Skip to main content

Linux Kernel CVE-2026-46216

| EUVDEUVD-2026-32843 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-542g-6jp4-66mq
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 10, 2026 - 19:28 vuln.today
CVSS changed
Jun 10, 2026 - 19:22 NVD
5.5 (MEDIUM)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
MEDIUM 5.5
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status()

When media GT is disabled via configfs, there is no allocation for media_gt, which is kept as NULL. In such scenario, intel_hdcp_gsc_check_status() results in a kernel pagefault error due to &gt->uc.gsc being evaluated as an invalid memory address.

Fix that by introducing a NULL check on media_gt and bailing out early if so.

While at it, also drop the NULL check for gsc, since it can't be NULL if media_gt is not NULL.

v2:

  • Get address for gsc only after checking that gt is not NULL.

(Shuicheng)

  • Drop the NULL check for gsc. (Shuicheng)

v3:

  • Add "Fixes" and "Cc: <stable...>" tags. (Matt)

(cherry picked from commit bfaf87e84ca3ca3f6e275f9ae56da47a8b55ffd1)

AnalysisAI

Null pointer dereference in the Linux kernel's Intel Xe DRM HDCP GSC subsystem allows a local, low-privileged user to crash the kernel when media GT is disabled via configfs. The function intel_hdcp_gsc_check_status() evaluates &gt->uc.gsc without first verifying that media_gt is non-NULL, producing a kernel pagefault on systems where media GT has been explicitly disabled through the configfs interface. Exploitation yields a denial of service (kernel panic) with no confidentiality or integrity impact; no public exploit identified at time of analysis, and EPSS probability is 0.02% (5th percentile), indicating very low exploitation likelihood in the wild.

Technical ContextAI

The defect lives in intel_hdcp_gsc_check_status() within the Linux kernel's DRM subsystem targeting Intel Xe discrete GPUs, specifically the HDCP (High-bandwidth Digital Content Protection) GSC (Graphics Security Controller) component. CWE-476 (NULL Pointer Dereference) is the root cause: the kernel's configfs interface permits administrators to disable the media GT (Graphics Tile) at runtime, which leaves its pointer initialized to NULL rather than a valid structure address. The function then evaluates &gt->uc.gsc against that NULL pointer as though it were a valid intel_gt structure, triggering an invalid memory access and kernel pagefault. The upstream fix introduces an early-exit NULL guard on media_gt before any dereference occurs, and eliminates a now-redundant downstream NULL check on gsc because gsc validity is guaranteed transitively by a non-NULL media_gt. CPE data (cpe:2.3:o:linux:linux_kernel:*) confirms this is a Linux kernel-scope issue without restriction to a particular architecture or platform beyond the Intel Xe hardware requirement.

RemediationAI

The primary remediation is to upgrade to Linux kernel 7.0.9 (stable branch) or Linux 7.1-rc3 (mainline), which incorporate the NULL guard fix. Patch commits are available at https://git.kernel.org/stable/c/60a1e131a811b68703da58fd805ab359b704ab03, https://git.kernel.org/stable/c/d8ab4b47edf4578dbfbe5e95817107a514fa34cc, https://git.kernel.org/stable/c/814326e86e929b865020ff44f4576dbdfe3f7ff3, and https://git.kernel.org/stable/c/cad210d2851f3a7d9573bdfc02aa61d9287bbe8c; the cherry-picked upstream source is commit bfaf87e84ca3ca3f6e275f9ae56da47a8b55ffd1. For unpatched systems, a targeted compensating control is to avoid disabling media GT via the configfs interface on any host where HDCP GSC status checks may be invoked - keeping media_gt allocated and non-NULL eliminates the triggering condition; trade-off is loss of that hardware configuration flexibility. On shared or multi-tenant systems, restricting unprivileged user access to the configfs HDCP GSC interface reduces the attack surface. Distribution-specific backport availability should be verified against each vendor's kernel advisory.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Affected

Share

CVE-2026-46216 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy