HIGH
pmdomain imx8m Domain Array OOB
CVE-2026-23187
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
KernelScan AI7.1HIGH
01Description
In the Linux kernel, the following vulnerability has been resolved: pmdomain: imx8m-blk-ctrl: fix out-of-range access of bc->domains Fix out-of-range access of bc->domains in imx8m_blk_ctrl_remove().
02KernelScan AI Analysis
Risk summary
A programming error in the i.MX8M power domain driver causes an infinite loop during device cleanup, leading to out-of-bounds memory reads that could crash the system or potentially leak kernel memory contents. This affects systems using i.MX8M processors when the power domain driver is removed or reloaded.
Vulnerability analysis
Root Cause: The for loop condition in imx8m_blk_ctrl_remove() uses assignment (=) instead of comparison (<), causing an infinite loop that accesses bc->domains array out of bounds. The condition 'bc->onecell_data.num_domains' is always true (non-zero), so the loop never terminates and continues accessing array elements beyond the allocated range.
Attack Surface: This vulnerability is triggered during device removal/cleanup in the i.MX8M power domain controller driver. It requires local access with sufficient privileges to trigger device removal, typically through module unloading or device unbinding operations.
Fix Mechanism: The patch corrects the loop condition from 'for (i = 0; bc->onecell_data.num_domains; i++)' to 'for (i = 0; i < bc->onecell_data.num_domains; i++)', properly terminating the loop when i reaches the number of domains and preventing out-of-bounds access.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.1 | 6.1.163 | 7842b5dfcac8 |
| 6.12 | 6.12.70 | 4390dcdabb5f |
| 6.18 | 6.18.10 | eb54ce033b34 |
| 6.6 | 6.6.124 | 071159ff5c0b |
| mainline | 6.19 | 6bd8b4a92a90 |