In the Linux kernel, the following vulnerability has been resolved: md-cluster: fix NULL pointer dereference in process_metadata_update The function process_metadata_update() blindly dereferences the 'thread' pointer (acquired via rcu_dereference_protected) within the wait_event() macro. While the code comment states "daemon thread must exist", there is a valid race condition window during the MD array startup sequence (md_run): 1. bitmap_load() is called, which invokes md_cluster_ops->join(). 2. join() starts the "cluster_recv" thread (recv_daemon). 3. At this point, recv_daemon is active and processing messages. 4. However, mddev->thread (the main MD thread) is not initialized until later in md_run(). If a METADATA_UPDATED message is received from a remote node during this specific window, process_metadata_update() will be called while mddev->thread is still NULL, leading to a kernel panic. To fix this, we must validate the 'thread' pointer. If it is NULL, we release the held lock (no_new_dev_lockres) and return early, safely ignoring the update request as the array is not yet fully ready to process it.
Denial of service in Linux kernel KCM (kernel connection multiplexer) subsystem when processing messages with zero-fragment skbs in frag_list after partial sendmsg failures. A local authenticated attacker can trigger a kernel warning and potentially crash the system by sending a malformed message that fails during data copy, leaving an empty skb in the fragment list. The vulnerability requires local access and low-level socket manipulation, affecting systems running vulnerable Linux kernel versions prior to patching.
A denial of service vulnerability in the Linux kernel's AMD display driver (drm/amd/display) allows local authenticated users to crash the system by accessing link encoder functionality on DisplayPort over USB-C (DPIA) links without proper signal type validation. The vulnerability affects kernel versions before the patches released in stable branches 6.12.75, 6.18.16, 6.19.6, and 7.0. No public exploit code has been identified, and real-world exploitation probability is very low (EPSS 0.02%), suggesting this is primarily an edge-case denial of service affecting specific hardware configurations with DPIA displays.
In the Linux kernel, the following vulnerability has been resolved: media: chips-media: wave5: Fix device cleanup order to prevent kernel panic Move video device unregistration to the beginning of the remove function to ensure all video operations are stopped before cleaning up the worker thread and disabling PM runtime. This prevents hardware register access after the device has been powered down. In polling mode, the hrtimer periodically triggers wave5_vpu_timer_callback() which queues work to the kthread worker. The worker executes wave5_vpu_irq_work_fn() which reads hardware registers via wave5_vdi_read_register(). The original cleanup order disabled PM runtime and powered down hardware before unregistering video devices. When autosuspend triggers and powers off the hardware, the video devices are still registered and the worker thread can still be triggered by the hrtimer, causing it to attempt reading registers from powered-off hardware. This results in a bus error (synchronous external abort) and kernel panic. This causes random kernel panics during encoding operations: Internal error: synchronous external abort: 0000000096000010 [#1] PREEMPT SMP Modules linked in: wave5 rpmsg_ctrl rpmsg_char ... CPU: 0 UID: 0 PID: 1520 Comm: vpu_irq_thread Tainted: G M W pc : wave5_vdi_read_register+0x10/0x38 [wave5] lr : wave5_vpu_irq_work_fn+0x28/0x60 [wave5] Call trace: wave5_vdi_read_register+0x10/0x38 [wave5] kthread_worker_fn+0xd8/0x238 kthread+0x104/0x120 ret_from_fork+0x10/0x20 Code: aa1e03e9 d503201f f9416800 8b214000 (b9400000) ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: synchronous external abort: Fatal exception
In the Linux kernel, the following vulnerability has been resolved: hfs: Replace BUG_ON with error handling for CNID count checks In a06ec283e125 next_id, folder_count, and file_count in the super block info were expanded to 64 bits, and BUG_ONs were added to detect overflow. This triggered an error reported by syzbot: if the MDB is corrupted, the BUG_ON is triggered. This patch replaces this mechanism with proper error handling and resolves the syzbot reported bug. Singed-off-by: Jori Koolstra <jkoolstra@xs4all.nl>
Local denial of service in Linux kernel ring-buffer tracing code allows authenticated local users to crash the system by triggering invalid memory access through malformed event length fields. The vulnerability exists in rb_read_data_buffer(), which validates possibly corrupted ring buffers at boot but fails to verify event lengths are within acceptable ranges before calculating buffer offsets. EPSS exploitation probability is very low at 0.02%, and no public exploit code or active exploitation has been identified.
In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: q6asm: drop DSP responses for closed data streams 'Commit a354f030dbce ("ASoC: qcom: q6asm: handle the responses after closing")' attempted to ignore DSP responses arriving after a stream had been closed. However, those responses were still handled, causing lockups. Fix this by unconditionally dropping all DSP responses associated with closed data streams.
Denial of service in Linux kernel APEI/GHES ARM processor error handling allows local authenticated attackers to trigger kernel oops by crafting malformed ARM Processor Error records with incomplete or oversized section data, causing out-of-bounds memory dereference. CVSS 5.5 (local, low complexity, authenticated, availability impact only) with EPSS 0.02% indicates low real-world exploitation probability despite public patch availability.
In the Linux kernel, the following vulnerability has been resolved: nfsd: fix nfs4_file refcount leak in nfsd_get_dir_deleg() Claude pointed out that there is a nfs4_file refcount leak in nfsd_get_dir_deleg(). Ensure that the reference to "fp" is released before returning.
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Adjust PHY FSM transition to TX_EN-to-PLL_ON for TMDS on DCN35 [Why] A backport of the change made for DCN401 that addresses an issue where we turn off the PHY PLL when disabling TMDS output, which causes the OTG to remain stuck. The OTG being stuck can lead to a hang in the DCHVM's ability to ACK invalidations when it thinks the HUBP is still on but it's not receiving global sync. The transition to PLL_ON needs to be atomic as there's no guarantee that the thread isn't pre-empted or is able to complete before the IOMMU watchdog times out. [How] Backport the implementation from dcn401 back to dcn35. There's a functional difference in when the eDP output is disabled in dcn401 code so we don't want to utilize it directly.
In the Linux kernel, the following vulnerability has been resolved: media: v4l2-async: Fix error handling on steps after finding a match Once an async connection is found to be matching with an fwnode, a sub-device may be registered (in case it wasn't already), its bound operation is called, ancillary links are created, the async connection is added to the sub-device's list of connections and removed from the global waiting connection list. Further on, the sub-device's possible own notifier is searched for possible additional matches. Fix these specific issues: - If v4l2_async_match_notify() failed before the sub-notifier handling, the async connection was unbound and its entry removed from the sub-device's async connection list. The latter part was also done in v4l2_async_match_notify(). - The async connection's sd field was only set after creating ancillary links in v4l2_async_match_notify(). It was however dereferenced in v4l2_async_unbind_subdev_one(), which was called on error path of v4l2_async_match_notify() failure.
In the Linux kernel, the following vulnerability has been resolved: media: ipu6: Fix RPM reference leak in probe error paths Several error paths in ipu6_pci_probe() were jumping directly to out_ipu6_bus_del_devices without releasing the runtime PM reference. Add pm_runtime_put_sync() before cleaning up other resources.
In the Linux kernel, the following vulnerability has been resolved: clk: rs9: Reserve 8 struct clk_hw slots for for 9FGV0841 The 9FGV0841 has 8 outputs and registers 8 struct clk_hw, make sure there are 8 slots for those newly registered clk_hw pointers, else there is going to be out of bounds write when pointers 4..7 are set into struct rs9_driver_data .clk_dif[4..7] field. Since there are other structure members past this struct clk_hw pointer array, writing to .clk_dif[4..7] fields corrupts both the struct rs9_driver_data content and data around it, sometimes without crashing the kernel. However, the kernel does surely crash when the driver is unbound or during suspend. Fix this, increase the struct clk_hw pointer array size to the maximum output count of 9FGV0841, which is the biggest chip that is supported by this driver.
In the Linux kernel, the following vulnerability has been resolved: io_uring/zcrx: fix post open error handling Closing a queue doesn't guarantee that all associated page pools are terminated right away, let the refcounting do the work instead of releasing the zcrx ctx directly.
Kernel panic occurs in Linux kernel USB gadget driver (dwc3) when vbus_draw function executes PMIC power-supply APIs from atomic context, causing sleep operations in non-sleepable context. The vulnerability affects Linux kernel versions prior to 5.13 and various stable series (6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0) and is resolved by deferring vbus_draw operations to workqueue context. Local authenticated users with privilege level PR:L can trigger denial of service by invoking affected USB gadget functionality, with EPSS exploitation probability at 0.02% percentile indicating extremely low practical risk despite moderate CVSS severity.
Denial of service via kernel panic in the DRM buddy allocator when rounded allocation sizes exceed available memory. Local authenticated attackers can trigger a BUG_ON() crash by requesting contiguous or large-aligned GPU memory allocations that, after power-of-two or block-size rounding, exceed the total VRAM size. Example: a 9GB contiguous allocation request on 10GB VRAM rounds to 16GB, causing immediate kernel panic. No authentication bypass or privilege escalation; requires local access and appropriate user permissions to invoke DRM allocator.
Resource leak in Linux kernel xfrm (IPsec) subsystem allows local authenticated users to exhaust kernel memory and trigger denial of service by preventing proper cleanup of IPsec hardware offload device references during network device unregistration. The vulnerability affects XFRM state management when IPsec hardware offloading is configured, particularly when the hardware offload capability (NETIF_F_HW_ESP) is disabled after state creation but before device removal.
Hard-lock denial of service in the Linux kernel's Intel VT-d IOMMU subsystem affects systems running PCIe passthrough configurations (QEMU, DPDK) without scalable mode enabled. When a PCIe endpoint's link drops - through surprise removal, link fault, or process termination - the kernel enters an indefinite wait inside qi_submit_sync() attempting an ATS invalidation that the disconnected device can never acknowledge. The existing partial fix (commit 4fc82cd907ac) guards this path only when Intel IOMMU scalable mode is active, leaving non-scalable-mode deployments unprotected. No public exploit identified at time of analysis and EPSS is 0.02%, but the impact is a complete host freeze with no recovery path short of power cycling.
In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: Intel: hda: Fix NULL pointer dereference If there's a mismatch between the DAI links in the machine driver and the topology, it is possible that the playback/capture widget is not set, especially in the case of loopback capture for echo reference where we use the dummy DAI link. Return the error when the widget is not set to avoid a null pointer dereference like below when the topology is broken. RIP: 0010:hda_dai_get_ops.isra.0+0x14/0xa0 [snd_sof_intel_hda_common]
Null pointer dereference in the Linux kernel AMD power management (drm/amd/pm) subsystem causes denial of service when SMU (System Management Unit) is disabled during RAS (Reliability, Availability, and Serviceability) initialization. Local authenticated attackers with low privileges can trigger this crash on affected systems, resulting in kernel panic and system unavailability. EPSS exploitation probability is very low (0.02%), indicating this requires specific configuration and local access.
Linux kernel page fault in ima_restore_measurement_list() when the second-stage kernel is booted via kexec with memory-limiting command lines such as 'mem=<size>' allows local authenticated users to cause a denial of service by triggering an out-of-bounds memory access. The vulnerability occurs on x86_64 architectures when the IMA measurement buffer from the previous kernel falls outside the addressable RAM of the new kernel, resulting in a kernel panic during early IMA restoration.
Memory leak in rtw88 WiFi driver allows local authenticated attackers to cause denial of service via supported band allocation failure. The rtw_set_supported_band() function in the rtl8821ce WiFi driver failed to free allocated memory in error paths during hardware registration, enabling a local privilege escalation attack that exhausts kernel memory. EPSS exploitation probability is very low (0.02%), indicating this is a hardening fix rather than a critical vulnerability.
Resource leak in Linux kernel's most_register_interface() function allows local attackers with low privileges to cause denial of service through memory exhaustion. The vulnerability occurs when most_register_interface() fails during early initialization stages, returning error codes without properly releasing allocated device resources via put_device(). Patch versions 6.12.75, 6.18.16, 6.19.6, and 7.0 address this issue.
Data race conditions in the Linux kernel Bluetooth subsystem allow local authenticated attackers to cause denial of service by triggering concurrent access to hdev->req_status without proper synchronization. The vulnerability exists in the HCI synchronous command processing path where __hci_cmd_sync_sk() and multiple other functions access the same variable across different workqueues without holding locks, potentially causing memory corruption or system hangs.
Denial of service in Linux kernel tiny SRCU (Synchronize-RCU) subsystem allows local authenticated attackers to trigger a system hang or crash by invoking call_srcu() while holding scheduler locks, causing a circular lock dependency and potential deadlock. The vulnerability affects kernel versions before 6.19.14 and 7.0, with EPSS score of 0.02% indicating low real-world exploitation probability despite moderate CVSS severity.
A denial of service vulnerability in the Linux kernel's Qualcomm PD mapper service registry causes system crashes due to mismatched string element length validation in servreg_loc_pfr_req_ei. When a process daemon crashes and triggers a service registry location request, the QMI decoder rejects the reason field because its declared maximum length (65 bytes) is smaller than the actual field size (81 bytes), causing a decoding error and system halt. This affects all Linux kernel versions prior to the patch, triggered by local processes with standard user privileges.
Denial of service in Linux kernel xfrm (IPsec transform) subsystem allows local authenticated attackers to trigger a kernel panic via improper netlink message size calculation when handling XFRM_MSG_GETAE requests for states with interface ID set. The xfrm_aevent_msgsize() function fails to account for XFRMA_IF_ID attribute space, causing build_aevent() to exceed buffer bounds and hit a BUG_ON assertion, resulting in kernel crash. EPSS exploitation probability is very low at 0.02% despite the local attack vector, suggesting limited real-world impact.
Memory leak in the Linux kernel's Direct Rendering Manager (DRM) vc4 driver allows local authenticated attackers to exhaust kernel memory and trigger a denial of service condition. The vulnerability stems from a missing kfree() call in vc4_free_hang_state() that fails to release a separately allocated BO (buffer object) array, enabling persistent memory exhaustion through repeated hang state operations.
Memory leak in the Linux kernel's vc4 DRM driver allows local authenticated attackers to cause denial of service via memory exhaustion in hang state error handling. The vc4_save_hang_state() function fails to free allocated kernel_state memory on early return paths, enabling a local user with limited privileges to trigger repeated memory leaks and degrade system availability.
Denial of service in Linux kernel lapbether driver allows local authenticated attackers to crash the system by triggering a device type change that violates the ARPHRD_ETHER requirement when transmitting data. The vulnerability exists in the lapbeth_data_transmit() function which assumes the underlying device type remains Ethernet; a local user with low privileges can manipulate the bonding driver to change the device type, causing the kernel to reach an unhandled state and crash. EPSS score of 0.02% indicates low real-world exploitation probability despite the vulnerability being patched across multiple kernel versions.
Denial of service via NULL pointer dereference in the NFC s3fwrn5 driver's UART receive handler allows local authenticated attackers to crash the system. The vulnerability exists in s3fwrn82_uart_read() which consumes bytes from the serial device before allocating a fresh receive buffer; if memory allocation fails after bytes are already consumed, the function incorrectly reports success while leaving the receive buffer NULL, causing a NULL dereference on the next skb_put_u8() call. This affects Linux kernel versions 5.11 and later, with patches available for stable branches 6.6.136, 6.12.83, 6.18.24, 6.19.14, and 7.0.
Linux kernel ASoC SDCA subsystem crashes on sound card teardown due to IRQ lifecycle mismanagement, causing a local denial of service. IRQ handlers registered via devm_request_threaded_irq() during component probe retain stale references to freed card and kcontrol structures after the sound card is torn down, resulting in null or dangling pointer dereferences and kernel panic. Exploitation requires local low-privilege access and SDCA-capable audio hardware; no public exploit exists and EPSS is extremely low at 0.02% (5th percentile).
NULL pointer dereference in the Linux kernel ixgbevf driver crashes Hyper-V guest VMs during device probe, causing a kernel panic and complete denial of service. The regression was introduced when commit a7075f501bd3 added a .negotiate_features callback to ixgbe_mac_operations and populated it for the standard ops table (ixgbevf_mac_ops) but omitted it from the Hyper-V-specific table (ixgbevf_hv_mac_ops), leaving that pointer NULL on Hyper-V guests. Any Linux system running on Microsoft Hyper-V with an Intel ixgbevf virtual NIC is subject to an automatic kernel crash at module load or boot; no public exploit has been identified at time of analysis and EPSS is 0.02%, reflecting a narrow but reliable impact on the specific deployment combination.
The AF_XDP socket subsystem (xsk) in the Linux kernel fails to validate that a network device's MTU fits within the usable UMEM frame space at bind time, allowing a local low-privileged user to trigger a kernel denial of service. Usable frame space - chunk size minus headroom and tailroom - can fall below a standard 1500-byte MTU when 2k chunks are used, a gap that became exploitable once tailroom subtraction was introduced. The kernel also omits validation of hardware zero-copy capabilities via net_device::xdp_zc_max_segs. No public exploit has been identified and EPSS is 0.02% (5th percentile), indicating low immediate exploitation risk.
Reference count leak in the Linux kernel's xfrm IPsec subsystem allows a local low-privileged attacker to exhaust kernel memory, resulting in denial of service. The defect resides in xfrm_migrate_policy_find(), where xfrm_pol_hold_rcu() is called twice - once implicitly by the lookup path (which already returns a held reference) and once redundantly - creating a refcount imbalance that prevents memory reclamation. Discovered by the Linux Verification Center using Syzkaller fuzzing; no public exploit identified at time of analysis, and EPSS is very low at 0.02% (5th percentile), indicating minimal observed exploitation activity.
Uninitialized kernel memory is leaked to userspace through the xfrm_user subsystem's build_mapping() function in the Linux Kernel, where a one-byte compiler padding hole in struct xfrm_usersa_id after the proto field is never zeroed before the structure is copied across the kernel/userspace boundary. Authenticated local users with access to XFRM netlink interfaces can read this stale padding byte, potentially extracting kernel stack or heap fragments usable as an information disclosure primitive. No public exploit exists and EPSS is 0.02% (5th percentile), indicating negligible real-world exploitation probability at this time.
Linux kernel PF_KEY IPSEC key management exports leak uninitialized kernel memory via SADB_ACQUIRE, SADB_X_NAT_T_NEW_MAPPING, and SADB_X_MIGRATE messages, allowing local authenticated users to disclose sensitive kernel memory. EPSS score of 0.02% (percentile 5%) indicates minimal real-world exploitation despite patch availability. The 4-byte information leak per message could enable ASLR bypass and kernel address disclosure attacks.
Kernel crash in the Linux pinctrl mcp23s08 driver triggers a NULL pointer dereference during device probe when an MCP23S08/MCP23008 GPIO expander retains non-zero interrupt-on-change state across a warm reboot. The crash occurs because the driver's IRQ handler fires against pins whose nested IRQ handlers have not yet been registered, causing an unhandled kernel oops and system denial of service. Exploitation is local and device-specific; no public exploit identified at time of analysis, and EPSS remains at 0.02% (5th percentile) consistent with no observed in-the-wild triggering.
NULL pointer dereference in the Linux kernel IPVS subsystem causes a kernel panic during IPVS service creation failure cleanup, resulting in a full host denial of service. Affected kernels from 6.2 onward contain a logic error in ip_vs_add_service() where a successful scheduler bind sets the local sched variable to NULL; if ip_vs_start_estimator() subsequently fails, the error path calls ip_vs_unbind_scheduler() with that NULL pointer, dereferencing offset 0x30 and triggering a general protection fault. Exploitation requires local authenticated access with CAP_NET_ADMIN privileges; no public exploit is identified and EPSS is 0.02%, indicating very low exploitation probability.
Kernel heap memory disclosure in Linux netfilter's nfnetlink_log subsystem exposes four bytes of stale kernel memory to unprivileged local userspace processes when NFLOG batch mode is active. The flaw exists in __nfulnl_send(), which appends an NLMSG_DONE terminator using nlmsg_put() - a helper that zero-pads alignment bytes but does not initialize the nfgenmsg payload itself - resulting in uninitialized kernel heap data transmitted to any userspace NFLOG consumer. No public exploit code exists and no active exploitation has been confirmed; however, CVSS vector AV:L/AC:L/PR:L signals that low-privileged local users can reliably trigger the leak without any special conditions beyond NFLOG batching being in use.
Denial-of-service via off-by-one allocation in the Linux kernel txgbe network driver allows a local low-privileged user to crash the kernel on systems hosting Wangxun 10GbE NICs. The driver allocates property_entry struct lists without reserving the mandatory null-terminator sentinel slot, meaning kernel subsystems iterating over the list read beyond allocated memory bounds. No active exploitation has been identified and EPSS is extremely low (0.02%, 5th percentile), but patches are available across multiple stable kernel branches including 6.6.136, 6.12.83, 6.18.24, 6.19.14, and 7.0.
Incorrect GENERIC_CMD register field masks in the Linux kernel's IPA (IP Accelerator) network driver for IPA v5.0+ hardware trigger a kernel WARN when a 'stop' command is sent to the MPSS (Modem Processor SubSystem) remoteproc while IPA is active. This availability-only vulnerability (CVSS C:N/I:N/A:H) affects authenticated local users on systems with Qualcomm IPA v5.0+ silicon. No public exploit exists and no KEV listing is present; with an EPSS of 0.02% this is a low-urgency stability fix rather than an active threat.
Integer overflow in the Linux kernel's l2tp subsystem allows a local low-privileged attacker to cause a denial of service by sending oversized packets through a PPPoL2TP socket with UDP encapsulation. In l2tp_xmit_core() (net/l2tp/l2tp_core.c:1293), the UDP length field - constrained to 16 bits - is assigned a packet length value without any bounds check, silently truncating values exceeding 65535 bytes and producing malformed UDP frames on the wire or triggering a kernel WARN. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but a syzbot reproducer is publicly documented in the upstream patch discussion.
Out-of-bounds array write in the Linux kernel's Intel uncore PMU driver (`perf/x86/intel/uncore`) causes denial of service on affected Intel multi-die x86 systems. The driver fails to skip discovery table parsing for dies whose CPUs are all offline at boot, allowing the assignment `pmu->boxes[die] = box` in `uncore_pci_pmu_register()` to overflow the boxes array, triggering a kernel WARN or potential memory corruption. Exploitation requires local low-privilege access under a specific hardware and boot configuration; no public exploit exists and EPSS is 0.02%, indicating negligible real-world exploitation likelihood.
NULL pointer dereference in the Linux kernel's amdgpu RAS (Reliability, Availability, and Serviceability) driver crashes the kernel when a local user reads the sysfs badpages interface on a system whose AMD GPU EEPROM contains only invalid address entries. The driver skips RAS data allocation under this condition, and the subsequent read of `amdgpu_ras_sysfs_badpages_read` dereferences the uninitialized pointer, producing a kernel panic and complete denial of service. No public exploit exists and no active exploitation has been identified; EPSS is 0.02% (4th percentile), reflecting very low real-world risk.
Memory exhaustion denial-of-service in the Linux kernel's ti_fpc202 misc driver allows a local low-privileged user to degrade system availability through a memory leak introduced in the probe function. The root cause is improper release of device tree child node references during driver initialization when iterating over nodes, classified as CWE-401 (Missing Release of Memory after Effective Lifetime). No active exploitation is confirmed - no public exploit identified at time of analysis - and the extremely low EPSS score of 0.02% (4th percentile) reflects the niche hardware dependency and local-only attack surface.
Null pointer dereference in the Linux kernel QRTR (Qualcomm IPC Router) driver via MHI auto_queue feature causes denial of service on Qualcomm X1E80100 CRD machines during boot. The vulnerability occurs when the MHI stack invokes the DL (downlink) callback before the QRTR client driver is fully probed, accessing uninitialized driver structures. A local privileged attacker can trigger kernel panic by exploiting the race condition between MHI buffer auto-queuing and driver initialization, affecting systems relying on QRTR over MHI transport.
In the Linux kernel, the following vulnerability has been resolved: RDMA/ionic: Fix potential NULL pointer dereference in ionic_query_port The function ionic_query_port() calls ib_device_get_netdev() without checking the return value which could lead to NULL pointer dereference, Fix it by checking the return value and return -ENODEV if the 'ndev' is NULL.
In the Linux kernel, the following vulnerability has been resolved: ring-buffer: Fix possible dereference of uninitialized pointer There is a pointer head_page in rb_meta_validate_events() which is not initialized at the beginning of a function. This pointer can be dereferenced if there is a failure during reader page validation. In this case the control is passed to "invalid" label where the pointer is dereferenced in a loop. To fix the issue initialize orig_head and head_page before calling rb_validate_buffer. Found by Linux Verification Center (linuxtesting.org) with SVACE.
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: fix potential zero beacon interval in beacon tracking During fuzz testing, it was discovered that bss_conf->beacon_int might be zero, which could result in a division by zero error in subsequent calculations. Set a default value of 100 TU if the interval is zero to ensure stability.