CVE-2026-23183
Description
In the Linux kernel, the following vulnerability has been resolved:
cgroup/dmem: fix NULL pointer dereference when setting max
An issue was triggered:
BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 15 UID: 0 PID: 658 Comm: bash Tainted: 6.19.0-rc6-next-2026012 Tainted: [O]=OOT_MODULE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), RIP: 0010:strcmp+0x10/0x30 RSP: 0018:ffffc900017f7dc0 EFLAGS: 00000246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff888107cd4358 RDX: 0000000019f73907 RSI: ffffffff82cc381a RDI: 0000000000000000 RBP: ffff8881016bef0d R08: 000000006c0e7145 R09: 0000000056c0e714 R10: 0000000000000001 R11: ffff888107cd4358 R12: 0007ffffffffffff R13: ffff888101399200 R14: ffff888100fcb360 R15: 0007ffffffffffff CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000105c79000 CR4: 00000000000006f0 Call Trace:
dmemcg_limit_write.constprop.0+0x16d/0x390 ? __pfx_set_resource_max+0x10/0x10 kernfs_fop_write_iter+0x14e/0x200 vfs_write+0x367/0x510 ksys_write+0x66/0xe0 do_syscall_64+0x6b/0x390 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f42697e1887
It was trriggered setting max without limitation, the command is like: "echo test/region0 > dmem.max". To fix this issue, add check whether options is valid after parsing the region_name.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel cgroup/dmem NULL pointer dereference leads to denial of service when writing a region name as dmem.max.
Root
Cause A NULL pointer dereference vulnerability exists in the Linux kernel's cgroup/dmem subsystem. When writing a value to dmem.max without a proper numeric limit, such as the command echo test/region0 > dmem.max, the kernel attempts to compare the parsed region name via strcmp, but the pointer passed to the function can be NULL. This occurs because the code does not validate whether the parsed region name is a valid string pointer before using it [1].
Exploitation
An attacker with local access and the ability to write to the dmem.max cgroup file can trigger this bug. No special privileges beyond basic cgroup write access are required, as the crash occurs during normal file I/O operations. The issue is triggered by providing a region name string that fails to parse into a valid memory region pointer, leaving the pointer at NULL [1].
Impact
Successful exploitation causes a kernel NULL pointer dereference, leading to a system crash (Oops) and denial of service. The crash trace showed a read access at address 0x0000000000000000, resulting in immediate system instability. This vulnerability can be used to crash the system from a non-root context if the attacker has appropriate cgroup file write permissions.
Mitigation
The fix has been applied in the Linux kernel stable tree commit c13816e8fa23deec6a8d7465d9e637fd02683b5c. Users should update their kernel to include this commit or a subsequent release containing the backport. No workaround is provided; manual validation of the input before writing to dmem.max would prevent the crash, but the proper fix is to update the kernel [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: 6.19.0-rc6-next-2026012
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2News mentions
0No linked articles in our index yet.