026-23467
Indicators of Compromise
- Kernel oops messages referencing intel_dmc_update_dc6_allowed_count in system logs
- System crashes or hangs during boot on systems with Intel integrated graphics
- Kernel panic traces involving the drm/i915/dmc module during initialization
- Error messages related to DC6 power state transitions in dmesg output
Detection Strategies
- Monitor kernel logs for NULL pointer dereference errors in the i915 driver subsystem
- Review dmesg output for DMC initialization failures or DC state transition errors
- Implement kernel tracing on intel_dmc_update_dc6_allowed_count function calls
- Check for unexpected DC6 hardware state enablement before DMC initialization
Monitoring Recommendations
- Configure kernel log monitoring to alert on oops or panic events related to the i915 driver
- Implement automated boot testing on affected hardware configurations
- Monitor system stability metrics on systems with Intel integrated graphics
- Track kernel version deployments to ensure patched versions are deployed across the fleet
How to Mitigate CVE-2026-23467
Immediate Actions Required
- Update the Linux kernel to a version containing the fix (commit 2344b93af8eb5da5d496b4e0529d35f0f559eaf0)
- Review BIOS settings related to display power management on affected systems
- Monitor system boot processes for any instability related to the i915 driver
- Consider disabling DC6 power states in kernel parameters as a temporary workaround
Patch Information
The fix has been committed to the stable kernel tree and changes the DC6 tracking logic to use the software DC6 state instead of the hardware state. This ensures the dmc pointer is properly initialized before being accessed and also corrects the DC6 allowed counter tracking functionality.
The patch is available through the following kernel git commits:
Workarounds
- Disable DC6 power state via kernel boot parameter: i915.enable_dc=0 or i915.enable_dc=1 (DC5 only)
- Update BIOS firmware to ensure proper DC state initialization before OS boot
- For systems experiencing boot crashes, boot with nomodeset temporarily until kernel is updated
- Consider using an older known-good kernel version while waiting for patched version deployment
# Temporary workaround: Disable DC6 power states via GRUB
# Edit /etc/default/grub and add to GRUB_CMDLINE_LINUX_DEFAULT:
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash i915.enable_dc=1"
# Update GRUB configuration
sudo update-grub
# Reboot to apply changes
sudo reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
