Skip to main content

Linux Kernel CVE-2026-31544

| EUVDEUVD-2026-25437 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-04-24 Linux GHSA-fc2q-2cf4-p9xr
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
Apr 28, 2026 - 18:37 vuln.today
CVSS changed
Apr 28, 2026 - 18:37 NVD
5.5 (MEDIUM)
Patch released
Apr 28, 2026 - 18:32 nvd
Patch available
Patch available
Apr 24, 2026 - 16:01 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25437
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:33 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

firmware: arm_scmi: Fix NULL dereference on notify error path

Since commit b5daf93b809d1 ("firmware: arm_scmi: Avoid notifier registration for unsupported events") the call chains leading to the helper __scmi_event_handler_get_ops expect an ERR_PTR to be returned on failure to get an handler for the requested event key, while the current helper can still return a NULL when no handler could be found or created.

Fix by forcing an ERR_PTR return value when the handler reference is NULL.

AnalysisAI

A NULL pointer dereference in the Linux kernel ARM SCMI firmware driver allows local authenticated users to trigger a denial of service by causing the system to crash. The vulnerability exists in the __scmi_event_handler_get_ops helper function, which can return NULL instead of the expected ERR_PTR on failure, causing downstream code to dereference a NULL pointer when handling unsupported SCMI events. The flaw was introduced in commit b5daf93b809d1 and affects multiple stable kernel versions; patches are available in Linux 6.18.20, 6.19.10, and 7.0.

Technical ContextAI

The Linux kernel ARM SCMI (System Control and Management Interface) firmware driver provides communication between the operating system and firmware for system management operations. The vulnerability resides in the firmware notification handler subsystem, specifically in the __scmi_event_handler_get_ops function within drivers/firmware/arm_scmi/notify.c. After commit b5daf93b809d1, callers of this function expect an ERR_PTR (error pointer) to be returned on failure, allowing proper error checking via IS_ERR() macros. However, the function can still return NULL when no handler is found or created, which causes NULL pointer dereference (CWE-476) when downstream code attempts to dereference the returned pointer without checking for NULL. The root cause is a type inconsistency in the error signaling mechanism: the function should consistently use ERR_PTR for all failure cases, not mix NULL and ERR_PTR returns.

RemediationAI

Update to patched kernel versions: Linux 6.18.20, 6.19.10, or 7.0, whichever aligns with your stable release branch. Users on older stable branches (6.17 or earlier) should cherry-pick the fix commit (70d9bd9a2e683afe6200b0c20af22f06f1a199a4, 8414d2800c34528467df23ce6192c254a73e4459, or 555317d6100164748f7d09f80142739bd29f0cda) into their kernel source and rebuild. The fix modifies __scmi_event_handler_get_ops to return ERR_PTR(-ENODEV) instead of NULL when no handler is found, ensuring consistent error handling throughout the SCMI notification chain. For systems that cannot immediately patch, restrict local user access via principle of least privilege: disable non-essential user accounts, enforce strong authentication, and limit shell access to trusted administrators. Monitor kernel logs for SCMI-related errors or unexpected crashes, which may indicate exploitation attempts. Since the vulnerability requires local authenticated access, network-facing mitigations are not applicable; focus hardening efforts on local access controls and privilege escalation vectors.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31544 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy