Skip to main content

Linux Kernel CVE-2026-31744

| EUVDEUVD-2026-26557 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-01 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 07, 2026 - 19:38 vuln.today
CVSS changed
May 07, 2026 - 19:37 NVD
5.5 (MEDIUM)
Patch available
May 01, 2026 - 16:02 EUVD
Patch released
May 01, 2026 - 15:24 nvd
Patch available
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26557
CVE Published
May 01, 2026 - 14:14 nvd
MEDIUM 5.5
CVE Published
May 01, 2026 - 14:14 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

PM: EM: Fix NULL pointer dereference when perf domain ID is not found

dev_energymodel_nl_get_perf_domains_doit() calls em_perf_domain_get_by_id() but does not check the return value before passing it to __em_nl_get_pd_size(). When a caller supplies a non-existent perf domain ID, em_perf_domain_get_by_id() returns NULL, and __em_nl_get_pd_size() immediately dereferences pd->cpus (struct offset 0x30), causing a NULL pointer dereference.

The sister handler dev_energymodel_nl_get_perf_table_doit() already handles this correctly via __em_nl_get_pd_table_id(), which returns NULL and causes the caller to return -EINVAL. Add the same NULL check in the get-perf-domains do handler.

[ rjw: Subject and changelog edits ]

AnalysisAI

Denial of service in Linux kernel energy model netlink handler allows local authenticated attackers to crash the system via NULL pointer dereference when requesting non-existent performance domain IDs. The dev_energymodel_nl_get_perf_domains_doit() function fails to validate the return value from em_perf_domain_get_by_id() before dereferencing the performance domain structure, causing immediate kernel panic when an invalid domain ID is supplied. EPSS exploitation probability is very low (0.02%, 5th percentile), and no public exploit code or active exploitation has been identified.

Technical ContextAI

The vulnerability exists in the Linux kernel's Energy Model (EM) subsystem, specifically in the netlink-based device energy model interface. The Energy Model is a power management framework used to estimate energy consumption across CPU performance states. The vulnerable code path is triggered through the dev_energymodel_nl_get_perf_domains_doit() netlink handler, which queries performance domain information via em_perf_domain_get_by_id(). The root cause is a missing NULL pointer check (CWE-476) that was already implemented in the sister function dev_energymodel_nl_get_perf_table_doit(). When em_perf_domain_get_by_id() returns NULL due to an invalid domain ID, the subsequent call to __em_nl_get_pd_size() immediately dereferences pd->cpus at struct offset 0x30 without validation, triggering a kernel NULL pointer dereference and system crash.

RemediationAI

Patch to Linux kernel version 6.19.12 or later, or apply commits ab09b9a1e3b02ff62c5aebe3b12b0cb4cb4ea8ab and 9badc2a84e688be1275bb740942d5f6f51746908 from git.kernel.org/stable. The fix adds a NULL pointer check immediately after calling em_perf_domain_get_by_id() in dev_energymodel_nl_get_perf_domains_doit(), returning -EINVAL if the performance domain is not found, mirroring the existing protection in the sister function. For systems unable to immediately patch, restrict access to netlink sockets used for energy model queries to trusted administrative users only, though this is typically the default configuration. No workarounds beyond kernel upgrade are recommended, as the fix is straightforward and low-risk. See https://git.kernel.org/stable/c/ab09b9a1e3b02ff62c5aebe3b12b0cb4cb4ea8ab and https://git.kernel.org/stable/c/9badc2a84e688be1275bb740942d5f6f51746908 for patch details.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31744 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy