Skip to main content

Linux Kernel CVE-2026-46284

| EUVDEUVD-2026-35149 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-06-08 Linux GHSA-wf92-393r-9p92
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.4 MEDIUM

Modifying kernel boot parameters realistically requires root or physical bootloader access (PR:H); no confidentiality or integrity impact applies.

3.1 AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 08, 2026 - 22:30 vuln.today
CVSS changed
Jul 08, 2026 - 21:37 NVD
5.5 (MEDIUM)
Patch available
Jun 08, 2026 - 18:01 EUVD
CVE Published
Jun 08, 2026 - 15:41 nvd
MEDIUM 5.5
CVE Published
Jun 08, 2026 - 15:41 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

mm/hugetlb: fix early boot crash on parameters without '=' separator

If hugepages, hugepagesz, or default_hugepagesz are specified on the kernel command line without the '=' separator, early parameter parsing passes NULL to hugetlb_add_param(), which dereferences it in strlen() and can crash the system during early boot.

Reject NULL values in hugetlb_add_param() and return -EINVAL instead.

AnalysisAI

NULL pointer dereference in the Linux kernel's HugeTLB early boot parameter parser causes a system crash before the OS fully initializes. Specifically, hugetlb_add_param() in mm/hugetlb dereferences a NULL pointer via strlen() when hugepages, hugepagesz, or default_hugepagesz kernel command line parameters are supplied without a '=' separator, producing a boot-time kernel panic. The impact is a complete denial of service - the system fails to boot until the malformed parameter is corrected. No public exploit or CISA KEV listing exists; EPSS stands at 0.02% (5th percentile), reflecting very low observed exploitation activity. Patches are available in Linux 6.18.27, 7.0.4, and 7.1-rc1, with Ubuntu distributing fixes via USN-8489-1 and USN-8488-1.

Technical ContextAI

The vulnerability is rooted in CWE-476 (NULL Pointer Dereference) within the Linux kernel memory management subsystem, specifically the HugeTLB facility (mm/hugetlb). HugeTLB manages large memory pages and is configurable via kernel command line parameters (hugepages=, hugepagesz=, default_hugepagesz=). During early boot, the kernel's parameter parsing infrastructure invokes registered handlers for each recognized parameter. If any of these three parameters appear on the command line without a '=' separator, the parser passes NULL as the value argument to hugetlb_add_param(). The function lacks a NULL guard and immediately passes this pointer to strlen(), which dereferences it unconditionally, triggering a NULL pointer dereference. The fix - adding an explicit NULL check returning -EINVAL - is minimal and targeted. Affected CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* spanning kernel commits from 5b47c02967ab770aa7661c8863a21b2fd59e35ff through multiple stable branches.

RemediationAI

Update to Linux kernel 6.18.27 or 7.0.4 (stable series) or 7.1-rc1 (mainline), which contain the NULL guard fix in hugetlb_add_param(). The upstream patches are available at https://git.kernel.org/stable/c/2774bcf714739cc6bb86f8812167bb9fbda70f6a, https://git.kernel.org/stable/c/357c6d084b6137ae640209c5bfd01180f985c015, and https://git.kernel.org/stable/c/c45b354911d01565156e38d7f6bc07edb51fc34c. Ubuntu users should apply packages from USN-8489-1 or USN-8488-1 (https://ubuntu.com/security/notices/USN-8489-1). As a configuration-level workaround prior to patching, audit all GRUB, PXE, and cloud instance bootloader configurations to ensure that any hugepages-related parameters are always specified with the '=' separator (e.g., hugepages=0 rather than bare hugepages); this eliminates the NULL-value code path without requiring a kernel update. This workaround is low-risk but requires systematic review of all boot configuration entry points and does not protect against future inadvertent omission of the separator.

Share

CVE-2026-46284 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy