Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2026-23266— fbdev: rivafb: fix divide error in nv3_arb()

EPSS 0.03% · P10
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-23266

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
fbdev: rivafb: fix divide error in nv3_arb()
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: fbdev: rivafb: fix divide error in nv3_arb() A userspace program can trigger the RIVA NV3 arbitration code by calling the FBIOPUT_VSCREENINFO ioctl on /dev/fb*. When doing so, the driver recomputes FIFO arbitration parameters in nv3_arb(), using state->mclk_khz (derived from the PRAMDAC MCLK PLL) as a divisor without validating it first. In a normal setup, state->mclk_khz is provided by the real hardware and is non-zero. However, an attacker can construct a malicious or misconfigured device (e.g. a crafted/emulated PCI device) that exposes a bogus PLL configuration, causing state->mclk_khz to become zero. Once nv3_get_param() calls nv3_arb(), the division by state->mclk_khz in the gns calculation causes a divide error and crashes the kernel. Fix this by checking whether state->mclk_khz is zero and bailing out before doing the division. The following log reveals it: rivafb: setting virtual Y resolution to 2184 divide error: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 0 PID: 2187 Comm: syz-executor.0 Not tainted 5.18.0-rc1+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 RIP: 0010:nv3_arb drivers/video/fbdev/riva/riva_hw.c:439 [inline] RIP: 0010:nv3_get_param+0x3ab/0x13b0 drivers/video/fbdev/riva/riva_hw.c:546 Call Trace: nv3CalcArbitration.constprop.0+0x255/0x460 drivers/video/fbdev/riva/riva_hw.c:603 nv3UpdateArbitrationSettings drivers/video/fbdev/riva/riva_hw.c:637 [inline] CalcStateExt+0x447/0x1b90 drivers/video/fbdev/riva/riva_hw.c:1246 riva_load_video_mode+0x8a9/0xea0 drivers/video/fbdev/riva/fbdev.c:779 rivafb_set_par+0xc0/0x5f0 drivers/video/fbdev/riva/fbdev.c:1196 fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1033 do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1109 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1188 __x64_sys_ioctl+0x122/0x190 fs/ioctl.c:856
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于未验证除数,可能导致除零错误和内核崩溃。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 ~ ec5a58f4fd581875593ea92a65485e1906a53c0f -
LinuxLinux 2.6.12 -

II. Public POCs for CVE-2026-23266

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-23266

登录查看更多情报信息。

Same Patch Batch · Linux · 2026-03-18 · 35 CVEs total

CVE-2026-232468.8 HIGHwifi: mac80211: bounds-check link_id in ieee80211_ml_reconfiguration
CVE-2026-232537.8 HIGHmedia: dvb-core: fix wrong reinitialization of ringbuffer on reopen
CVE-2026-232687.8 HIGHapparmor: fix unprivileged local user can do privileged policy management
CVE-2026-232707.8 HIGHnet/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks
CVE-2026-232487.8 HIGHperf/core: Fix refcount bug and potential UAF in perf_mmap
CVE-2026-232437.8 HIGHRDMA/umad: Reject negative data_len in ib_umad_write
CVE-2026-232457.8 HIGHnet/sched: act_gate: snapshot parameters with RCU on replace
CVE-2026-232427.5 HIGHRDMA/siw: Fix potential NULL pointer dereference in header processing
CVE-2026-232697.1 HIGHapparmor: validate DFA start states are in bounds in unpack_pdb
CVE-2026-23244nvme: fix memory allocation in nvme_pr_read_keys()
CVE-2025-71267fs: ntfs3: fix infinite loop triggered by zero-sized ATTR_LIST
CVE-2026-23247tcp: secure_seq: add back ports to TS offset
CVE-2025-71266fs: ntfs3: check return value of indx_find to avoid infinite loop
CVE-2026-23249xfs: check for deleted cursors when revalidating two btrees
CVE-2026-23250xfs: check return value of xchk_scrub_create_subord
CVE-2026-23251xfs: only call xf{array,blob}_destroy if we have a valid pointer
CVE-2026-23252xfs: get rid of the xchk_xfile_*_descr calls
CVE-2025-71265fs: ntfs3: fix infinite loop in attr_load_runs_range on inconsistent metadata
CVE-2025-71268btrfs: fix reservation leak in some error paths when inserting inline extent
CVE-2025-71269btrfs: do not free data reservation in fallback from inline due to -ENOSPC

Showing top 20 of 35 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

Same product: Linux
Same vendor: Linux

V. Comments for CVE-2026-23266

No comments yet

Leave a comment