Bug 2436829 (CVE-2026-23062) - CVE-2026-23062 kernel: platform/x86: hp-bioscfg: Fix kernel panic in GET_INSTANCE_ID macro
Summary: CVE-2026-23062 kernel: platform/x86: hp-bioscfg: Fix kernel panic in GET_INST...
Keywords:
Status: NEW
Alias: CVE-2026-23062
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-02-04 17:05 UTC by OSIDB Bzimport
Modified: 2026-02-04 19:27 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-02-04 17:05:27 UTC 
In the Linux kernel, the following vulnerability has been resolved:

platform/x86: hp-bioscfg: Fix kernel panic in GET_INSTANCE_ID macro

The GET_INSTANCE_ID macro that caused a kernel panic when accessing sysfs
attributes:

1. Off-by-one error: The loop condition used '<=' instead of '<',
   causing access beyond array bounds. Since array indices are 0-based
   and go from 0 to instances_count-1, the loop should use '<'.

2. Missing NULL check: The code dereferenced attr_name_kobj->name
   without checking if attr_name_kobj was NULL, causing a null pointer
   dereference in min_length_show() and other attribute show functions.

The panic occurred when fwupd tried to read BIOS configuration attributes:

  Oops: general protection fault [#1] SMP KASAN NOPTI
  KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
  RIP: 0010:min_length_show+0xcf/0x1d0 [hp_bioscfg]

Add a NULL check for attr_name_kobj before dereferencing and corrects
the loop boundary to match the pattern used elsewhere in the driver.
Comment 1 Jon Moroney 2026-02-04 19:21:55 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026020415-CVE-2026-23062-991d@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.