#VU124497 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') in Linux kernel - CVE-2026-23354

 


Published: March 25, 2026


Vulnerability identifier: #VU124497
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-23354
CWE-ID: CWE-470
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: Linux kernel
Software vendor: Linux Foundation

Description

The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to improper bounds checking in the x86/fred component when handling speculative execution of interrupts. A local user can trigger a use of an out-of-bounds array index during interrupt handling to execute arbitrary code.

The issue arises because the array index is spilled to the stack before use, making it vulnerable to speculative execution attacks.
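The description above concerns an array index that passes its bounds check yet can still be used out of range under speculation. The following is an added illustration, not the kernel's code and not the fix for CVE-2026-23354: a user-space C model of the general hardening pattern for this bug class, in which the index is clamped with a branchless mask immediately before the table load. The handler table, `NR_HANDLERS`, `index_mask()` and `dispatch()` are hypothetical names chosen for the example.

```c
#include <stddef.h>
#include <stdio.h>

#define NR_HANDLERS 4UL   /* constructed table size, not a kernel value */

typedef int (*handler_fn)(void);

static int h0(void) { return 100; }
static int h1(void) { return 101; }
static int h2(void) { return 102; }
static int h3(void) { return 103; }
static int h_default(void) { return -1; }

static handler_fn table[NR_HANDLERS] = { h0, h1, h2, h3 };

/* All-ones when index < size, zero otherwise, computed without a branch
 * (the same idea as the kernel's generic array_index_mask_nospec()).
 * Assumes index and size are <= LONG_MAX and that >> on a negative long
 * is an arithmetic shift, as it is with GCC and Clang. */
static unsigned long index_mask(unsigned long index, unsigned long size)
{
    return (unsigned long)(~(long)(index | (size - 1UL - index))
                           >> (sizeof(long) * 8 - 1));
}

/* Architectural bounds check, then a data-dependent clamp at the point of
 * use, so a mispredicted branch still loads from inside the table. */
static int dispatch(unsigned long vector)
{
    if (vector >= NR_HANDLERS)
        return h_default();
#if defined(__GNUC__)
    /* Hide the value from the optimizer so the mask is not folded away. */
    __asm__ volatile("" : "+r"(vector));
#endif
    vector &= index_mask(vector, NR_HANDLERS);
    return table[vector]();
}

int main(void)
{
    unsigned long samples[] = { 0, 3, 4, 1000 };   /* constructed inputs */
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("vector %lu -> %d\n", samples[i], dispatch(samples[i]));
    return 0;
}
```
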


Remediation

Install the security update from the vendor's repository.
