KernelScan.io

HIGH

accel/rocket Probe Unwinding OOB

CVE-2026-23305

CVSS 7.1 / 10.0 (NVD)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

KernelScan AI 5.5 MEDIUM

In the Linux kernel, the following vulnerability has been resolved:

accel/rocket: fix unwinding in error path in rocket_probe

When rocket_core_init() fails (as could be the case with EPROBE_DEFER), we need to properly unwind by decrementing the counter we just incremented and, if this is the first core we failed to probe, remove the rocket DRM device with rocket_device_fini() as well. This matches the logic in rocket_remove().

Failing to properly unwind results in out-of-bounds accesses.

Engine v0.2.0

Risk summary

Systems with the rocket accelerator driver are at risk of kernel crashes and information disclosure during device initialization failures. The vulnerability causes out-of-bounds memory access when the driver fails to properly unwind initialization state, potentially leading to kernel panic or limited leakage of adjacent kernel memory.

Affected: drivers/accel/rocket/rocket_drv.c (rocket accelerator driver)

Vulnerability analysis

The root cause is improper error handling in rocket_probe() where the num_cores counter is incremented before rocket_core_init() but not decremented on failure, creating an inconsistent state. This leads to out-of-bounds array access when the counter is subsequently used to index the cores array in driver operations. The fix adds proper unwinding that decrements the counter and cleans up the device structure if this was the first core, matching the logic in rocket_remove(). Exploitation requires local access with root privileges to trigger the vulnerable probe error path (e.g., via driver unbind/rebind or module reload under controlled conditions), after which the corrupted state can lead to out-of-bounds reads and writes.

Branch     Fixed in   Patch commit
6.18       6.18.17    7fc4b49474c8
6.19       6.19.7     eeaf28c8f4de
mainline   7.0        34f4495a7f72