Skip to main content

Linux Kernel CVE-2026-46313

| EUVDEUVD-2026-35123 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-06-08 Linux GHSA-77rf-83g8-2rfh
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local low-privilege trigger causing kernel panic via error pointer dereference; no confidentiality or integrity impact, only system availability loss.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 08, 2026 - 15:49 vuln.today
CVSS changed
Jul 08, 2026 - 14:52 NVD
5.5 (MEDIUM)
Patch available
Jun 08, 2026 - 18:01 EUVD
CVE Published
Jun 08, 2026 - 15:50 nvd
MEDIUM 5.5
CVE Published
Jun 08, 2026 - 15:50 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

media: intel/ipu6: fix error pointer dereference

In a error path isp->psys is confirmed to be an error pointer not NULL so this condition is true and the error pointer is dereferenced. So isp-psys should be set to NULL before going to out_ipu6_bus_del_devices.

Detected by Smatch: drivers/media/pci/intel/ipu6/ipu6.c:690 ipu6_pci_probe() error: 'isp->psys' dereferencing possible ERR_PTR()

[Sakari Ailus: Fix commit message.]

AnalysisAI

Error pointer dereference in the Linux kernel's Intel IPU6 media driver crashes the kernel during a failed probe, resulting in local denial of service. The flaw resides in ipu6_pci_probe() at drivers/media/pci/intel/ipu6/ipu6.c:690, where isp->psys holds an ERR_PTR value rather than NULL in a specific error path, causing it to be dereferenced during cleanup rather than handled safely. No public exploit exists and EPSS sits at 0.02% (5th percentile), reflecting negligible real-world exploitation interest.

Technical ContextAI

The vulnerable code is in the Intel IPU6 (Image Processing Unit generation 6) PCI driver within the Linux kernel media subsystem. In Linux kernel error-handling conventions, functions return ERR_PTR(-errno) - a pointer encoding a negative error code - rather than NULL to signal failure. The ipu6_pci_probe() function checks isp->psys during its error-path cleanup but does not account for the case where isp->psys is an error pointer instead of NULL, causing the conditional to evaluate as true and the error pointer to be dereferenced. CWE-476 (NULL Pointer Dereference) is cited, though the precise mechanism is an error pointer dereference - a closely related kernel-specific variant. The fix, identified via Smatch static analysis, is to explicitly assign isp->psys = NULL before jumping to the out_ipu6_bus_del_devices cleanup label, ensuring proper branch behavior. Affected CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*.

RemediationAI

Apply the vendor-released kernel patches corresponding to your stable branch: upgrade to Linux 6.12.90, 6.18.32, 7.0.9, or 7.1-rc1 (or later) as appropriate. The upstream fix commits are published on the kernel.org stable tree at https://git.kernel.org/stable/c/fad134c446189e9bb48cea1a5ca426d2889a9c71, https://git.kernel.org/stable/c/f43e30646fc93799f3f48530d0ccbd52902c0541, https://git.kernel.org/stable/c/c352f90e093ae49902e47f41579e1aa41899ff64, and https://git.kernel.org/stable/c/8dd088b8b106f7b119664f965b691785998edcfb. If immediate patching is not feasible, unloading or blacklisting the ipu6 kernel module (echo 'blacklist ipu6' >> /etc/modprobe.d/ipu6-blacklist.conf) prevents the vulnerable probe path from executing entirely, at the cost of disabling Intel IPU6 camera and imaging functionality on affected hardware. Distribution-specific kernel packages (Debian, Ubuntu, RHEL, SUSE) should be monitored for inclusion of these stable-tree backports.

More in Intel

View all
CVE-2017-5689 CRITICAL POC
9.8 May 02

An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel Active Mana

CVE-2012-5958 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2012-5959 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5964 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5963 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5961 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5965 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5962 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2012-5960 CRITICAL POC
10.0 Jan 31

Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable

CVE-2015-2291 HIGH POC
7.8 Aug 09

Local privilege escalation to SYSTEM in Intel Ethernet diagnostics driver (IQVW32.sys/IQVW64.sys versions before 1.3.1.0

CVE-2024-44308 HIGH
8.8 Nov 20

Arbitrary code execution in Apple Safari, iOS/iPadOS, macOS Sequoia, and visionOS occurs when processing maliciously cra

Share

CVE-2026-46313 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy