๐Ÿ” CVE Alert

CVE-2026-23266

UNKNOWN 0.0

fbdev: rivafb: fix divide error in nv3_arb()

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

In the Linux kernel, the following vulnerability has been resolved: fbdev: rivafb: fix divide error in nv3_arb() A userspace program can trigger the RIVA NV3 arbitration code by calling the FBIOPUT_VSCREENINFO ioctl on /dev/fb*. When doing so, the driver recomputes FIFO arbitration parameters in nv3_arb(), using state->mclk_khz (derived from the PRAMDAC MCLK PLL) as a divisor without validating it first. In a normal setup, state->mclk_khz is provided by the real hardware and is non-zero. However, an attacker can construct a malicious or misconfigured device (e.g. a crafted/emulated PCI device) that exposes a bogus PLL configuration, causing state->mclk_khz to become zero. Once nv3_get_param() calls nv3_arb(), the division by state->mclk_khz in the gns calculation causes a divide error and crashes the kernel. Fix this by checking whether state->mclk_khz is zero and bailing out before doing the division. The following log reveals it: rivafb: setting virtual Y resolution to 2184 divide error: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 0 PID: 2187 Comm: syz-executor.0 Not tainted 5.18.0-rc1+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 RIP: 0010:nv3_arb drivers/video/fbdev/riva/riva_hw.c:439 [inline] RIP: 0010:nv3_get_param+0x3ab/0x13b0 drivers/video/fbdev/riva/riva_hw.c:546 Call Trace: nv3CalcArbitration.constprop.0+0x255/0x460 drivers/video/fbdev/riva/riva_hw.c:603 nv3UpdateArbitrationSettings drivers/video/fbdev/riva/riva_hw.c:637 [inline] CalcStateExt+0x447/0x1b90 drivers/video/fbdev/riva/riva_hw.c:1246 riva_load_video_mode+0x8a9/0xea0 drivers/video/fbdev/riva/fbdev.c:779 rivafb_set_par+0xc0/0x5f0 drivers/video/fbdev/riva/fbdev.c:1196 fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1033 do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1109 fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1188 __x64_sys_ioctl+0x122/0x190 fs/ioctl.c:856

Vendor linux
Product linux
Ecosystems
Industries
Technology
Published Mar 18, 2026
Last Updated Apr 13, 2026
Stay Ahead of the Next One

Get instant alerts for linux linux

Be the first to know when new unknown vulnerabilities affecting linux linux are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Linux / Linux
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < ec5a58f4fd581875593ea92a65485e1906a53c0f 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 52916878db2b8e3769743a94484729f0844352df 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 526460a96c5443e2fc0fd231edd1f9c49d2de26b 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 78daf5984d96edec3b920c72a93bd6821b8710b7 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 9efa0dc46270a8723c158c64afbcf1dead72b28c 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 3e4cbd1d46c246dfa684c8e9d8c20ae0b960c50a 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 73f0391e92d404da68f7484e57c106c5e673dc7e 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 < 0209e21e3c372fa2da04c39214bec0b64e4eb5f4
Linux / Linux
2.6.12

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
git.kernel.org: https://git.kernel.org/stable/c/ec5a58f4fd581875593ea92a65485e1906a53c0f git.kernel.org: https://git.kernel.org/stable/c/52916878db2b8e3769743a94484729f0844352df git.kernel.org: https://git.kernel.org/stable/c/526460a96c5443e2fc0fd231edd1f9c49d2de26b git.kernel.org: https://git.kernel.org/stable/c/78daf5984d96edec3b920c72a93bd6821b8710b7 git.kernel.org: https://git.kernel.org/stable/c/9efa0dc46270a8723c158c64afbcf1dead72b28c git.kernel.org: https://git.kernel.org/stable/c/3e4cbd1d46c246dfa684c8e9d8c20ae0b960c50a git.kernel.org: https://git.kernel.org/stable/c/73f0391e92d404da68f7484e57c106c5e673dc7e git.kernel.org: https://git.kernel.org/stable/c/0209e21e3c372fa2da04c39214bec0b64e4eb5f4