NULL Pointer Dereference Affecting perf package, versions *
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about NULL Pointer Dereference vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-CENTOS7-PERF-15533050
- published14 Mar 2026
- disclosed4 Mar 2026
Introduced: 4 Mar 2026
NewCVE-2026-23237 (opens in a new tab)How to fix?
There is no fixed version for Centos:7 perf.
NVD Description
Note: Versions mentioned in the description apply only to the upstream perf package and not the perf package as distributed by Centos.
See How to fix? for Centos:7 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: classmate-laptop: Add missing NULL pointer checks
In a few places in the Classmate laptop driver, code using the accel object may run before that object's address is stored in the driver data of the input device using it.
For example, cmpc_accel_sensitivity_store_v4() is the "show" method of cmpc_accel_sensitivity_attr_v4 which is added in cmpc_accel_add_v4(), before calling dev_set_drvdata() for inputdev->dev. If the sysfs attribute is accessed prematurely, the dev_get_drvdata(&inputdev->dev) call in in cmpc_accel_sensitivity_store_v4() returns NULL which leads to a NULL pointer dereference going forward.
Moreover, sysfs attributes using the input device are added before initializing that device by cmpc_add_acpi_notify_device() and if one of them is accessed before running that function, a NULL pointer dereference will occur.
For example, cmpc_accel_sensitivity_attr_v4 is added before calling cmpc_add_acpi_notify_device() and if it is read prematurely, the dev_get_drvdata(&acpi->dev) call in cmpc_accel_sensitivity_show_v4() returns NULL which leads to a NULL pointer dereference going forward.
Fix this by adding NULL pointer checks in all of the relevant places.
References
- https://access.redhat.com/security/cve/CVE-2026-23237
- https://git.kernel.org/stable/c/97528b1622b8f129574d29a571c32a3c85eafa3c
- https://git.kernel.org/stable/c/993708fc18d0d0919db438361b4e8c1f980a8d1b
- https://git.kernel.org/stable/c/9cf4b9b8ad09d6e05307abc4e951cabdff4be652
- https://git.kernel.org/stable/c/af673209d43b46257540997aba042b90ef3258c0
- https://git.kernel.org/stable/c/da6e06a5fdbabea3870d18c227734b5dea5b3be6
- https://git.kernel.org/stable/c/eb214804f03c829decf10998e9b7dd26f4c8ab9e
- https://git.kernel.org/stable/c/fe747d7112283f47169e9c16e751179a9b38611e