Skip to main content

Linux Kernel CVE-2026-46282

| EUVDEUVD-2026-35147 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-06-08 Linux GHSA-qrv5-4j39-f7c6
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access with low privileges required to trigger driver initialization; impact is kernel crash only, with no confidentiality or integrity consequence.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 08, 2026 - 15:57 vuln.today
CVSS changed
Jul 08, 2026 - 15:22 NVD
5.5 (MEDIUM)
Patch available
Jun 08, 2026 - 18:01 EUVD
CVE Published
Jun 08, 2026 - 15:41 nvd
MEDIUM 5.5
CVE Published
Jun 08, 2026 - 15:41 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

iio: frequency: admv1013: fix NULL pointer dereference on str

When device_property_read_string() fails, str is left uninitialized but the code falls through to strcmp(str, ...), dereferencing a garbage pointer. Replace manual read/strcmp with device_property_match_property_string() and consolidate the SE mode enums into a single sequential enum, mapping to hardware register values via a switch consistent with other bitfields in the driver.

Several cleanup patches have been applied to this driver recently so this will need a manual backport.

AnalysisAI

NULL pointer dereference in the Linux kernel's admv1013 IIO frequency driver crashes the kernel when device_property_read_string() fails during device initialization, leaving a garbage pointer subsequently passed to strcmp(). A local low-privileged user on a system with ADMV1013 microwave upconverter hardware can reliably trigger a kernel panic, resulting in a complete denial of service. No public exploit exists and EPSS sits at 0.02% (5th percentile), but vendor-released patches are available across multiple stable kernel branches including 6.12.86 and 7.0.4.

Technical ContextAI

The vulnerable component is drivers/iio/frequency/admv1013.c within the Linux kernel's Industrial I/O (IIO) subsystem. The ADMV1013 is an Analog Devices microwave upconverter IC used in RF/microwave communication systems. CWE-476 (NULL Pointer Dereference) precisely describes the root cause: device_property_read_string() can fail without populating the str argument, leaving it as an uninitialized stack variable holding a garbage address. Execution then falls through to a strcmp(str, ...) call that unconditionally dereferences this garbage pointer, triggering a kernel oops or panic. The fix replaces the fragile read-then-compare pattern with the atomic device_property_match_property_string() helper, which handles failure internally, and consolidates the SE mode enum values into a sequential enum mapped to hardware register values via a switch statement consistent with other bitfields in the same driver. CPE confirms affected scope as cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*, introduced with commit da35a7b526d9b258a2cb8b7816f736a41b32176b in Linux 5.17.

RemediationAI

Upgrade to Linux kernel 6.12.86, 7.0.4, or 7.1-rc1 or later; the four upstream fix commits are available at git.kernel.org: 3a9d8ec2051c2d80158ed7bded5e158c42870037, 5e9f1bad26df3d3afb3cbbfa408b6d6e809708ac, 2dc8d26690bf4e7226409563221c37bc095c94ff, and aac0a51b16700b403a55b67ba495de021db78763. Ubuntu users should apply USN-8489-1 or USN-8488-1 per the advisories at https://ubuntu.com/security/notices/USN-8489-1 and https://ubuntu.com/security/notices/USN-8488-1. Backports to other stable branches require manual effort due to recent driver cleanup activity. As an immediate workaround where patching is not feasible, blacklist or unload the admv1013 kernel module by adding 'blacklist admv1013' to /etc/modprobe.d/blacklist.conf and running 'modprobe -r admv1013'; this eliminates the attack surface entirely but disables all ADMV1013 upconverter hardware functionality, which is an acceptable trade-off in environments where the hardware is not actively in use.

Share

CVE-2026-46282 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy