{"api_version":"1","generated_at":"2026-04-22T16:04:03+00:00","cve":"CVE-2026-23236","urls":{"html":"https://cve.report/CVE-2026-23236","api":"https://cve.report/api/cve/CVE-2026-23236.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-23236","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-23236"},"summary":{"title":"fbdev: smscufx: properly copy ioctl memory to kernelspace","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: smscufx: properly copy ioctl memory to kernelspace\n\nThe UFX_IOCTL_REPORT_DAMAGE ioctl does not properly copy data from\nuserspace to kernelspace, and instead directly references the memory,\nwhich can cause problems if invalid data is passed from userspace.  Fix\nthis all up by correctly copying the memory before accessing it within\nthe kernel.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-03-04 15:16:14","updated_at":"2026-04-02 15:16:24"},"problem_types":["NVD-CWE-noinfo"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"5.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}},{"version":"3.1","source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","score":"7.3","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H","baseScore":7.3,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"7.3","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H","data":{"baseScore":7.3,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://git.kernel.org/stable/c/1c008ad0f0d1c1523902b9cdb08e404129677bfc","name":"https://git.kernel.org/stable/c/1c008ad0f0d1c1523902b9cdb08e404129677bfc","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/061cfeb560aa3ddc174153dbe5be9d0b55eb7248","name":"https://git.kernel.org/stable/c/061cfeb560aa3ddc174153dbe5be9d0b55eb7248","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/6167af934f956d3ae1e06d61f45cd0d1004bbe1a","name":"https://git.kernel.org/stable/c/6167af934f956d3ae1e06d61f45cd0d1004bbe1a","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/120adae7b42faa641179270c067864544a50ab69","name":"https://git.kernel.org/stable/c/120adae7b42faa641179270c067864544a50ab69","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/a0321e6e58facb39fe191caa0e52ed9aab6a48fe","name":"https://git.kernel.org/stable/c/a0321e6e58facb39fe191caa0e52ed9aab6a48fe","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/f1e91bd4efeae48b0f42caed7e8ce2e3a0d05b02","name":"https://git.kernel.org/stable/c/f1e91bd4efeae48b0f42caed7e8ce2e3a0d05b02","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/52917e265aa5f848212f60fc50fc504d8ef12866","name":"https://git.kernel.org/stable/c/52917e265aa5f848212f60fc50fc504d8ef12866","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/0634e8d650993602fc5b389ff7ac525f6542e141","name":"https://git.kernel.org/stable/c/0634e8d650993602fc5b389ff7ac525f6542e141","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-23236","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23236","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 061cfeb560aa3ddc174153dbe5be9d0b55eb7248 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 6167af934f956d3ae1e06d61f45cd0d1004bbe1a git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 a0321e6e58facb39fe191caa0e52ed9aab6a48fe git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 0634e8d650993602fc5b389ff7ac525f6542e141 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 52917e265aa5f848212f60fc50fc504d8ef12866 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 1c008ad0f0d1c1523902b9cdb08e404129677bfc git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 f1e91bd4efeae48b0f42caed7e8ce2e3a0d05b02 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3c8a63e22a0802fd56380f6ab305b419f18eb6f5 120adae7b42faa641179270c067864544a50ab69 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 3.2","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 3.2 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.10.251 5.10.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15.201 5.15.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.164 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.127 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.74 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.13 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.3 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0-rc1 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"23236","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/video/fbdev/smscufx.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"061cfeb560aa3ddc174153dbe5be9d0b55eb7248","status":"affected","version":"3c8a63e22a0802fd56380f6ab305b419f18eb6f5","versionType":"git"},{"lessThan":"6167af934f956d3ae1e06d61f45cd0d1004bbe1a","status":"affected","version":"3c8a63e22a0802fd56380f6ab305b419f18eb6f5","versionType":"git"},{"lessThan":"a0321e6e58facb39fe191caa0e52ed9aab6a48fe","status":"affected","version":"3c8a63e22a0802fd56380f6ab305b419f18eb6f5","versionType":"git"},{"lessThan":"0634e8d650993602fc5b389ff7ac525f6542e141","status":"affected","version":"3c8a63e22a0802fd56380f6ab305b419f18eb6f5","versionType":"git"},{"lessThan":"52917e265aa5f848212f60fc50fc504d8ef12866","status":"affected","version":"3c8a63e22a0802fd56380f6ab305b419f18eb6f5","versionType":"git"},{"lessThan":"1c008ad0f0d1c1523902b9cdb08e404129677bfc","status":"affected","version":"3c8a63e22a0802fd56380f6ab305b419f18eb6f5","versionType":"git"},{"lessThan":"f1e91bd4efeae48b0f42caed7e8ce2e3a0d05b02","status":"affected","version":"3c8a63e22a0802fd56380f6ab305b419f18eb6f5","versionType":"git"},{"lessThan":"120adae7b42faa641179270c067864544a50ab69","status":"affected","version":"3c8a63e22a0802fd56380f6ab305b419f18eb6f5","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/video/fbdev/smscufx.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"3.2"},{"lessThan":"3.2","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"5.10.*","status":"unaffected","version":"5.10.251","versionType":"semver"},{"lessThanOrEqual":"5.15.*","status":"unaffected","version":"5.15.201","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.164","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.127","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.74","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.13","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.3","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0-rc1","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.251","versionStartIncluding":"3.2","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"5.15.201","versionStartIncluding":"3.2","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.164","versionStartIncluding":"3.2","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.127","versionStartIncluding":"3.2","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.74","versionStartIncluding":"3.2","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.13","versionStartIncluding":"3.2","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.3","versionStartIncluding":"3.2","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0-rc1","versionStartIncluding":"3.2","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: smscufx: properly copy ioctl memory to kernelspace\n\nThe UFX_IOCTL_REPORT_DAMAGE ioctl does not properly copy data from\nuserspace to kernelspace, and instead directly references the memory,\nwhich can cause problems if invalid data is passed from userspace.  Fix\nthis all up by correctly copying the memory before accessing it within\nthe kernel."}],"metrics":[{"cvssV3_1":{"baseScore":7.3,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H","version":"3.1"}}],"providerMetadata":{"dateUpdated":"2026-04-02T14:43:52.032Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/061cfeb560aa3ddc174153dbe5be9d0b55eb7248"},{"url":"https://git.kernel.org/stable/c/6167af934f956d3ae1e06d61f45cd0d1004bbe1a"},{"url":"https://git.kernel.org/stable/c/a0321e6e58facb39fe191caa0e52ed9aab6a48fe"},{"url":"https://git.kernel.org/stable/c/0634e8d650993602fc5b389ff7ac525f6542e141"},{"url":"https://git.kernel.org/stable/c/52917e265aa5f848212f60fc50fc504d8ef12866"},{"url":"https://git.kernel.org/stable/c/1c008ad0f0d1c1523902b9cdb08e404129677bfc"},{"url":"https://git.kernel.org/stable/c/f1e91bd4efeae48b0f42caed7e8ce2e3a0d05b02"},{"url":"https://git.kernel.org/stable/c/120adae7b42faa641179270c067864544a50ab69"}],"title":"fbdev: smscufx: properly copy ioctl memory to kernelspace","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-23236","datePublished":"2026-03-04T14:36:40.162Z","dateReserved":"2026-01-13T15:37:45.988Z","dateUpdated":"2026-04-02T14:43:52.032Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-03-04 15:16:14","lastModifiedDate":"2026-04-02 15:16:24","problem_types":["NVD-CWE-noinfo"],"metrics":{"cvssMetricV31":[{"source":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H","baseScore":7.3,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.5},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.2","versionEndExcluding":"5.10.251","matchCriteriaId":"C8DBBBFC-9692-4C23-A5E0-8F01CB6789D1"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11","versionEndExcluding":"5.15.201","matchCriteriaId":"600A89ED-86F2-48D8-BB7C-5EE7A8832FC5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.16","versionEndExcluding":"6.1.164","matchCriteriaId":"6892F74B-3F14-4500-9652-24A2ECB04144"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2","versionEndExcluding":"6.6.127","matchCriteriaId":"4A9F36A3-A685-48A0-84B4-6217052BD058"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.7","versionEndExcluding":"6.12.74","matchCriteriaId":"C2968F55-D03F-42BE-A694-F0A37BC8CBE3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.13","matchCriteriaId":"6BDEF9FB-423E-49F6-991B-9277CC3AF400"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.3","matchCriteriaId":"7853A337-FB2A-4E19-AB47-4E38343532AA"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"23236","Ordinal":"1","Title":"fbdev: smscufx: properly copy ioctl memory to kernelspace","CVE":"CVE-2026-23236","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"23236","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: smscufx: properly copy ioctl memory to kernelspace\n\nThe UFX_IOCTL_REPORT_DAMAGE ioctl does not properly copy data from\nuserspace to kernelspace, and instead directly references the memory,\nwhich can cause problems if invalid data is passed from userspace.  Fix\nthis all up by correctly copying the memory before accessing it within\nthe kernel.","Type":"Description","Title":"fbdev: smscufx: properly copy ioctl memory to kernelspace"}]}}}