Skip to main content

Linux Kernel CVE-2026-46235

| EUVDEUVD-2026-32753 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-g99c-g7mv-2xpg
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.7 MEDIUM

AC:H reflects dual prerequisites - specific SAA7164 hardware presence and ioremap() failure under memory pressure - beyond standard low-complexity local exploitation.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
4.7 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.5 LOW
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 10, 2026 - 21:41 vuln.today
CVSS changed
Jun 10, 2026 - 21:22 NVD
5.5 (MEDIUM)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
MEDIUM 5.5
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

media: saa7164: add ioremap return checks and cleanups

Add checks for ioremap return values in saa7164_dev_setup(). If ioremap for BAR0 or BAR2 fails, release the already allocated PCI memory regions, remove the device from the global list, decrement the device count, and return -ENODEV.

This prevents potential null pointer dereferences and ensures proper cleanup on memory mapping failures.

AnalysisAI

Null pointer dereference in the Linux kernel's saa7164 media driver can crash the kernel when ioremap() fails during PCI device initialization. Systems with SAA7164-based PCIe capture cards (e.g., Phillips/NXP SAA7164) running unpatched kernel versions from 2.6.32 through stable branches prior to 6.6.140, 6.12.90, 6.18.32, and 7.0.9 are affected. A local, low-privileged attacker who can trigger driver initialization under memory pressure conditions may cause a kernel oops or panic, resulting in denial of service. No public exploit exists and EPSS is 0.02% (5th percentile), indicating negligible real-world exploitation probability at this time.

Technical ContextAI

The saa7164 driver in the Linux kernel manages PCIe-based media capture hardware using Phillips/NXP SAA7164 chips, commonly found in PCI capture cards. During device setup in saa7164_dev_setup(), the driver calls ioremap() to map PCI Base Address Registers (BAR0 and BAR2) into kernel virtual address space. ioremap() can legitimately return NULL when the kernel cannot allocate virtual address space, typically under memory pressure. The original code did not check these return values before dereferencing the mapped pointers, constituting a CWE-476 (NULL Pointer Dereference) condition. On dereference, this produces a kernel oops or panic. The fix adds explicit NULL checks after each ioremap call and implements proper cleanup: releasing PCI memory regions, removing the device from the global list, decrementing the device count, and returning -ENODEV. Affected CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*.

RemediationAI

Upgrade to a patched stable kernel release: 6.6.140 or later for the 6.6 LTS branch, 6.12.90 or later for the 6.12 LTS branch, 6.18.32 or later for the 6.18 branch, or 7.0.9 or later for the 7.0 branch; 7.1-rc1 and later mainline builds include the fix. Patch commits can be reviewed at https://git.kernel.org/stable/c/3ce8f3057c51bb0a66aa3fab0862be74e9f88684 and related stable commits linked in the NVD references. If an immediate kernel upgrade is not possible and the system does not use SAA7164 hardware, blacklist the saa7164 kernel module by adding 'blacklist saa7164' to /etc/modprobe.d/blacklist.conf and running dracut or update-initramfs to rebuild the initrd - note this prevents use of any SAA7164-based capture cards. On systems without such hardware, the driver will not load automatically and the attack surface is naturally absent. There are no known configuration-based workarounds that preserve driver functionality while eliminating the vulnerability.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

CVE-2026-46235 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy