Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local access with low privileges required to trigger driver initialization; impact is kernel crash only, with no confidentiality or integrity consequence.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
iio: frequency: admv1013: fix NULL pointer dereference on str
When device_property_read_string() fails, str is left uninitialized but the code falls through to strcmp(str, ...), dereferencing a garbage pointer. Replace manual read/strcmp with device_property_match_property_string() and consolidate the SE mode enums into a single sequential enum, mapping to hardware register values via a switch consistent with other bitfields in the driver.
Several cleanup patches have been applied to this driver recently so this will need a manual backport.
AnalysisAI
NULL pointer dereference in the Linux kernel's admv1013 IIO frequency driver crashes the kernel when device_property_read_string() fails during device initialization, leaving a garbage pointer subsequently passed to strcmp(). A local low-privileged user on a system with ADMV1013 microwave upconverter hardware can reliably trigger a kernel panic, resulting in a complete denial of service. No public exploit exists and EPSS sits at 0.02% (5th percentile), but vendor-released patches are available across multiple stable kernel branches including 6.12.86 and 7.0.4.
Technical ContextAI
The vulnerable component is drivers/iio/frequency/admv1013.c within the Linux kernel's Industrial I/O (IIO) subsystem. The ADMV1013 is an Analog Devices microwave upconverter IC used in RF/microwave communication systems. CWE-476 (NULL Pointer Dereference) precisely describes the root cause: device_property_read_string() can fail without populating the str argument, leaving it as an uninitialized stack variable holding a garbage address. Execution then falls through to a strcmp(str, ...) call that unconditionally dereferences this garbage pointer, triggering a kernel oops or panic. The fix replaces the fragile read-then-compare pattern with the atomic device_property_match_property_string() helper, which handles failure internally, and consolidates the SE mode enum values into a sequential enum mapped to hardware register values via a switch statement consistent with other bitfields in the same driver. CPE confirms affected scope as cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*, introduced with commit da35a7b526d9b258a2cb8b7816f736a41b32176b in Linux 5.17.
RemediationAI
Upgrade to Linux kernel 6.12.86, 7.0.4, or 7.1-rc1 or later; the four upstream fix commits are available at git.kernel.org: 3a9d8ec2051c2d80158ed7bded5e158c42870037, 5e9f1bad26df3d3afb3cbbfa408b6d6e809708ac, 2dc8d26690bf4e7226409563221c37bc095c94ff, and aac0a51b16700b403a55b67ba495de021db78763. Ubuntu users should apply USN-8489-1 or USN-8488-1 per the advisories at https://ubuntu.com/security/notices/USN-8489-1 and https://ubuntu.com/security/notices/USN-8488-1. Backports to other stable branches require manual effort due to recent driver cleanup activity. As an immediate workaround where patching is not feasible, blacklist or unload the admv1013 kernel module by adding 'blacklist admv1013' to /etc/modprobe.d/blacklist.conf and running 'modprobe -r admv1013'; this eliminates the attack surface entirely but disables all ADMV1013 upconverter hardware functionality, which is an acceptable trade-off in environments where the hardware is not actively in use.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35147
GHSA-qrv5-4j39-f7c6