Security News

Cybersecurity news aggregator

MEDIUM Vulnerabilities Web Discovery

CVE-2026-23094: Linux Kernel uacce DOS Vulnerability

  • What: A denial-of-service vulnerability exists in the Linux kernel's uacce subsystem due to improper sysfs callback handling.
  • Impact: The vulnerability can cause system crashes.

CVE-2026-23094 is a denial of service flaw in the Linux kernel uacce subsystem that can cause system crashes through improper sysfs callback handling. This article covers technical details, affected versions, and mitigation.

Published: February 6, 2026

CVE-2026-23094 Overview

CVE-2026-23094 is a vulnerability in the Linux kernel's uacce (Unified/User-space-access intended Accelerator Framework) subsystem that affects the device isolation feature's sysfs interface. The vulnerability exists in the check condition for creating sysfs files related to device isolation error threshold configuration.

The uacce subsystem supports a device isolation feature that creates sysfs files when drivers implement isolate_err_threshold_read and isolate_err_threshold_write callback functions. Users can read and configure isolation policies through these sysfs interfaces. However, the current implementation creates sysfs files when either callback function is present, without properly validating that both functions exist before allowing access.

Critical Impact

Accessing a non-existent callback function through the sysfs interface may cause system crashes, resulting in denial of service conditions on affected Linux systems.

Affected Products

  • Linux kernel with uacce subsystem enabled
  • Systems utilizing Unified/User-space-access intended Accelerator Framework
  • Linux distributions with accelerator device isolation features

Discovery Timeline

  • 2026-02-04 - CVE-2026-23094 published to NVD
  • 2026-02-05 - Last updated in NVD database

Technical Details for CVE-2026-23094

Vulnerability Analysis

This vulnerability represents a Null Pointer Dereference issue in the Linux kernel's uacce subsystem. The core problem lies in how the sysfs interface handles callback function validation for device isolation features.

When a driver implements the device isolation feature, it may provide one or both of the isolate_err_threshold_read and isolate_err_threshold_write callback functions. The original implementation would create sysfs files as long as either callback was present, but failed to properly intercept operations at the call site when attempting to invoke a non-existent callback.

This means if a driver only implements the read callback but not the write callback (or vice versa), a user attempting to perform the unsupported operation through sysfs would trigger an attempt to call a NULL function pointer, resulting in a kernel crash.

Root Cause

The root cause is an improper check condition in the uacce sysfs creation logic. The code failed to:

  • Properly validate that neither read nor write callbacks exist before allowing sysfs file creation
  • Intercept unsupported operations at the call site when only one callback is implemented

The fix addresses this by implementing a two-pronged approach: intercepting sysfs creation if neither read nor write callback exists, and intercepting unsupported operations at the call site when the sysfs is created with partial callback support.

Attack Vector

The vulnerability can be triggered through the sysfs interface. An attacker with local access to the system could:

  • Identify systems with uacce drivers that implement only partial callback functions (either read or write, but not both)
  • Access the sysfs interface for device isolation configuration
  • Attempt to perform an operation (read or write) that corresponds to the non-existent callback
  • Trigger a kernel panic due to the NULL pointer dereference

This requires local access to the system and the ability to interact with the sysfs interface, typically requiring elevated privileges or specific group membership.

The vulnerability mechanism involves improper callback function validation in the uacce sysfs creation logic. When sysfs files are created with partial callback support and an unsupported operation is attempted, the kernel attempts to invoke a NULL function pointer. For detailed implementation specifics, refer to the kernel git commits linked in the external references.

Detection Methods for CVE-2026-23094

Indicators of Compromise

  • Unexpected kernel panics or oops messages related to uacce or accelerator device drivers
  • System crashes occurring when users interact with /sys/class/uacce/ directory entries
  • Kernel log entries showing NULL pointer dereference in uacce-related code paths
  • Anomalous read/write attempts to isolation threshold sysfs files

Detection Strategies

  • Monitor kernel logs for NULL pointer dereference errors in uacce subsystem functions
  • Implement system monitoring for unexpected crashes in systems with accelerator devices
  • Use kernel debugging tools to track sysfs access patterns to uacce device entries
  • Deploy crash dump analysis to identify exploitation attempts

Monitoring Recommendations

  • Enable kernel crash dump collection for forensic analysis
  • Monitor sysfs access to /sys/class/uacce/*/isolate_err_threshold files
  • Implement auditd rules to log access to uacce
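
The two-pronged fix described under Root Cause, as an added user-space C model (not the kernel's code or the upstream patch). The struct, the model_* functions, the sample drivers and the -EOPNOTSUPP return value are assumptions of this example; only the two callback names come from the article.

```c
#include <errno.h>
#include <stdio.h>

/* Hypothetical model of a driver's optional isolation callbacks. */
struct model_ops {
    unsigned int (*isolate_err_threshold_read)(void *dev);
    int (*isolate_err_threshold_write)(void *dev, unsigned int val);
};

static unsigned int stored_threshold = 8; /* constructed sample state */
static unsigned int demo_read(void *dev) { (void)dev; return stored_threshold; }
static int demo_write(void *dev, unsigned int v) { (void)dev; stored_threshold = v; return 0; }

/* Constructed sample drivers: partial and empty callback sets. */
static const struct model_ops read_only_ops  = { .isolate_err_threshold_read = demo_read };
static const struct model_ops write_only_ops = { .isolate_err_threshold_write = demo_write };
static const struct model_ops no_ops = { 0 };

/* Prong 1: do not create the attribute when neither callback exists. */
int model_attr_visible(const struct model_ops *ops)
{
    return ops->isolate_err_threshold_read || ops->isolate_err_threshold_write;
}

/* Prong 2: each call site rejects the operation its driver lacks,
 * instead of jumping through a NULL function pointer. */
long model_show(const struct model_ops *ops, void *dev, unsigned int *out)
{
    if (!ops->isolate_err_threshold_read)
        return -EOPNOTSUPP; /* error code chosen for this example */
    *out = ops->isolate_err_threshold_read(dev);
    return 0;
}

long model_store(const struct model_ops *ops, void *dev, unsigned int val)
{
    if (!ops->isolate_err_threshold_write)
        return -EOPNOTSUPP;
    return ops->isolate_err_threshold_write(dev, val);
}

int main(void)
{
    unsigned int v = 0;
    printf("read-only:  visible=%d store=%ld\n", model_attr_visible(&read_only_ops),
           model_store(&read_only_ops, NULL, 5));
    printf("write-only: visible=%d show=%ld\n", model_attr_visible(&write_only_ops),
           model_show(&write_only_ops, NULL, &v));
    printf("no callbacks: visible=%d\n", model_attr_visible(&no_ops));
    return 0;
}
```

Without the guards in model_show and model_store, the read-only and write-only drivers are exactly the partial-callback case the article describes: the file exists, and the unsupported operation reaches a NULL pointer.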
