CVE-2026-23323 in Linux
Summary
by MITRE • 03/25/2026
In the Linux kernel, the following vulnerability has been resolved:
hwmon: (macsmc) Fix regressions in Apple Silicon SMC hwmon driver
The recently added macsmc-hwmon driver contained several critical bugs in its sensor population logic and float conversion routines.
Specifically: - The voltage sensor population loop used the wrong prefix ("volt-" instead of "voltage-") and incorrectly assigned sensors to the temperature sensor array (hwmon->temp.sensors) instead of the voltage sensor array (hwmon->volt.sensors). This would lead to out-of-bounds memory access or data corruption when both temperature and voltage sensors were present. - The float conversion in macsmc_hwmon_write_f32() had flawed exponent logic for values >= 2^24 and lacked masking for the mantissa, which could lead to incorrect values being written to the SMC.
Fix these issues to ensure correct sensor registration and reliable manual fan control.
Confirm that the reported overflow in FIELD_PREP is fixed by declaring macsmc_hwmon_write_f32() as __always_inline for a compile test.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 03/30/2026
The vulnerability CVE-2026-23323 addresses critical flaws in the Linux kernel's macsmc-hwmon driver specifically targeting Apple Silicon systems. This hardware monitoring driver interfaces with the System Management Controller to provide sensor data for temperature and voltage monitoring. The issue stems from improper sensor population logic and flawed float conversion routines that create significant operational risks for system stability and data integrity. The vulnerability affects systems running Linux kernels with the macsmc-hwmon driver implementation, particularly those utilizing Apple Silicon processors where hardware monitoring capabilities are essential for system health management.
The primary technical flaw involves incorrect sensor registration logic within the driver's sensor population loop. The implementation used an incorrect prefix "volt-" instead of the proper "voltage-" for voltage sensor identification, creating a fundamental misclassification of sensor types. Additionally, the driver incorrectly assigned voltage sensors to the temperature sensor array structure (hwmon->temp.sensors) rather than the appropriate voltage sensor array (hwmon->volt.sensors). This fundamental data structure misassignment leads to out-of-bounds memory access conditions that can result in system crashes, memory corruption, or unpredictable behavior when both temperature and voltage monitoring are active simultaneously. The improper sensor assignment creates a direct path for memory safety violations that aligns with CWE-121, which addresses stack buffer overflow conditions, and CWE-787, concerning out-of-bounds write operations.
The secondary vulnerability manifests in the float conversion routine macsmc_hwmon_write_f32() where exponent handling fails for values greater than or equal to 2^24. The implementation lacks proper mantissa masking, causing incorrect floating-point value representations when writing data to the System Management Controller. This flaw directly impacts the accuracy of sensor data reporting and manual fan control operations, potentially leading to incorrect thermal management decisions. The improper floating-point handling creates a pathway for CWE-191, integer underflow conditions, and CWE-194, unexpected integer truncation, while also contributing to CWE-248, uncaught exception conditions that can destabilize system operations.
The operational impact of this vulnerability extends beyond simple data corruption to potentially compromise system stability and thermal management capabilities on Apple Silicon platforms. When both temperature and voltage sensors are present, the memory corruption issues can cause kernel panics or system crashes, disrupting normal operation of the affected hardware monitoring infrastructure. The incorrect fan control functionality can lead to overheating conditions or unnecessary power consumption, as the system cannot properly regulate cooling based on accurate sensor readings. This vulnerability particularly affects server and workstation environments where precise thermal management is critical for system reliability and longevity.
The fix implemented addresses these issues through corrected sensor registration logic and improved float conversion handling. The driver now properly uses the correct sensor prefixes and assigns sensors to their appropriate array structures, eliminating the out-of-bounds memory access conditions. The float conversion routine has been enhanced to properly handle exponent values above 2^24 and includes appropriate mantissa masking to ensure accurate floating-point value representation. The compilation fix involving the __always_inline declaration for macsmc_hwmon_write_f32() serves as an additional safeguard to prevent the FIELD_PREP overflow condition, ensuring that the function is optimized at compile time to avoid potential runtime issues. This remediation approach follows ATT&CK tactic T1059 for privilege escalation through kernel exploitation and addresses defensive measures under T1566 for credential access through system vulnerabilities, ensuring comprehensive protection against potential exploitation vectors that could leverage these memory corruption flaws for unauthorized system access or privilege escalation.