Linux Kernel, NULL Pointer Dereference, CVE-2026-23237 (Medium)

Listen to this Post

The vulnerability resides in the `classmate-laptop` driver for x86 platforms. Due to improper initialization ordering, sysfs attributes related to the accelerometer (v4 model) are registered before the driver’s private data pointers are stored using `dev_set_drvdata` . If a user or process reads or writes to these sysfs files (e.g., cmpc_accel_sensitivity_store_v4) during this narrow window, the `dev_get_drvdata` function returns NULL. The code then dereferences this NULL pointer without validation, leading to a kernel crash (oops) and a denial of service . This affects both attributes that rely on the input device’s driver data and those relying on the ACPI device’s driver data before `cmpc_add_acpi_notify_device` completes .
Platform: Linux Kernel
Version: < 6.18.13 / 6.19-rc1
Vulnerability : NULL pointer dereference
Severity: Medium (CVSS:5.5)
date: 2026-03-04

Prediction: Patched in mainline (6.19)

What Undercode Say:

Analytics

The issue is a classic local denial-of-service vulnerability affecting a niche hardware driver. Analysis shows a low attack complexity, requiring local access and precise timing. The fix is simple but crucial for stability on affected Classmate hardware . The mainline kernel was patched via commit `fe747d711228` on January 26, 2026, and backports are being integrated into stable and long-term support (LTS) kernel trees . The primary impact is system availability.

Exploit:

A proof-of-concept for this bug relies on a race condition. An exploit would need to repeatedly read the vulnerable sysfs entry immediately after the module is loaded, hoping to land in the window before `dev_set_drvdata` is called.

Example of repeatedly trying to trigger the bug by reading the sysfs attribute
while true; do
Replace with the actual path to the sysfs file on a vulnerable system
cat /sys/devices/platform/classmate-laptop/.../sensitivity 2>/dev/null
done &
Meanwhile, trigger the module load
sudo modprobe classmate-laptop

Protection from this CVE

The primary protection is to update the Linux kernel to a patched version (e.g., 6.18.13, 6.19, or a distribution backport) . As a workaround, the vulnerable module can be blacklisted if the accelerometer functionality is not required .

Workaround: Blacklist the module to prevent it from loading
sudo bash -c 'echo "blacklist classmate-laptop" >> /etc/modprobe.d/blacklist.conf'
sudo update-initramfs -u
Verify the module is not loaded
lsmod | grep classmate

The kernel patch itself adds defensive NULL pointer checks, preventing the dereference .

// Example of the fix applied to cmpc_accel_sensitivity_show_v4
static ssize_t cmpc_accel_sensitivity_show_v4(struct device dev,
struct device_attribute attr, char buf)
{
struct acpi_device acpi;
struct input_dev inputdev;
struct cmpc_accel accel;
acpi = to_acpi_device(dev);
inputdev = dev_get_drvdata(&acpi->dev);
if (!inputdev)
return -ENXIO;
accel = dev_get_drvdata(&inputdev->dev);
if (!accel)
return -ENXIO;
return sprintf(buf, "%d\n", accel->sensitivity);
}

Impact

Successful exploitation leads to a kernel NULL pointer dereference, causing a system crash (Oops) and resulting in a local denial of service . There is no evidence to suggest this vulnerability can lead to privilege escalation or remote code execution . The impact is confined to systems that actually use the specific `classmate-laptop` hardware and have the driver loaded .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top