Skip to main content

Linux Kernel CVE-2026-31749

| EUVDEUVD-2026-26562 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-01 Linux
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 07, 2026 - 21:45 vuln.today
CVSS changed
May 07, 2026 - 19:22 NVD
5.5 (MEDIUM)
Patch available
May 01, 2026 - 16:02 EUVD
Patch released
May 01, 2026 - 15:24 nvd
Patch available
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26562
CVE Published
May 01, 2026 - 14:14 nvd
MEDIUM 5.5
CVE Published
May 01, 2026 - 14:14 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

comedi: ni_atmio16d: Fix invalid clean-up after failed attach

If the driver's COMEDI "attach" handler function (atmio16d_attach()) returns an error, the COMEDI core will call the driver's "detach" handler function (atmio16d_detach()) to clean up. This calls reset_atmio16d() unconditionally, but depending on where the error occurred in the attach handler, the device may not have been sufficiently initialized to call reset_atmio16d(). It uses dev->iobase as the I/O port base address and dev->private as the pointer to the COMEDI device's private data structure. dev->iobase may still be set to its initial value of 0, which would result in undesired writes to low I/O port addresses. dev->private may still be NULL, which would result in null pointer dereferences.

Fix atmio16d_detach() by checking that dev->private is valid (non-null) before calling reset_atmio16d(). This implies that dev->iobase was set correctly since that is set up before dev->private.

AnalysisAI

Null pointer dereference and invalid I/O port writes in the Linux kernel's comedi ni_atmio16d driver occur when the device attach handler fails, causing the detach handler to call reset_atmio16d() with uninitialized device state. Local privileged attackers can trigger a denial of service by causing attach to fail, resulting in kernel memory access violations or writes to address zero. No public exploit code or active exploitation has been identified; patch versions are available from the Linux kernel stable branches.

Technical ContextAI

The vulnerability exists in the COMEDI (Control and Measurement Device Interface) subsystem's National Instruments ATMIO16D driver module. The comedi framework expects drivers to implement attach and detach handlers; if attach fails, the core automatically invokes detach for cleanup. The ni_atmio16d driver's detach function (atmio16d_detach) unconditionally calls reset_atmio16d(), which reads dev->iobase (I/O port base address) and dev->private (pointer to driver-private data). If attach fails early, dev->iobase may remain at its initialized value of 0 and dev->private may be NULL. This creates two failure modes: writing to I/O port 0 (undesired I/O operations) and dereferencing a NULL pointer (kernel panic). The root cause is CWE-476 (Null Pointer Dereference) combined with insufficient state validation in the error path.

RemediationAI

Apply the vendor-released kernel patch by upgrading to a patched stable version: Linux 6.12.81 or later for 6.12.x users, 6.11.x users should upgrade to 6.12.81 or later, 6.6.134 or later for 6.6.x, 6.1.168 or later for 6.1.x, 5.15.203 or later for 5.15.x, or 5.10.253 or later for 5.10.x. The fix adds a NULL check for dev->private before calling reset_atmio16d() in atmio16d_detach(). For systems unable to immediately patch, temporarily disable the ni_atmio16d driver module (modprobe -r ni_atmio16d) if not required for production data acquisition; this eliminates the attack surface but halts ATMIO16D functionality. Alternatively, restrict access to device initialization paths using SELinux or AppArmor to prevent unprivileged users from triggering attach-time errors. The patch introduces minimal overhead (one pointer comparison) with no functional side effects. Upstream fixes are available at kernel.org stable branches referenced in the git commit links provided.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31749 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy