CVE-2026-23131 in Linuxinfo

Summary

by MITRE • 02/14/2026

In the Linux kernel, the following vulnerability has been resolved:

platform/x86: hp-bioscfg: Fix kobject warnings for empty attribute names

The hp-bioscfg driver attempts to register kobjects with empty names when the HP BIOS returns attributes with empty name strings. This causes multiple kernel warnings:

kobject: (00000000135fb5e6): attempted to be registered with empty name! WARNING: CPU: 14 PID: 3336 at lib/kobject.c:219 kobject_add_internal+0x2eb/0x310

Add validation in hp_init_bios_buffer_attribute() to check if the attribute name is empty after parsing it from the WMI buffer. If empty, log a debug message and skip registration of that attribute, allowing the module to continue processing other valid attributes.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 03/17/2026

The vulnerability described in CVE-2026-23131 represents a kernel-level issue within the Linux operating system's platform x86 subsystem, specifically affecting the hp-bioscfg driver component. This driver is responsible for handling configuration attributes exposed through the Hardware Platform (HP) BIOS interface, which allows system administrators and applications to query and modify certain hardware configuration parameters. The flaw manifests when the driver encounters malformed data from the BIOS, specifically attributes that contain empty name strings, which violates fundamental kernel object registration principles and creates operational instability.

The technical implementation of this vulnerability stems from inadequate input validation within the hp_init_bios_buffer_attribute() function within the hp-bioscfg driver code. When the driver processes attribute data retrieved from the Windows Management Instrumentation (WMI) buffer, it fails to validate whether the parsed attribute name string is empty or null before attempting to register the corresponding kernel object. This violates the kernel's fundamental requirement that all kobject instances must possess valid, non-empty names for proper registration and management within the kernel's object hierarchy. The issue directly corresponds to CWE-20, "Improper Input Validation," and specifically relates to improper validation of kernel object names, which can lead to system instability and potential denial of service conditions.

The operational impact of this vulnerability extends beyond simple kernel warnings, as it can cause the hp-bioscfg module to generate multiple kernel log messages that indicate failed kobject registration attempts. These warnings, while not immediately crashing the system, create a degraded operational state where valid attributes may not be properly exposed to userspace applications, potentially preventing system configuration management tools from accessing critical hardware settings. The kernel's attempt to register objects with empty names triggers the kobject_add_internal function, which is part of the core kernel infrastructure responsible for managing the object model, thereby creating a cascade of warnings that can clutter system logs and potentially mask other genuine issues. This vulnerability can be leveraged by attackers to create persistent denial of service conditions by repeatedly triggering the faulty code path, and may also provide information disclosure opportunities through the kernel log messages.

The mitigation strategy implemented in the fix addresses the root cause by introducing explicit validation checks within the hp_init_bios_buffer_attribute() function. The solution involves parsing the attribute name from the WMI buffer and performing a comprehensive validation to ensure the name string is neither empty nor null before proceeding with kobject registration. When an empty name is detected, the driver now logs a debug message indicating the skipped attribute rather than attempting registration, allowing the module to continue processing remaining valid attributes. This approach aligns with the principle of fail-safe design and follows the ATT&CK technique T1484.001, "Privilege Escalation through Kernel Exploitation," by preventing potential escalation paths through kernel object manipulation. The fix also adheres to the Linux kernel security best practices outlined in the kernel documentation regarding proper input validation and error handling, ensuring that the driver maintains robust operation even when encountering malformed data from hardware interfaces. This remediation ensures that the hp-bioscfg module can gracefully handle unexpected BIOS behavior while maintaining system stability and preventing the propagation of kernel warnings that could impact system monitoring and diagnostic capabilities.

Responsible

Linux

Reservation

01/13/2026

Disclosure

02/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00114

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!