CVE-2026-23237

In a few places in the Classmate laptop driver, code using the accel object may run before that object's address is stored in the driver data of the input device using it.

For example, cmpcaccelsensitivitystorev4() is the "show" method of cmpcaccelsensitivityattrv4 which is added in cmpcacceladdv4(), before calling devsetdrvdata() for inputdev->dev. If the sysfs attribute is accessed prematurely, the devgetdrvdata(&inputdev->dev) call in in cmpcaccelsensitivitystore_v4() returns NULL which leads to a NULL pointer dereference going forward.

Moreover, sysfs attributes using the input device are added before initializing that device by cmpcaddacpinotifydevice() and if one of them is accessed before running that function, a NULL pointer dereference will occur.

For example, cmpcaccelsensitivityattrv4 is added before calling cmpcaddacpinotifydevice() and if it is read prematurely, the devgetdrvdata(&acpi->dev) call in cmpcaccelsensitivityshowv4() returns NULL which leads to a NULL pointer dereference going forward.

Fix this by adding NULL pointer checks in all of the relevant places.

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23237.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

529aa8cb0a59367d08883f818e8c47028e819d0d

Fixed

993708fc18d0d0919db438361b4e8c1f980a8d1b

Fixed

af673209d43b46257540997aba042b90ef3258c0

Fixed

eb214804f03c829decf10998e9b7dd26f4c8ab9e

Fixed

9cf4b9b8ad09d6e05307abc4e951cabdff4be652

Fixed

da6e06a5fdbabea3870d18c227734b5dea5b3be6

Fixed

97528b1622b8f129574d29a571c32a3c85eafa3c

Fixed

fe747d7112283f47169e9c16e751179a9b38611e

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23237.json"