CVE-2026-23039 — NULL Pointer Dereference in Linux

CWE-476 — NULL Pointer Dereference7 documents6 sources

Severity

5.5MEDIUM

No vector

EPSS

0.0%

top 98.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Linux Linux Kernel Debian Linux

Timeline

PublishedJan 31

Description

In the Linux kernel, the following vulnerability has been resolved: drm/gud: fix NULL fb and crtc dereferences on USB disconnect On disconnect drm_atomic_helper_disable_all() is called which sets both the fb and crtc for a plane to NULL before invoking a commit. This causes a kernel oops on every display disconnect. Add guards for those dereferences.

Affected Packages4 packages

▶Linuxlinux/linux_kernel6.18.0 — 6.18.7

▶Debianlinux/linux_kernel< 6.18.8-1

▶CVEListV5linux/linux73cfd166e045769a1b42d36897accaa6e06b8102 — a255ec07f91d4c73a361a28b7a3d82f5710245f1+2

▶debiandebian/linux< linux 6.18.8-1 (forky)

🔴Vulnerability Details

OSV

CVE-2026-23039: In the Linux kernel, the following vulnerability has been resolved: drm/gud: fix NULL fb and crtc dereferences on USB disconnect On disconnect drm_ato↗2026-01-31

▶

GHSA

GHSA-8v58-m3wh-hhg4: In the Linux kernel, the following vulnerability has been resolved: drm/gud: fix NULL fb and crtc dereferences on USB disconnect On disconnect drm_a↗2026-01-31

▶

OSV

drm/gud: fix NULL fb and crtc dereferences on USB disconnect↗2026-01-31

▶

📋Vendor Advisories

Red Hat

kernel: drm/gud: fix NULL fb and crtc dereferences on USB disconnect↗2026-01-31

▶

Debian

CVE-2026-23039: linux - In the Linux kernel, the following vulnerability has been resolved: drm/gud: fi...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-23039 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶