CVE-2026-23266

MEDIUM EPSS 1.8%
Published Mar 18, 20263mo ago · Modified May 29, 20261mo ago
5.5 CVSS 3.1
Medium
Find Similar
Published Mar 18, 2026 3mo ago
Last Modified May 29, 2026 1mo ago

Description

In the Linux kernel, the following vulnerability has been resolved: fbdev: rivafb: fix divide error in nv3_arb() A userspace program can trigger the RIVA NV3 arbitration code by calling the FBIOPUT_VSCREENINFO ioctl on /dev/fb*. When doing so, the driver recomputes FIFO arbitration parameters in nv3_arb(), using state->mclk_khz (derived from the PRAMDAC MCLK PLL) as a divisor without validating it first. In a normal setup, state->mclk_khz is provided by the real hardware and is non-zero. However, an attacker can construct a malicious or misconfigured device (e.g. a crafted/emulated PCI device) that exposes a bogus PLL configuration, causing state->mclk_khz to become zero. Once nv3_get_param() calls nv3_arb(), the division by state->mclk_khz in the gns calculation causes a divide error and crashes the kernel. Fix this by checking whether state->mclk_khz is zero and bailing out before doing the division. The following log reveals it: rivafb: setting virtual Y resolution to 2184 divide error: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 0 PID: 2187 Comm: syz-executor.0 Not tainted 5.18.0-rc1+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 RIP: 0010:nv3_arb drivers/video/fbdev/riva/riva_hw.c:439 [inline] RIP: 0010:nv3_get_param+0x3ab/0x13b0 drivers/video/fbdev/riva/riva_hw.c:546 Call Trace: nv3CalcArbitration.constprop.0+0x255/0x460 drivers/video/fbdev/riva/riva_hw.c:603 nv3UpdateArbitrationSettings drivers/video/fbdev/riva/riva_hw.c:637 [inline] CalcStateExt+0x447/0x1b90 drivers/video/fbdev/riva/riva_hw.c:1246 riva_load_video_mode+0x8a9/0xea0 drivers/video/fbdev/riva/fbdev.c:779 rivafb_set_par+0xc0/0x5f0 drivers/video/fbdev/riva/fbdev.c:1196 fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1033 do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1109 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1188 __x64_sys_ioctl+0x122/0x190 fs/ioctl.c:856

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
1.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-369

Affected Products 12

VendorProductVersionRange
linuxlinux_kernel*≥2.6.12.1  –  <5.10.251
linuxlinux_kernel*≥5.11  –  <5.15.201
linuxlinux_kernel*≥5.16  –  <6.1.164
linuxlinux_kernel*≥6.2  –  <6.6.127
linuxlinux_kernel*≥6.7  –  <6.12.74
linuxlinux_kernel*≥6.13  –  <6.18.13
linuxlinux_kernel*≥6.19  –  <6.19.3
linuxlinux_kernel2.6.12any
linuxlinux_kernel2.6.12any
linuxlinux_kernel2.6.12any
linuxlinux_kernel2.6.12any
linuxlinux_kernel2.6.12any

References 8

  • git.kernel.org https://git.kernel.org/stable/c/0209e21e3c372fa2da04c39214bec0b64e4eb5f4
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3e4cbd1d46c246dfa684c8e9d8c20ae0b960c50a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/526460a96c5443e2fc0fd231edd1f9c49d2de26b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/52916878db2b8e3769743a94484729f0844352df
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/73f0391e92d404da68f7484e57c106c5e673dc7e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/78daf5984d96edec3b920c72a93bd6821b8710b7
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9efa0dc46270a8723c158c64afbcf1dead72b28c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ec5a58f4fd581875593ea92a65485e1906a53c0f
    Patch

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/0209e21e3c372fa2da04c39214bec0b64e4eb5f4
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/3e4cbd1d46c246dfa684c8e9d8c20ae0b960c50a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/526460a96c5443e2fc0fd231edd1f9c49d2de26b
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/52916878db2b8e3769743a94484729f0844352df
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/73f0391e92d404da68f7484e57c106c5e673dc7e
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/78daf5984d96edec3b920c72a93bd6821b8710b7
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/9efa0dc46270a8723c158c64afbcf1dead72b28c
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/ec5a58f4fd581875593ea92a65485e1906a53c0f
    Patch