What is CVE-2026-23183?

CVE-2026-23183 is a unscored severity Linux kernel vulnerability, affecting Linux kernel versions from 6.14 onward and patched in 6.18.10 and 6.19. CVE-2026-23183 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2026-23183?

CVE-2026-23183 has a CVSS score of pending NVD analysis out of 10, rated awaiting scoring severity.

Is there a patch available for CVE-2026-23183?

Yes, CVE-2026-23183 has been patched. Fixed versions include 6.18.10 and 6.19. If you are running Linux kernel 6.14 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2026-23183 actively exploited?

CVE-2026-23183 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2026-23183

In the Linux kernel, the following vulnerability has been resolved: cgroup/dmem: fix NULL pointer dereference when setting max An issue was triggered: BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 15 UID: 0 PID: 658 Comm: bash Tainted: 6.19.0-rc6-next-2026012 Tainted: [O]=OOT_MODULE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), RIP: 0010:strcmp+0x10/0x30 RSP: 0018:ffffc900017f7dc0 EFLAGS: 00000246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff888107cd4358 RDX: 0000000019f73907 RSI: ffffffff82cc381a RDI: 0000000000000000 RBP: ffff8881016bef0d R08: 000000006c0e7145 R09: 0000000056c0e714 R10: 0000000000000001 R11: ffff888107cd4358 R12: 0007ffffffffffff R13: ffff888101399200 R14: ffff888100fcb360 R15: 0007ffffffffffff CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000105c79000 CR4: 00000000000006f0 Call Trace: <TASK> dmemcg_limit_write.constprop.0+0x16d/0x390 ? __pfx_set_resource_max+0x10/0x10 kernfs_fop_write_iter+0x14e/0x200 vfs_write+0x367/0x510 ksys_write+0x66/0xe0 do_syscall_64+0x6b/0x390 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f42697e1887 It was trriggered setting max without limitation, the command is like: "echo test/region0 > dmem.max". To fix this issue, add check whether options is valid after parsing the region_name.

Package Linux Kernel

Published 2026-02-14

Last modified 2026-04-15

Patch available

Yes

Affected versions

Linux kernel versions 6.14 and later are affected. Fixed in 6.18.10, 6.19 and their respective stable series.

Affected from

≥ 6.14

Fixed in

✓ 6.18.10 6.18.x ✓ 6.19

References

The following references provide additional information about CVE-2026-23183 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/43151f812886be1855d2cba059f9c93e4729460b
Patch
Kernel patch commit
https://git.kernel.org/stable/c/c13816e8fa23deec6a8d7465d9e637fd02683b5c
Patch

Frequently asked questions

What is CVE-2026-23183?

CVE-2026-23183 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 6.14 onward and has been patched in 6.18.10 and 6.19. CVE-2026-23183 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
Is there a patch available for CVE-2026-23183?

Yes — CVE-2026-23183 has been patched. Fixed versions include 6.18.10 and 6.19. If you are running Linux kernel 6.14 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2026-23183 actively exploited?

No — CVE-2026-23183 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.