Skip to main content

Linux Kernel CVE-2026-45968

| EUVDEUVD-2026-32252 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-2g8g-2643-4335
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access and low privileges suffice to trigger idle paths; crash yields complete availability loss with zero confidentiality or integrity impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 05:00 vuln.today
CVSS changed
Jun 16, 2026 - 02:52 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

cpuidle: Skip governor when only one idle state is available

On certain platforms (PowerNV systems without a power-mgt DT node), cpuidle may register only a single idle state. In cases where that single state is a polling state (state 0), the ladder governor may incorrectly treat state 1 as the first usable state and pass an out-of-bounds index. This can lead to a NULL enter callback being invoked, ultimately resulting in a system crash.

[ 13.342636] cpuidle-powernv : Only Snooze is available [ 13.351854] Faulting instruction address: 0x00000000 [ 13.376489] NIP [0000000000000000] 0x0 [ 13.378351] LR [c000000001e01974] cpuidle_enter_state+0x2c4/0x668

Fix this by adding a bail-out in cpuidle_select() that returns state 0 directly when state_count <= 1, bypassing the governor and keeping the tick running.

AnalysisAI

Null pointer dereference in the Linux kernel's cpuidle ladder governor crashes PowerNV systems when only a single idle state is registered - the governor incorrectly indexes into state 1 as if it were the first usable non-polling state, resulting in a NULL enter callback invocation and immediate kernel panic. Systems running IBM PowerNV hardware without a power-mgt device tree node are specifically at risk, as this firmware configuration causes cpuidle to register only the polling state (state 0). No public exploit code exists and EPSS probability is 0.02% (7th percentile), reflecting this is a platform-specific availability issue rather than a broadly exploitable attack surface; it is not listed in CISA KEV.

Technical ContextAI

The vulnerability resides in the Linux kernel's cpuidle subsystem, specifically in the ladder governor's state selection logic within cpuidle_select(). On PowerNV (IBM POWER Non-Virtualized) platforms without a power-mgt device tree node, cpuidle registers only a single idle state - the polling state at index 0. The ladder governor incorrectly assumes at least two states exist and begins iteration from index 1, which is an out-of-bounds access when state_count <= 1. This triggers a CWE-476 NULL pointer dereference when the governor attempts to invoke the enter callback for the nonexistent state 1, confirmed by the kernel fault at instruction address 0x00000000. The fix inserts an early return in cpuidle_select() to bypass the governor entirely and return state 0 directly when state_count <= 1, keeping the tick running. Affected CPE is cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* across multiple stable branches.

RemediationAI

Upgrade the Linux kernel to a patched stable release: 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, or 7.0. Upstream fixes are available via the kernel stable tree at git.kernel.org (see commits 4da2b897, 5c577ac9, 5d103a38, 63ae7833, 8f6833d9, a0724e40, a0f7e804, and e5c9ffc6). Distribution-specific kernel updates from Red Hat, SUSE, Debian, and Ubuntu should be monitored for backported fixes. As an immediate compensating control on unpatched PowerNV systems, booting with the kernel parameter cpuidle.off=1 disables the cpuidle subsystem entirely and prevents the crash, though this sacrifices CPU power management efficiency and may increase power draw and thermal load. Alternatively, adding a power-mgt device tree node to the platform firmware causes cpuidle to register additional idle states, eliminating the single-state edge case without disabling cpuidle; this requires firmware modification and platform vendor support.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

CVE-2026-45968 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy