FKIE_CVE-2026-23266

Vulnerability from fkie_nvd - Published: 2026-03-18 18:16 - Updated: 2026-05-29 18:43
Severity
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: fbdev: rivafb: fix divide error in nv3_arb() A userspace program can trigger the RIVA NV3 arbitration code by calling the FBIOPUT_VSCREENINFO ioctl on /dev/fb*. When doing so, the driver recomputes FIFO arbitration parameters in nv3_arb(), using state->mclk_khz (derived from the PRAMDAC MCLK PLL) as a divisor without validating it first. In a normal setup, state->mclk_khz is provided by the real hardware and is non-zero. However, an attacker can construct a malicious or misconfigured device (e.g. a crafted/emulated PCI device) that exposes a bogus PLL configuration, causing state->mclk_khz to become zero. Once nv3_get_param() calls nv3_arb(), the division by state->mclk_khz in the gns calculation causes a divide error and crashes the kernel. Fix this by checking whether state->mclk_khz is zero and bailing out before doing the division. The following log reveals it: rivafb: setting virtual Y resolution to 2184 divide error: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 0 PID: 2187 Comm: syz-executor.0 Not tainted 5.18.0-rc1+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 RIP: 0010:nv3_arb drivers/video/fbdev/riva/riva_hw.c:439 [inline] RIP: 0010:nv3_get_param+0x3ab/0x13b0 drivers/video/fbdev/riva/riva_hw.c:546 Call Trace: nv3CalcArbitration.constprop.0+0x255/0x460 drivers/video/fbdev/riva/riva_hw.c:603 nv3UpdateArbitrationSettings drivers/video/fbdev/riva/riva_hw.c:637 [inline] CalcStateExt+0x447/0x1b90 drivers/video/fbdev/riva/riva_hw.c:1246 riva_load_video_mode+0x8a9/0xea0 drivers/video/fbdev/riva/fbdev.c:779 rivafb_set_par+0xc0/0x5f0 drivers/video/fbdev/riva/fbdev.c:1196 fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1033 do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1109 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1188 __x64_sys_ioctl+0x122/0x190 fs/ioctl.c:856
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/0209e21e3c372fa2da04c39214bec0b64e4eb5f4Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/3e4cbd1d46c246dfa684c8e9d8c20ae0b960c50aPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/526460a96c5443e2fc0fd231edd1f9c49d2de26bPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/52916878db2b8e3769743a94484729f0844352dfPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/73f0391e92d404da68f7484e57c106c5e673dc7ePatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/78daf5984d96edec3b920c72a93bd6821b8710b7Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9efa0dc46270a8723c158c64afbcf1dead72b28cPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ec5a58f4fd581875593ea92a65485e1906a53c0fPatch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
linux linux_kernel 2.6.12
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "CABFF5E9-C52A-4642-9228-1D6E483DA497",
              "versionEndExcluding": "5.10.251",
              "versionStartIncluding": "2.6.12.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "600A89ED-86F2-48D8-BB7C-5EE7A8832FC5",
              "versionEndExcluding": "5.15.201",
              "versionStartIncluding": "5.11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6892F74B-3F14-4500-9652-24A2ECB04144",
              "versionEndExcluding": "6.1.164",
              "versionStartIncluding": "5.16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4A9F36A3-A685-48A0-84B4-6217052BD058",
              "versionEndExcluding": "6.6.127",
              "versionStartIncluding": "6.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C2968F55-D03F-42BE-A694-F0A37BC8CBE3",
              "versionEndExcluding": "6.12.74",
              "versionStartIncluding": "6.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6BDEF9FB-423E-49F6-991B-9277CC3AF400",
              "versionEndExcluding": "6.18.13",
              "versionStartIncluding": "6.13",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7853A337-FB2A-4E19-AB47-4E38343532AA",
              "versionEndExcluding": "6.19.3",
              "versionStartIncluding": "6.19",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:*",
              "matchCriteriaId": "6F62EECE-8FB1-4D57-85D8-CB9E23CF313C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "4F76C298-81DC-43E4-8FC9-DC005A2116EF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "0AB349B2-3F78-4197-882B-90ADB3BF645A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "6AC88830-A9BC-4607-B572-A4B502FC9FD0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:*",
              "matchCriteriaId": "476CB3A5-D022-4F13-AAEF-CB6A5785516A",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: rivafb: fix divide error in nv3_arb()\n\nA userspace program can trigger the RIVA NV3 arbitration code by calling\nthe FBIOPUT_VSCREENINFO ioctl on /dev/fb*. When doing so, the driver\nrecomputes FIFO arbitration parameters in nv3_arb(), using state-\u003emclk_khz\n(derived from the PRAMDAC MCLK PLL) as a divisor without validating it\nfirst.\n\nIn a normal setup, state-\u003emclk_khz is provided by the real hardware and is\nnon-zero. However, an attacker can construct a malicious or misconfigured\ndevice (e.g. a crafted/emulated PCI device) that exposes a bogus PLL\nconfiguration, causing state-\u003emclk_khz to become zero.  Once\nnv3_get_param() calls nv3_arb(), the division by state-\u003emclk_khz in the gns\ncalculation causes a divide error and crashes the kernel.\n\nFix this by checking whether state-\u003emclk_khz is zero and bailing out before\ndoing the division.\n\nThe following log reveals it:\n\nrivafb: setting virtual Y resolution to 2184\ndivide error: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 0 PID: 2187 Comm: syz-executor.0 Not tainted 5.18.0-rc1+ #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014\nRIP: 0010:nv3_arb drivers/video/fbdev/riva/riva_hw.c:439 [inline]\nRIP: 0010:nv3_get_param+0x3ab/0x13b0 drivers/video/fbdev/riva/riva_hw.c:546\nCall Trace:\n  nv3CalcArbitration.constprop.0+0x255/0x460 drivers/video/fbdev/riva/riva_hw.c:603\n  nv3UpdateArbitrationSettings drivers/video/fbdev/riva/riva_hw.c:637 [inline]\n  CalcStateExt+0x447/0x1b90 drivers/video/fbdev/riva/riva_hw.c:1246\n  riva_load_video_mode+0x8a9/0xea0 drivers/video/fbdev/riva/fbdev.c:779\n  rivafb_set_par+0xc0/0x5f0 drivers/video/fbdev/riva/fbdev.c:1196\n  fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1033\n  do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1109\n  fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1188\n  __x64_sys_ioctl+0x122/0x190 fs/ioctl.c:856"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta:\n\nfbdev: rivafb: corrige error de divisi\u00f3n en nv3_arb()\n\nUn programa de espacio de usuario puede activar el c\u00f3digo de arbitraje RIVA NV3 llamando al ioctl FBIOPUT_VSCREENINFO en /dev/fb*. Al hacerlo, el controlador recalcula los par\u00e1metros de arbitraje FIFO en nv3_arb(), usando state-\u0026gt;mclk_khz (derivado del PRAMDAC MCLK PLL) como divisor sin validarlo primero.\n\nEn una configuraci\u00f3n normal, state-\u0026gt;mclk_khz es proporcionado por el hardware real y no es cero. Sin embargo, un atacante puede construir un dispositivo malicioso o mal configurado (p. ej., un dispositivo PCI manipulado/emulado) que expone una configuraci\u00f3n PLL falsa, haciendo que state-\u0026gt;mclk_khz se vuelva cero. Una vez que nv3_get_param() llama a nv3_arb(), la divisi\u00f3n por state-\u0026gt;mclk_khz en el c\u00e1lculo de gns causa un error de divisi\u00f3n y bloquea el kernel.\n\nSolucione esto verificando si state-\u0026gt;mclk_khz es cero y saliendo antes de realizar la divisi\u00f3n.\n\nEl siguiente registro lo revela:\n\nrivafb: estableciendo la resoluci\u00f3n Y virtual a 2184\nerror de divisi\u00f3n: 0000 [#1] PREEMPT SMP KASAN PTI\nCPU: 0 PID: 2187 Comm: syz-executor.0 No contaminado 5.18.0-rc1+ #1\nNombre del hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014\nRIP: 0010:nv3_arb drivers/video/fbdev/riva/riva_hw.c:439 [inline]\nRIP: 0010:nv3_get_param+0x3ab/0x13b0 drivers/video/fbdev/riva/riva_hw.c:546\nTraza de llamada:\n  nv3CalcArbitration.constprop.0+0x255/0x460 drivers/video/fbdev/riva/riva_hw.c:603\n  nv3UpdateArbitrationSettings drivers/video/fbdev/riva/riva_hw.c:637 [inline]\n  CalcStateExt+0x447/0x1b90 drivers/video/fbdev/riva/riva_hw.c:1246\n  riva_load_video_mode+0x8a9/0xea0 drivers/video/fbdev/riva/fbdev.c:779\n  rivafb_set_par+0xc0/0x5f0 drivers/video/fbdev/riva/fbdev.c:1196\n  fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1033\n  do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1109\n  fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1188\n  __x64_sys_ioctl+0x122/0x190 fs/ioctl.c:856"
    }
  ],
  "id": "CVE-2026-23266",
  "lastModified": "2026-05-29T18:43:22.847",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-03-18T18:16:25.370",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/0209e21e3c372fa2da04c39214bec0b64e4eb5f4"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/3e4cbd1d46c246dfa684c8e9d8c20ae0b960c50a"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/526460a96c5443e2fc0fd231edd1f9c49d2de26b"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/52916878db2b8e3769743a94484729f0844352df"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/73f0391e92d404da68f7484e57c106c5e673dc7e"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/78daf5984d96edec3b920c72a93bd6821b8710b7"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/9efa0dc46270a8723c158c64afbcf1dead72b28c"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/ec5a58f4fd581875593ea92a65485e1906a53c0f"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-369"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.