#VU124488 Use of Uninitialized Variable in Linux kernel - CVE-2026-23358

Published: March 25, 2026


Vulnerability identifier: #VU124488
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23358
CWE-ID: CWE-457
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: Linux kernel
Software vendor: Linux Foundation

Description

The vulnerability allows a local user to execute arbitrary code and escalate privileges.

The vulnerability exists due to improper initialization in the DRM/AMDGPU subsystem when handling error conditions during slot reset. A local user can trigger a use of uninitialized memory to execute arbitrary code and escalate privileges.

The issue arises from an uninitialized hive pointer and list, which may be accessed if the device fails to recover after a slot reset, leading to memory corruption.
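The bug class the description names (CWE-457 on a slot-reset error path), as an added C example that is not the kernel's or the advisory's code: the handler names, struct fields and the device/hive model are hypothetical stand-ins, constructed to show why initializing the hive pointer and list before any early exit keeps the failure path safe for cleanup.

```c
#include <stddef.h>
#include <string.h>
/* Constructed stand-ins for the kernel types involved; none of this is amdgpu code. */
struct list_head { struct list_head *next, *prev; };
static void init_list_head(struct list_head *l) { l->next = l; l->prev = l; }
struct hive { int id; };
struct device { int recovered; struct hive *hive; };
struct reset_ctx { struct hive *hive; struct list_head device_list; }; /* handed to cleanup */

/* Buggy shape (CWE-457): ctx is filled in only after recovery succeeds, so the
 * failure path returns it untouched and the caller's cleanup reads garbage. */
static int slot_reset_buggy(struct device *dev, struct reset_ctx *ctx)
{
    if (!dev->recovered)
        return -1;                       /* early exit: hive/list never set */
    ctx->hive = dev->hive;
    init_list_head(&ctx->device_list);
    return 0;
}

/* Fixed shape: initialize everything the error path may touch before any early exit. */
static int slot_reset_fixed(struct device *dev, struct reset_ctx *ctx)
{
    ctx->hive = NULL;
    init_list_head(&ctx->device_list);
    if (!dev->recovered)
        return -1;                       /* cleanup sees NULL hive, empty list */
    ctx->hive = dev->hive;
    return 0;
}

/* Cleanup is safe only if hive is NULL or the one legitimate value and the list is valid. */
static int cleanup_is_safe(const struct reset_ctx *ctx, const struct device *dev)
{
    return (ctx->hive == NULL || ctx->hive == dev->hive)
        && ctx->device_list.next == &ctx->device_list;
}

/* Runs one scenario; ctx is poisoned first to model uninitialized stack memory.
 * Returns 1 if the cleanup path could run safely afterwards, 0 otherwise. */
static int error_path_is_safe(int recovered, int use_fixed)
{
    struct hive h = { 1 };
    struct device dev = { recovered, &h };
    struct reset_ctx ctx;
    memset(&ctx, 0x41, sizeof ctx);      /* stack is never zero by default */
    if (use_fixed) slot_reset_fixed(&dev, &ctx); else slot_reset_buggy(&dev, &ctx);
    return cleanup_is_safe(&ctx, &dev);
}
```

Only the combination of a failed recovery and the buggy handler leaves the context unsafe; the fixed handler is safe on both paths.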


Remediation

Install the security update from the vendor's repository.

External links