Skip to main content

Linux Kernel CVE-2026-45876

| EUVDEUVD-2026-32342 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-c8fp-ff95-66mv
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local low-privilege access suffices to trigger GCS allocation failure causing kernel DoS; no confidentiality or integrity impact applies.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 25, 2026 - 21:27 vuln.today
CVSS changed
Jun 25, 2026 - 21:22 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

arm64/gcs: Fix error handling in arch_set_shadow_stack_status()

alloc_gcs() returns an error-encoded pointer on failure, which comes from do_mmap(), not NULL.

The current NULL check fails to detect errors, which could lead to using an invalid GCS address.

Use IS_ERR_VALUE() to properly detect errors, consistent with the check in gcs_alloc_thread_stack().

AnalysisAI

Error handling failure in the Linux kernel's arm64 Guarded Control Stack (GCS) subsystem allows a local low-privileged user on ARMv9 hardware to trigger a kernel denial of service by exploiting an incorrect NULL check in arch_set_shadow_stack_status(). Because alloc_gcs() propagates do_mmap() failures as error-encoded pointers rather than NULL, the existing guard is bypassed and the kernel proceeds to use an invalid GCS address, risking a kernel panic. No public exploit exists and EPSS sits at the 4th percentile, but the vulnerability is confirmed patched in Linux 6.18.14, 6.19.4, and 7.0.

Technical ContextAI

The vulnerable code resides in the Linux kernel's arm64 GCS (Guarded Control Stack) subsystem, specifically in arch_set_shadow_stack_status() within the arm64 memory management layer. GCS is an ARMv9 architectural security feature that enforces hardware-backed shadow stacks to protect return addresses against control-flow attacks. The internal function alloc_gcs() calls do_mmap() to allocate the shadow stack region; do_mmap() signals failure by returning an error-encoded pointer via the ERR_PTR() convention rather than NULL. The existing check 'if (!ptr)' evaluates to false for these non-NULL error pointers, silently bypassing the error path and allowing the subsequent code to treat an invalid kernel address as a valid GCS. The correct idiom, IS_ERR_VALUE() or IS_ERR(), is already used consistently in the sibling function gcs_alloc_thread_stack() in the same subsystem. CWE-476 (Null Pointer Dereference) approximates the fault class, though the precise mechanism is an improper error-return check on a pointer-encoded error value rather than a true null dereference.

RemediationAI

Upgrade the Linux kernel to version 6.18.14, 6.19.4, or 7.0, which replace the faulty NULL check with IS_ERR_VALUE() in arch_set_shadow_stack_status(), consistent with the already-correct gcs_alloc_thread_stack(). Fix commits are published at https://git.kernel.org/stable/c/53c998527ffa60f9deda8974a11ad39790684159, https://git.kernel.org/stable/c/a4741114c9622346c4bbb8cc2bbd88153616ffaf, and https://git.kernel.org/stable/c/c787a235deb33be6eda40beee8f561da5fd8cb8c. Distribution-specific kernel packages (Debian, Ubuntu, RHEL, etc.) should be monitored for backported fixes to long-term-stable branches. As a compensating control where patching is not immediately feasible, disabling GCS feature usage at the application or kernel configuration level prevents the vulnerable allocation path from being reached, at the cost of losing hardware shadow stack protection. Restricting local user account creation and enforcing least-privilege access policies reduces exposure but does not eliminate it, since PR:L (standard login accounts) is sufficient.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

CVE-2026-45876 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy