Skip to main content

Linux Kernel CVE-2026-46016

| EUVDEUVD-2026-32397 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-v524-rc9g-rq8g
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local-only trigger (AV:L) on Xilinx-specific hardware; standard user sufficient (PR:L); kernel crash is the sole impact (A:H), with no confidentiality or integrity effect.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 16, 2026 - 15:59 vuln.today
CVSS changed
Jun 16, 2026 - 15:37 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

remoteproc: xlnx: Only access buffer information if IPI is buffered

In the receive callback check if message is NULL to prevent possibility of crash by NULL pointer dereferencing.

AnalysisAI

NULL pointer dereference in the Linux kernel's Xilinx remoteproc (xlnx) IPI receive callback enables a local low-privileged user to crash the kernel on Xilinx SoC-based systems. The receive callback unconditionally accesses buffer information without first validating whether the message pointer is NULL, which occurs when IPI is operating in non-buffered mode. No public exploit exists and no active exploitation is confirmed; with EPSS at 0.02% (5th percentile), real-world risk is very low and hardware-specific.

Technical ContextAI

The flaw resides in the Linux kernel remoteproc subsystem's Xilinx-specific driver (xlnx_r5_remoteproc), which manages Cortex-R5 Real-Time Processing Unit (RPU) firmware lifecycle on Xilinx/AMD SoCs such as Zynq UltraScale+ MPSoC and Versal. IPI (Inter-Processor Interrupt) is the low-latency communication channel between the Application Processing Unit (APU) and the RPU. When an IPI message is received, a callback is invoked to process the incoming data. The bug - classified as CWE-476 (NULL Pointer Dereference) - is that the callback dereferences the message pointer to access buffer information without a prior NULL check, which is reachable when the IPI channel is not buffered and delivers a NULL message. The affected CPE cpe:2.3:o:linux:linux_kernel:* spans multiple stable branches, but the driver is only compiled in on Xilinx-targeted kernels, sharply limiting the population of affected systems.

RemediationAI

The primary remediation is to upgrade to a patched Linux kernel version: 6.6.140, 6.12.86, 6.18.27, 7.0.4, or 7.1-rc1 or later. Stable fix commits are published at https://git.kernel.org/stable/c/06d0bed2552fd0dae27d374d4492a2b672e24eed, https://git.kernel.org/stable/c/38dd6ccfdfbbe865569a52fe1ba9fa1478f672e6, https://git.kernel.org/stable/c/5d1451cb2cf6f3d9884d76035a1460aa9bb4b053, https://git.kernel.org/stable/c/7ddbf21116770b7011f2bb0a6056b7604b24c497, and https://git.kernel.org/stable/c/8242579859a78c801bb626e9aa4823aca93e28e7. On systems where the Xilinx remoteproc functionality is not required, the xlnx_r5_remoteproc kernel module can be blacklisted (add blacklist xlnx_r5_remoteproc to /etc/modprobe.d/) or disabled at build time; this eliminates the attack surface entirely with no impact on non-Xilinx workloads. On production Xilinx SoC deployments where the RPU subsystem is in active use and immediate patching is not feasible, restrict local shell access to the minimum set of trusted users to reduce the likelihood of deliberate triggering.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

CVE-2026-46016 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy