CVE-2026-23443 | ACPI: processor: Fix previous acpi_processor_errata_piix4() fix

In the Linux kernel, the following vulnerability has been resolved: ACPI: processor: Fix previous acpi_processor_errata_piix4() fix After commi f132e089fe89 ("ACPI: processor: Fix NULL-pointer dereference in acpi_processor_errata_piix4()"), device pointers may be dereferenced after dropping references to the device objects pointed to by them, which may cause a use-after-free to occur. Moreover, debug messages about enabling the errata may be printed if the errata flags corresponding to them are unset. Address all of these issues by moving message printing to the points in the code where the errata flags are set.

Published: 2026-04-03 Last update: 2026-06-17 Assigner: 416baaa9-dc9f-4396-8d5f-8c081fb06d67 Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

NVD Status：Analyzed，CVE State: published

View at NVD, CVE.org, EUVD

Threat Intelligence & Risk Assessment for CVE-2026-23443

EPSS CVSS CWE GHSA Affected OS Tracker

Conclusion & alert: CVE-2026-23443 is rated Low Risk (22.8/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.12%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2026-23443

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	0.02%	0.12%	+0.10%
2	2026-04-04	—	0.02%	—

Full EPSS history (2 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2026-23443

CVSS metrics for this CVE.

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
5.5	3.1	MEDIUM	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:N) Doesn’t really leak secrets in a meaningful way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	1.8	3.6	[email protected]

Weakness enumeration for CVE-2026-23443

CWE-476 MITRE ↗

GitHub Security Advisory for CVE-2026-23443

GHSA-gh6m-4cqq-86hr · Severity: medium — In the Linux kernel, the following vulnerability has been resolved: ACPI: processor: Fix...

OS Trackers for CVE-2026-23443

vendor	priority	summary	link
`debian`	unimportant	CVE-2026-23443 unimportant priority: Debian including 1 source packages (linux), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2026-23443
`redhat`	—	—	https://access.redhat.com/security/cve/CVE-2026-23443
`suse`	medium	CVE-2026-23443 severity moderate: SUSE including 25 source package names (cluster-md-kmp-default, dlm-kmp-default, …), 209 product×package rows across 38 product lines (SUSE Linux Enterprise High Availability Extension 15 SP7, SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS, … (38 product lines)): Known Not Affected 209.	https://www.suse.com/security/cve/CVE-2026-23443/
`ubuntu`	medium	CVE-2026-23443 medium priority: Ubuntu including 157 source packages (linux, linux-allwinner-5.19, …), 1256 status rows across 8 suites (bionic, focal, jammy, noble, questing, trusty, upstream, xenial): DNE 871, ignored 169, not-affected 133, released 83.	https://ubuntu.com/security/CVE-2026-23443

Affected software / configurations for CVE-2026-23443

Vendor	Product	Version	Raw CPE
linux	linux_kernel	>= 6.1.165, < 6.1.167	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.6.128, < 6.6.130	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.12.75, < 6.12.78	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.18.16, < 6.18.20	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	>= 6.19.6, < 6.19.10	cpe:2.3:o:linux:linux_kernel::::::::
linux	linux_kernel	5.15.202	cpe:2.3:o:linux:linux_kernel:5.15.202:::::::*

References for CVE-2026-23443

URL	Tags
https://git.kernel.org/stable/c/2e369ba9eb7b8a06e9cc35a3e7fe73e59272f8c2	Patch
https://git.kernel.org/stable/c/68408e8f9e366ad9850a66ac65cb569f13bf6cd4	Patch
https://git.kernel.org/stable/c/8583f62259e1b315d5239371adfb36939cdab741	Patch
https://git.kernel.org/stable/c/98473309a36acc271009b85e0bb53a4c0dddf5c2	Patch
https://git.kernel.org/stable/c/bf504b229cb8d534eccbaeaa23eba34c05131e25	Patch
https://git.kernel.org/stable/c/e0c470049344e9346fff79d7e2362212c216665e	Patch
https://git.kernel.org/stable/c/edf4c2aaee08e8fd503fbae705c801e92a0b55d7	Patch

cvelogic Threat Intelligence