CVE-2026-23266

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 5.18.0-rc1+

Description The Linux kernel contains a flaw within the RIVA NV3 arbitration code. A userspace program can trigger this code by calling the FBIOPUT VSCREENINFO ioctl on /dev/fb*. The driver recalculates FIFO arbitration parameters in the nv3 arb() function, using state->mclk khz (derived from the PRAMDAC MCLK PLL) as a divisor without prior validation. An attacker can provide a malicious or misconfigured device that sets state->mclk khz to zero, leading to a divide error and kernel crash when nv3 get param() calls nv3 arb(). The vulnerable code is located in drivers/video/fbdev/riva/riva hw.c. The issue occurs during the calculation of the gns value within the nv3 arb() function.

Recommendations Update to a version newer than 5.18.0-rc1+.