Bug 2439845 (CVE-2026-23123)

Summary: CVE-2026-23123 kernel: Linux kernel: Local denial of service in interconnect debugfs due to uninitialized pointers
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in the Linux kernel's interconnect debugfs test client. This vulnerability arises from the use of uninitialized pointers when handling debugfs entries. A local user with sufficient privileges could exploit this by accessing these debugfs entries. Successful exploitation could lead to a kernel crash, causing a local denial of service (DoS). There is also a theoretical risk of memory corruption.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-02-14 16:01:25 UTC 
In the Linux kernel, the following vulnerability has been resolved:

interconnect: debugfs: initialize src_node and dst_node to empty strings

The debugfs_create_str() API assumes that the string pointer is either NULL
or points to valid kmalloc() memory. Leaving the pointer uninitialized can
cause problems.

Initialize src_node and dst_node to empty strings before creating the
debugfs entries to guarantee that reads and writes are safe.
Comment 1 Alexander B 2026-02-16 08:55:13 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026021408-CVE-2026-23123-9ee2@gregkh/T