Skip to main content

Linux Kernel CVE-2026-46092

| EUVDEUVD-2026-32475 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-wxwq-c95x-686r
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

AV:L because physical PCIe hardware is required; PR:L for module-load capability; only kernel availability is impacted via deterministic panic.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 25, 2026 - 21:37 vuln.today
CVSS changed
Jun 25, 2026 - 21:22 NVD
5.5 (MEDIUM)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
MEDIUM 5.5
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

wifi: rtw88: check for PCI upstream bridge existence

pci_upstream_bridge() returns NULL if the device is on a root bus. If 8821CE is installed in the system with such a PCI topology, the probing routine will crash. This has probably been unnoticed as 8821CE is mostly supplied in laptops where there is a PCI-to-PCI bridge located upstream from the device. However the card might be installed on a system with different configuration.

Check if the bridge does exist for the specific workaround to be applied.

Found by Linux Verification Center (linuxtesting.org) with Svace static analysis tool.

AnalysisAI

Null pointer dereference in the Linux kernel rtw88 PCIe WiFi driver for the Realtek 8821CE adapter crashes the kernel during driver probing when the card is installed directly on a root PCI bus without an upstream PCI-to-PCI bridge. The defect was discovered via Svace static analysis by the Linux Verification Center - not through active exploitation - and no public exploit has been identified at time of analysis. EPSS of 0.02% (5th percentile) reflects the highly hardware-specific triggering condition, though the crash is deterministic when that condition is met.

Technical ContextAI

The affected component is the rtw88_pci kernel module, which drives Realtek 8821CE 802.11ac PCIe WiFi adapters, as identified by CPE cpe:2.3:o:linux:linux_kernel:*. The Linux PCI subsystem helper pci_upstream_bridge() is designed to return a pointer to the device's upstream bridge; however, per the kernel API contract, it returns NULL when the device is attached directly to the root PCI bus with no intervening PCI-to-PCI bridge. The rtw88 driver's probe routine passed this return value to a bridge-specific workaround path without first validating it for NULL, constituting a classic CWE-476 (NULL Pointer Dereference). The crash is triggered unconditionally during module load on affected topologies. The defect went undiscovered because 8821CE is predominantly bundled in laptops - where an upstream bridge is always present - and only manifests on desktops, mini-PCs, or embedded systems with flat PCI topologies. The kernel fix introduces a NULL guard before the workaround is applied, scoped to stable commits in the 5.15, 5.16, and 5.17 stable trees.

RemediationAI

Apply the upstream kernel stable-tree fix at commit eb101d2abdcccb514ca4fccd3b278dd8267374f6, available at https://git.kernel.org/stable/c/eb101d2abdcccb514ca4fccd3b278dd8267374f6. Systems running Linux 5.15.17+, 5.16.3+, or 5.17 with this commit incorporated are protected; confirm with your distribution's security channel as backport timing varies. As a compensating control where an immediate kernel upgrade is not feasible, blacklisting the rtw88_pci module by adding 'blacklist rtw88_pci' to /etc/modprobe.d/rtw88-blacklist.conf and regenerating the initramfs will prevent the crash at boot; the trade-off is that the 8821CE WiFi adapter will be non-functional until the patched kernel is applied. No other workaround eliminates the NULL dereference without disabling the driver. The VulDB advisory at https://vuldb.com/vuln/366310 may carry additional distribution-specific patch tracking.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

CVE-2026-46092 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy