Skip to main content

Linux Kernel CVE-2026-45909

| EUVDEUVD-2026-32375 HIGH
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-x3cq-3vgp-fhqq
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
CVE Published
Jun 22, 2026 - 06:03 cve.org
HIGH 7.8
Analysis Generated
May 30, 2026 - 11:27 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

clk: mediatek: Drop __initconst from gates

Since commit 8ceff24a754a ("clk: mediatek: clk-gate: Refactor mtk_clk_register_gate to use mtk_gate struct") the mtk_gate structs are no longer just used for initialization/registration, but also at runtime. So drop __initconst annotations.

AnalysisAI

Local privilege escalation potential in the Linux kernel's MediaTek clock gate driver stems from incorrect use of __initconst annotations on mtk_gate structures that are accessed at runtime, not just during initialization. After kernel init completes, the memory backing these structs is freed, so any runtime access reads freed memory - affecting Linux 6.18 prior to stable releases 6.18.14 and 6.19.4. CVSS rates this 7.8 (High) with local attack vector; EPSS is 0.02% and no public exploit identified at time of analysis.

Technical ContextAI

The issue lives in drivers/clk/mediatek (the Common Clock Framework implementation for MediaTek SoCs). Commit 8ceff24a754a refactored mtk_clk_register_gate to consume mtk_gate structs at runtime rather than only at registration, but the structs retained __initconst markings. The __initconst attribute places data in the .init.rodata section, which the kernel discards (frees and may reuse) after boot via free_initmem(). Subsequent runtime accesses therefore touch memory whose contents are undefined or repurposed, producing a use-after-free style memory-safety condition. While no CWE is assigned in the input, this pattern aligns with CWE-416 (Use After Free) / CWE-825 (Expired Pointer Dereference) on freed init memory specific to MediaTek-platform kernels (e.g., ARM64 MediaTek SoCs used in Chromebooks, routers, and Android devices).

RemediationAI

Upstream fix available (commits 866d8ecc, 1debd9ba, 871afb43 on git.kernel.org/stable) - upgrade to Linux 6.18.14 or 6.19.4 or later, which drop the __initconst annotation from mtk_gate structures so the data persists for runtime use. Distribution users should pull the corresponding stable kernel from their vendor (Debian, Ubuntu, Red Hat, ChromeOS, Android Common Kernel) once it rebases onto these stable points. If immediate patching isn't possible on MediaTek-platform devices, compensating controls are limited because the vulnerable code path runs whenever the clock gate driver is touched; restrict local shell/unprivileged code execution on affected devices (e.g., tighten seccomp, disable unnecessary user accounts, block untrusted app installs on Android/ChromeOS variants) - the trade-off is reduced flexibility for legitimate local tooling. Patch commit refs: https://git.kernel.org/stable/c/866d8ecc4e789f7d73d6cafd1b122d1b6032b3b1 , https://git.kernel.org/stable/c/1debd9ba7eb18af8fb63dc93517c6bbcab0e31ee , https://git.kernel.org/stable/c/871afb43e41ad4e8246438de495a939cd0f8113c .

CVE-2017-3216 CRITICAL POC
9.8 Jun 20

WiMAX routers based on the MediaTek SDK (libmtk) that use a custom httpd plugin are vulnerable to an authentication bypa

CVE-2019-15027 CRITICAL POC
9.8 Aug 14

The MediaTek Embedded Multimedia Card (eMMC) subsystem for Android on MT65xx, MT66xx, and MT8163 SoC devices allows atta

CVE-2016-6492 HIGH POC
7.8 Jan 12

The MT6573FDVT_SetRegHW function in camera_fdvt.c in the MediaTek driver for Linux allows local users to gain privileges

CVE-2021-37584 HIGH
8.8 Dec 26

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle the WPS (Wi-Fi Protected

CVE-2021-37583 HIGH
8.8 Dec 26

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols. Rat

CVE-2021-37571 HIGH
8.8 Dec 26

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols. Rat

CVE-2021-37569 HIGH
8.8 Dec 26

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols. Rat

CVE-2021-37568 HIGH
8.8 Dec 26

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols. Rat

CVE-2021-37566 HIGH
8.8 Dec 26

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols. Rat

CVE-2021-37563 HIGH
8.8 Dec 26

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle the WPS (Wi-Fi Protected

CVE-2021-37561 HIGH
8.8 Dec 26

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle the WPS (Wi-Fi Protected

CVE-2021-37560 HIGH
8.8 Dec 26

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle the WPS (Wi-Fi Protected

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-45909 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy