{"api_version":"1","generated_at":"2026-04-25T11:41:50+00:00","cve":"CVE-2026-23327","urls":{"html":"https://cve.report/CVE-2026-23327","api":"https://cve.report/api/cve/CVE-2026-23327.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-23327","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-23327"},"summary":{"title":"cxl/mbox: validate payload size before accessing contents in cxl_payload_from_user_allowed()","description":"In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/mbox: validate payload size before accessing contents in cxl_payload_from_user_allowed()\n\ncxl_payload_from_user_allowed() casts and dereferences the input\npayload without first verifying its size. When a raw mailbox command\nis sent with an undersized payload (ie: 1 byte for CXL_MBOX_OP_CLEAR_LOG,\nwhich expects a 16-byte UUID), uuid_equal() reads past the allocated buffer,\ntriggering a KASAN splat:\n\nBUG: KASAN: slab-out-of-bounds in memcmp+0x176/0x1d0 lib/string.c:683\nRead of size 8 at addr ffff88810130f5c0 by task syz.1.62/2258\n\nCPU: 2 UID: 0 PID: 2258 Comm: syz.1.62 Not tainted 6.19.0-dirty #3 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0xab/0xe0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xce/0x650 mm/kasan/report.c:482\n kasan_report+0xce/0x100 mm/kasan/report.c:595\n memcmp+0x176/0x1d0 lib/string.c:683\n uuid_equal include/linux/uuid.h:73 [inline]\n cxl_payload_from_user_allowed drivers/cxl/core/mbox.c:345 [inline]\n cxl_mbox_cmd_ctor drivers/cxl/core/mbox.c:368 [inline]\n cxl_validate_cmd_from_user drivers/cxl/core/mbox.c:522 [inline]\n cxl_send_cmd+0x9c0/0xb50 drivers/cxl/core/mbox.c:643\n __cxl_memdev_ioctl drivers/cxl/core/memdev.c:698 [inline]\n cxl_memdev_ioctl+0x14f/0x190 drivers/cxl/core/memdev.c:713\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl fs/ioctl.c:583 [inline]\n __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xa8/0x330 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fdaf331ba79\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fdaf1d77038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007fdaf3585fa0 RCX: 00007fdaf331ba79\nRDX: 00002000000001c0 RSI: 00000000c030ce02 RDI: 0000000000000003\nRBP: 00007fdaf33749df R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007fdaf3586038 R14: 00007fdaf3585fa0 R15: 00007ffced2af768\n </TASK>\n\nAdd 'in_size' parameter to cxl_payload_from_user_allowed() and validate\nthe payload is large enough.","state":"PUBLISHED","assigner":"Linux","published_at":"2026-03-25 11:16:29","updated_at":"2026-04-23 21:11:13"},"problem_types":["CWE-125"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"7.1","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"}}],"references":[{"url":"https://git.kernel.org/stable/c/7c8a7b7f063b7e7ae9bba4cbaa14a5d2fe3a55e1","name":"https://git.kernel.org/stable/c/7c8a7b7f063b7e7ae9bba4cbaa14a5d2fe3a55e1","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/60b5d1f68338aff2c5af0113f04aefa7169c50c2","name":"https://git.kernel.org/stable/c/60b5d1f68338aff2c5af0113f04aefa7169c50c2","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-23327","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23327","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6179045ccc0c6229dc449afc1701dc7fbd40571f 7c8a7b7f063b7e7ae9bba4cbaa14a5d2fe3a55e1 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6179045ccc0c6229dc449afc1701dc7fbd40571f 60b5d1f68338aff2c5af0113f04aefa7169c50c2 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5.19","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.19 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.7 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"23327","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"23327","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"5.19","cpe7":"-","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"23327","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"7.0","cpe7":"rc1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"23327","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"7.0","cpe7":"rc2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"23327","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"7.0","cpe7":"rc3","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"23327","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"7.0","cpe7":"rc4","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"23327","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"7.0","cpe7":"rc5","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"23327","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"7.0","cpe7":"rc6","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2026","cve_id":"23327","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"7.0","cpe7":"rc7","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"23327","cve":"CVE-2026-23327","epss":"0.000150000","percentile":"0.028630000","score_date":"2026-04-24","updated_at":"2026-04-25 00:14:35"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/cxl/core/mbox.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"7c8a7b7f063b7e7ae9bba4cbaa14a5d2fe3a55e1","status":"affected","version":"6179045ccc0c6229dc449afc1701dc7fbd40571f","versionType":"git"},{"lessThan":"60b5d1f68338aff2c5af0113f04aefa7169c50c2","status":"affected","version":"6179045ccc0c6229dc449afc1701dc7fbd40571f","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/cxl/core/mbox.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"5.19"},{"lessThan":"5.19","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.7","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.7","versionStartIncluding":"5.19","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"5.19","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/mbox: validate payload size before accessing contents in cxl_payload_from_user_allowed()\n\ncxl_payload_from_user_allowed() casts and dereferences the input\npayload without first verifying its size. When a raw mailbox command\nis sent with an undersized payload (ie: 1 byte for CXL_MBOX_OP_CLEAR_LOG,\nwhich expects a 16-byte UUID), uuid_equal() reads past the allocated buffer,\ntriggering a KASAN splat:\n\nBUG: KASAN: slab-out-of-bounds in memcmp+0x176/0x1d0 lib/string.c:683\nRead of size 8 at addr ffff88810130f5c0 by task syz.1.62/2258\n\nCPU: 2 UID: 0 PID: 2258 Comm: syz.1.62 Not tainted 6.19.0-dirty #3 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0xab/0xe0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xce/0x650 mm/kasan/report.c:482\n kasan_report+0xce/0x100 mm/kasan/report.c:595\n memcmp+0x176/0x1d0 lib/string.c:683\n uuid_equal include/linux/uuid.h:73 [inline]\n cxl_payload_from_user_allowed drivers/cxl/core/mbox.c:345 [inline]\n cxl_mbox_cmd_ctor drivers/cxl/core/mbox.c:368 [inline]\n cxl_validate_cmd_from_user drivers/cxl/core/mbox.c:522 [inline]\n cxl_send_cmd+0x9c0/0xb50 drivers/cxl/core/mbox.c:643\n __cxl_memdev_ioctl drivers/cxl/core/memdev.c:698 [inline]\n cxl_memdev_ioctl+0x14f/0x190 drivers/cxl/core/memdev.c:713\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl fs/ioctl.c:583 [inline]\n __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xa8/0x330 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fdaf331ba79\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fdaf1d77038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007fdaf3585fa0 RCX: 00007fdaf331ba79\nRDX: 00002000000001c0 RSI: 00000000c030ce02 RDI: 0000000000000003\nRBP: 00007fdaf33749df R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007fdaf3586038 R14: 00007fdaf3585fa0 R15: 00007ffced2af768\n </TASK>\n\nAdd 'in_size' parameter to cxl_payload_from_user_allowed() and validate\nthe payload is large enough."}],"providerMetadata":{"dateUpdated":"2026-04-13T06:05:05.125Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/7c8a7b7f063b7e7ae9bba4cbaa14a5d2fe3a55e1"},{"url":"https://git.kernel.org/stable/c/60b5d1f68338aff2c5af0113f04aefa7169c50c2"}],"title":"cxl/mbox: validate payload size before accessing contents in cxl_payload_from_user_allowed()","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-23327","datePublished":"2026-03-25T10:27:19.815Z","dateReserved":"2026-01-13T15:37:45.996Z","dateUpdated":"2026-04-13T06:05:05.125Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-03-25 11:16:29","lastModifiedDate":"2026-04-23 21:11:13","problem_types":["CWE-125"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.2}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.19.1","versionEndExcluding":"6.19.7","matchCriteriaId":"74C0D01A-385D-4859-8FCC-93ACC7B4B847"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:5.19:-:*:*:*:*:*:*","matchCriteriaId":"9D759CCF-9E1B-41B2-81AA-CB580C5F3EEC"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","matchCriteriaId":"F253B622-8837-4245-BCE5-A7BF8FC76A16"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","matchCriteriaId":"4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","matchCriteriaId":"F666C8D8-6538-46D4-B318-87610DE64C34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","matchCriteriaId":"02259FDA-961B-47BC-AE7F-93D7EC6E90C2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","matchCriteriaId":"58A9FEFF-C040-420D-8F0A-BFDAAA1DF258"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","matchCriteriaId":"1D2315C0-D46F-4F85-9754-F9E5E11374A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*","matchCriteriaId":"512EE3A8-A590-4501-9A94-5D4B268D6138"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"23327","Ordinal":"1","Title":"cxl/mbox: validate payload size before accessing contents in cxl","CVE":"CVE-2026-23327","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"23327","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/mbox: validate payload size before accessing contents in cxl_payload_from_user_allowed()\n\ncxl_payload_from_user_allowed() casts and dereferences the input\npayload without first verifying its size. When a raw mailbox command\nis sent with an undersized payload (ie: 1 byte for CXL_MBOX_OP_CLEAR_LOG,\nwhich expects a 16-byte UUID), uuid_equal() reads past the allocated buffer,\ntriggering a KASAN splat:\n\nBUG: KASAN: slab-out-of-bounds in memcmp+0x176/0x1d0 lib/string.c:683\nRead of size 8 at addr ffff88810130f5c0 by task syz.1.62/2258\n\nCPU: 2 UID: 0 PID: 2258 Comm: syz.1.62 Not tainted 6.19.0-dirty #3 PREEMPT(voluntary)\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014\nCall Trace:\n <TASK>\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0xab/0xe0 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:378 [inline]\n print_report+0xce/0x650 mm/kasan/report.c:482\n kasan_report+0xce/0x100 mm/kasan/report.c:595\n memcmp+0x176/0x1d0 lib/string.c:683\n uuid_equal include/linux/uuid.h:73 [inline]\n cxl_payload_from_user_allowed drivers/cxl/core/mbox.c:345 [inline]\n cxl_mbox_cmd_ctor drivers/cxl/core/mbox.c:368 [inline]\n cxl_validate_cmd_from_user drivers/cxl/core/mbox.c:522 [inline]\n cxl_send_cmd+0x9c0/0xb50 drivers/cxl/core/mbox.c:643\n __cxl_memdev_ioctl drivers/cxl/core/memdev.c:698 [inline]\n cxl_memdev_ioctl+0x14f/0x190 drivers/cxl/core/memdev.c:713\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:597 [inline]\n __se_sys_ioctl fs/ioctl.c:583 [inline]\n __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583\n do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]\n do_syscall_64+0xa8/0x330 arch/x86/entry/syscall_64.c:94\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7fdaf331ba79\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007fdaf1d77038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\nRAX: ffffffffffffffda RBX: 00007fdaf3585fa0 RCX: 00007fdaf331ba79\nRDX: 00002000000001c0 RSI: 00000000c030ce02 RDI: 0000000000000003\nRBP: 00007fdaf33749df R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007fdaf3586038 R14: 00007fdaf3585fa0 R15: 00007ffced2af768\n </TASK>\n\nAdd 'in_size' parameter to cxl_payload_from_user_allowed() and validate\nthe payload is large enough.","Type":"Description","Title":"cxl/mbox: validate payload size before accessing contents in cxl"}]}}}