Skip to main content

Linux Kernel CVE-2026-45877

| EUVDEUVD-2026-32343 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-69w2-j9pm-3jxm
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

Race condition requires specific timing between warm reset and client enumeration (AC:H); local low-privilege access needed per kernel workqueue context; pure availability impact via kernel panic.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 25, 2026 - 21:28 vuln.today
CVSS changed
Jun 25, 2026 - 21:22 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

HID: intel-ish-hid: fix NULL-ptr-deref in ishtp_bus_remove_all_clients

During a warm reset flow, the cl->device pointer may be NULL if the reset occurs while clients are still being enumerated. Accessing cl->device->reference_count without a NULL check leads to a kernel panic.

This issue was identified during multi-unit warm reboot stress clycles. Add a defensive NULL check for cl->device to ensure stability under such intensive testing conditions.

KASAN: null-ptr-deref in range [0000000000000000-0000000000000007] Workqueue: ish_fw_update_wq fw_reset_work_fn

Call Trace: ishtp_bus_remove_all_clients+0xbe/0x130 [intel_ishtp] ishtp_reset_handler+0x85/0x1a0 [intel_ishtp] fw_reset_work_fn+0x8a/0xc0 [intel_ish_ipc]

AnalysisAI

NULL pointer dereference in the Linux kernel's Intel ISH HID subsystem (intel_ishtp module) causes a kernel panic and local denial of service during warm reset operations. The ishtp_bus_remove_all_clients() function dereferences cl->device->reference_count without a NULL guard, which is reachable when a firmware reset interrupts ISH client enumeration mid-flight. No public exploit or active exploitation (CISA KEV) exists; EPSS probability is 0.02% at the 5th percentile, consistent with a timing-dependent, hardware-specific kernel crash path.

Technical ContextAI

The vulnerable component is the Intel Integrated Sensor Hub (ISH) HID driver, implemented across the intel_ishtp and intel_ish_ipc kernel modules. ISH is a dedicated microcontroller embedded in Intel SoCs (laptops, 2-in-1s) that aggregates sensor data (accelerometer, gyroscope, ambient light) via the ISHTP (ISH Transport Protocol) bus. The vulnerability is CWE-476 (NULL Pointer Dereference): during ishtp_bus_remove_all_clients(), the per-client cl->device pointer is assumed non-NULL, but a concurrent warm reset via the ish_fw_update_wq workqueue can interrupt client enumeration before cl->device is assigned. KASAN confirms the null-deref range [0x0000000000000000-0x0000000000000007], consistent with a zero-offset struct member access on a NULL pointer. CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - affects all Linux kernel versions from the introduction of the vulnerable code at commit 3703f53b99e4a7c373ce3568dd3f91f175ebb626 through the stable series patched in 6.12.75, 6.18.14, and 6.19.4.

RemediationAI

Vendor-released patches are confirmed available across multiple stable branches: upgrade to Linux 6.19.4 (commit 56f7db581ee73af53cd512e00a6261a025bf1d58 at https://git.kernel.org/stable/c/56f7db581ee73af53cd512e00a6261a025bf1d58), Linux 6.18.14 (commit feb4bcfd405282de60aba321f13a1272b30c5af4 at https://git.kernel.org/stable/c/feb4bcfd405282de60aba321f13a1272b30c5af4), or Linux 6.12.75 (commit 0b605e8ce60698c27a26f512968a597fd620d2e8 at https://git.kernel.org/stable/c/0b605e8ce60698c27a26f512968a597fd620d2e8). Distribution kernels (RHEL, Ubuntu, SUSE) should be updated once vendors backport these fixes. If immediate patching is not feasible, unloading the intel_ishtp and intel_ish_ipc kernel modules via modprobe -r intel_ishtp intel_ish_ipc eliminates the vulnerable code path entirely, at the cost of disabling all Intel ISH sensor functionality (ambient light, accelerometer, gyroscope on affected devices). Minimizing warm reset frequency during firmware update windows is an operational workaround but does not eliminate the race condition.

More in Intel

View all
CVE-2017-5689 CRITICAL POC
9.8 May 02

An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel Active Mana

CVE-2012-5958 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2012-5959 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5964 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5963 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5961 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5965 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5962 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5960 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2015-2291 HIGH POC
7.8 Aug 09

Local privilege escalation to SYSTEM in Intel Ethernet diagnostics driver (IQVW32.sys/IQVW64.sys versions before 1.3.1.0

CVE-2024-44308 HIGH
8.8 Nov 20

Arbitrary code execution in Apple Safari, iOS/iPadOS, macOS Sequoia, and visionOS occurs when processing maliciously cra

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

CVE-2026-45877 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy