HP BIOSCFG Driver, Buffer Overflow, CVE-2026-23062 (Moderate)

Listen to this Post

CVE-2026-23062 is a vulnerability in the Linux kernel’s `hp-bioscfg` driver, which provides a sysfs interface for managing HP BIOS configuration settings from userspace. The flaw resides in the `GET_INSTANCE_ID` macro, a code piece designed to locate a specific BIOS attribute instance. The issue stems from two distinct programming errors. First, an off-by-one error in a loop condition used ‘<=’ instead of ‘<‘ when iterating over an array of attributes. Since array indices are zero-based, this condition causes the loop to attempt an access one element beyond the allocated memory boundary (at index instances_count), leading to an out-of-bounds read. Second, and more critically, the macro dereferences `attr_name_kobj->name` without first verifying that the `attr_name_kobj` pointer is not NULL. This NULL pointer dereference occurs in multiple attribute show functions, such as min_length_show(), when they are invoked by a read operation on the sysfs interface. When a userspace tool like `fwupd` attempts to read these BIOS attributes, the vulnerable code path is triggered. The kernel attempts to access invalid memory, resulting in a general protection fault and an immediate kernel panic (system crash). The fix involves adding a proper NULL check for the pointer before its use and correcting the loop boundary to the standard and safe ‘<‘ condition.
Platform: Linux Kernel
Version: 6.6 to 6.19-rc6
Vulnerability: Buffer Overflow, NULL Dereference
Severity: Moderate (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H)
date: February 4, 2026

Prediction: Patched February 2026

What Undercode Say:

Analytics:

The vulnerability is triggered locally via sysfs. The crash signature involves KASAN null-ptr-deref reports and RIP pointing to `min_length_show` in hp_bioscfg. The attack vector is local, requiring low privileges, and primarily impacts system availability.

Exploit:

Trigger the panic by reading the sysfs attribute (if vulnerable)
This action causes the kernel to dereference a NULL pointer.
cat /sys/class/firmware-attributes//attributes//min_length

Protection from this CVE:

1. Update the Linux kernel to a fixed version:
e.g., 6.6.122, 6.12.68, 6.18.8, or 6.19-rc7 and later.
2. If an immediate update is not possible, unload the vulnerable module:
sudo modprobe -r hp_bioscfg
3. Blacklist the module to prevent it from loading on boot:
echo "blacklist hp_bioscfg" | sudo tee /etc/modprobe.d/hp-bioscfg-blacklist.conf
4. Verify the module is no longer loaded:
lsmod | grep hp_bioscfg

Impact:

A successful exploit causes a kernel panic, leading to an immediate system crash and denial of service. While the primary impact is on availability, an out-of-bounds read could potentially lead to information disclosure (KASAN: null-ptr-deref in range). The vulnerability can be triggered accidentally by legitimate system tools like `fwupd` or intentionally by a local attacker.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top