Skip to main content

Linux Kernel CVE-2026-43401

| EUVDEUVD-2026-28707 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-08 Linux GHSA-j7hx-vp8g-c83p
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 21, 2026 - 19:39 vuln.today
CVSS changed
May 21, 2026 - 19:37 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

cpufreq: intel_pstate: Fix NULL pointer dereference in update_cpu_qos_request()

The update_cpu_qos_request() function attempts to initialize the 'freq' variable by dereferencing 'cpudata' before verifying if the 'policy' is valid.

This issue occurs on systems booted with the "nosmt" parameter, where all_cpu_data[cpu] is NULL for the SMT sibling threads. As a result, any call to update_qos_requests() will result in a NULL pointer dereference as the code will attempt to access pstate.turbo_freq using the NULL cpudata pointer.

Also, pstate.turbo_freq may be updated by intel_pstate_get_hwp_cap() after initializing the 'freq' variable, so it is better to defer the 'freq' until intel_pstate_get_hwp_cap() has been called.

Fix this by deferring the 'freq' assignment until after the policy and driver_data have been validated.

[ rjw: Added one paragraph to the changelog ]

AnalysisAI

NULL pointer dereference in the Linux kernel's intel_pstate cpufreq driver crashes systems booted with the 'nosmt' parameter when CPU QoS requests are processed for SMT sibling threads. On 'nosmt'-booted systems, all_cpu_data[cpu] is NULL for disabled SMT siblings; update_cpu_qos_request() dereferences cpudata->pstate.turbo_freq before validating the policy pointer, producing a kernel panic and local denial of service. EPSS at 0.02% (4th percentile) reflects very low exploitation probability, no public exploit code has been identified, and no CISA KEV listing exists at time of analysis.

Technical ContextAI

The vulnerable code resides in the intel_pstate driver within the Linux kernel's cpufreq subsystem, which manages Intel CPU frequency scaling via Hardware-Controlled Performance (HWP). When the kernel is booted with the 'nosmt' parameter, SMT sibling CPU entries in the all_cpu_data[] array are left as NULL because those logical CPUs are disabled. The function update_cpu_qos_request() prematurely reads cpudata->pstate.turbo_freq to initialize the 'freq' variable before confirming that the associated cpufreq policy and driver_data are valid - a textbook CWE-476 (NULL Pointer Dereference) root cause. A secondary ordering issue compounds the bug: pstate.turbo_freq may be subsequently updated by intel_pstate_get_hwp_cap(), making the early 'freq' initialization stale even on non-NULL cpudata. The upstream fix defers the 'freq' assignment until after both policy and driver_data validation, and until after intel_pstate_get_hwp_cap() has been called. CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*.

RemediationAI

Upgrade the Linux kernel to a patched version: 6.18.19 or later for systems on the 6.18 stable series, 6.19.9 or later for systems on the 6.19 series, or 7.0 and later. Upstream fix commits are available at https://git.kernel.org/stable/c/6bfda7ce56e7d14a677b7bcd6c7a5009cc29aa88, https://git.kernel.org/stable/c/42738dffb7b0766a45882dff7989401d78f66f92, and https://git.kernel.org/stable/c/ab39cc4cb8ceecdc2b61747433e7237f1ac2b789. For systems that cannot be immediately patched, removing the 'nosmt' kernel boot parameter eliminates the NULL cpudata condition entirely - this re-enables SMT siblings and removes the vulnerability trigger, but restores SMT which may have been disabled for security reasons (e.g., Spectre/MDS mitigations). Alternatively, if 'nosmt' must remain, disabling the intel_pstate driver via the 'intel_pstate=disable' boot parameter prevents the vulnerable code path from being reached; note this reverts frequency scaling to acpi-cpufreq, potentially reducing power efficiency and fine-grained performance tuning on Intel HWP-capable systems.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43401 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy