Skip to main content

Linux Kernel CVE-2026-46296

| EUVDEUVD-2026-35162 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-06-08 Linux GHSA-vvjj-6m9v-rg8g
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local attack on embedded hardware requiring low-privilege sysfs access; no confidentiality or integrity impact, only kernel crash.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 08, 2026 - 19:17 vuln.today
CVSS changed
Jul 08, 2026 - 19:07 NVD
5.5 (MEDIUM)
Patch available
Jun 08, 2026 - 18:01 EUVD
CVE Published
Jun 08, 2026 - 15:46 nvd
MEDIUM 5.5
CVE Published
Jun 08, 2026 - 15:46 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

spi: s3c64xx: fix NULL-deref on driver unbind

A change moving DMA channel allocation from probe() back to s3c64xx_spi_prepare_transfer() failed to remove the corresponding deallocation from remove().

Drop the bogus DMA channel release from remove() to avoid triggering a NULL-pointer dereference on driver unbind.

This issue was flagged by Sashiko when reviewing a controller deregistration fix.

AnalysisAI

NULL pointer dereference in the Linux kernel's s3c64xx SPI driver triggers a kernel crash on driver unbind, allowing a local low-privileged attacker to cause a denial of service. The flaw affects systems equipped with Samsung S3C64xx-series SoC hardware running unpatched kernel versions from 6.0 onward. No public exploit code exists and EPSS probability sits at 0.02%, but the crash is deterministic once the driver unbind sequence is triggered on vulnerable hardware. No active exploitation (CISA KEV) has been identified.

Technical ContextAI

The vulnerability resides in the s3c64xx SPI controller driver (drivers/spi/spi-s3c64xx.c), which targets Samsung's S3C64xx and early Exynos SoC family. A prior refactoring commit (f52b03c707444c5a3d1a0b9c5724f93ddc3c588e) moved DMA channel allocation from the driver's probe() function into s3c64xx_spi_prepare_transfer(), deferring it until a transfer is actually initiated. However, the corresponding DMA channel release call was not removed from remove(). When the driver is unbound without ever initiating a transfer, the DMA channel pointer is still NULL, and the remove() path dereferences it, triggering CWE-476 (NULL Pointer Dereference). CPE data confirms the affected component as cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* across all kernel versions containing the offending commit, with fixes landing in stable branches 6.6.140, 6.12.88, 6.18.30, 7.0.7, and 7.1-rc1.

RemediationAI

The primary fix is to update to a patched Linux kernel version: 6.6.140 or later for the 6.6 stable series, 6.12.88 or later for the 6.12 series, 6.18.30 or later for the 6.18 series, or 7.0.7 or later for the 7.0 series. The fix removes the erroneous DMA channel deallocation from remove(), and is available in the upstream stable trees at the git.kernel.org references provided. Distribution kernels (Debian, Ubuntu, RHEL, etc.) will incorporate these fixes through their standard stable update channels. For systems where immediate kernel upgrade is not feasible, a practical workaround is to prevent driver unbind of the s3c64xx SPI controller by restricting access to sysfs bind/unbind interfaces (e.g., via udev rules or filesystem permissions on /sys/bus/platform/drivers/s3c64xx-spi/). Disabling module unloading (sysctl kernel.modules_disabled=1) also eliminates the unbind path but has broad side effects on system manageability. Neither workaround is recommended over patching.

Share

CVE-2026-46296 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy