Skip to main content

Linux Kernel CVE-2026-46118

| EUVDEUVD-2026-32877 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-g7gx-q434-9vpg
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local ioctl trigger (AV:L), no complexity (AC:L), low-privilege user account needed (PR:L), no confidentiality or integrity impact, kernel crash only (A:H).

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 24, 2026 - 17:11 vuln.today
CVSS changed
Jun 24, 2026 - 17:07 NVD
5.5 (MEDIUM)
Patch available
May 28, 2026 - 12:31 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
MEDIUM 5.5
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

pseries/papr-hvpipe: Fix null ptr deref in papr_hvpipe_dev_create_handle()

commit 6d3789d347a7 ("papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE()"), changed the create handle to FD_PREPARE(), but it caused kernel null-ptr-deref because after call to retain_and_null_ptr(src_info), src_info is re-used for adding it to the global list.

Getting the following kernel panic in papr_hvpipe_dev_create_handle() when trying to add src_info to the list. Kernel attempted to write user page (0) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on write at 0x00000000 Faulting instruction address: 0xc0000000001b44a0 Oops: Kernel access of bad area, sig: 11 [#1] ... Call Trace: papr_hvpipe_dev_ioctl+0x1f4/0x48c (unreliable) sys_ioctl+0x528/0x1064 system_call_exception+0x128/0x360 system_call_vectored_common+0x15c/0x2ec

Now, the error handling with FD_PREPARE's file cleanup and __free(kfree) auto cleanup is getting too convoluted. This is mainly because we need to ensure only 1 user get the srcID handle. To simplify this, we allocate prepare the src_info in the beginning and add it to the global list under a spinlock after checking that no duplicates exist.

This simplify the error handling where if the FD_ADD fails, we can simply remove the src_info from the list and consume any pending msg in hvpipe to be cleared, after src_info became visible in the global list.

AnalysisAI

Null pointer dereference in the Linux kernel's pseries/papr-hvpipe subsystem crashes IBM POWER/pSeries hosts via a local ioctl call. The flaw was introduced by commit 6d3789d347a7, which refactored papr_hvpipe_dev_create_handle() to use FD_PREPARE() but left src_info accessible after retain_and_null_ptr() nulled it, causing a write to address 0x0 when the pointer is subsequently used in the global list insertion path. Exploitation requires local low-privileged access on pSeries hardware; no public exploit exists and EPSS is 0.02%, indicating negligible opportunistic exploitation risk.

Technical ContextAI

The papr-hvpipe driver (pseries subsystem) exposes an ioctl-driven interface for IBM POWER hypervisor pipe (hvpipe) source IDs on pSeries guests. The refactor to FD_PREPARE() introduced a use-after-null pattern: retain_and_null_ptr(src_info) zeroes the src_info pointer as part of the file-descriptor preparation cleanup, but downstream code in papr_hvpipe_dev_ioctl() then attempts to write that same nulled pointer into the global list, triggering a CWE-476 NULL Pointer Dereference at kernel address 0xc0000000001b44a0. The fix pre-allocates src_info before list insertion and performs spinlock-protected duplicate checking, simplifying cleanup so that FD_ADD failure merely removes the entry from the list. Affected CPEs are cpe:2.3:o:linux:linux_kernel:* (pSeries configurations), cpe:2.3:o:linux:linux_kernel:6.18.32, cpe:2.3:o:linux:linux_kernel:7.1:rc1, and cpe:2.3:o:linux:linux_kernel:7.1:rc2.

RemediationAI

The primary remediation is to upgrade to a patched kernel version: 6.18.33 for the 6.18 stable series, 7.0.7 for the 7.0 series, or 7.1-rc3 or later for mainline. Patches are available via the kernel stable tree at the git.kernel.org links in the references. Distribution vendors (Red Hat, SUSE, Ubuntu, etc.) tracking these stable branches should be consulted for distribution-specific kernel updates. As a compensating control where patching is not immediately feasible, restricting access to the papr-hvpipe device node (typically under /dev/) via discretionary access controls or udev rules to only trusted processes will prevent unprivileged exploitation; however, this does not eliminate the flaw if a trusted process is compromised. Disabling or blacklisting the papr-hvpipe kernel module (if loaded as a module) on systems that do not require POWER hypervisor pipe functionality is an effective workaround with no side effects for non-hvpipe workloads.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

CVE-2026-46118 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy