Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local-only trigger via low-privilege access to mailbox driver path; kernel OOPS impacts only availability with zero confidentiality or integrity exposure.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
mailbox: add sanity check for channel array
Fail gracefully if there is no channel array attached to the mailbox controller. Otherwise the later dereference will cause an OOPS which might not be seen because mailbox controllers might instantiate very early. Remove the comment explaining the obvious while here.
AnalysisAI
Kernel denial-of-service in the Linux mailbox subsystem triggers an OOPS when a mailbox controller is instantiated without an associated channel array and the code dereferences the missing pointer without a NULL guard. Local low-privileged users on affected systems - particularly embedded or SoC-based Linux deployments that rely on mailbox-based inter-processor communication - can cause a system crash. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local access (AV:L) with low-level privileges (PR:L, consistent with CVSS PR:L) on a Linux system that has a mailbox controller driver loaded and configured without an associated channel array - a condition specific to embedded SoC hardware using the kernel mailbox IPC framework. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 5.5 Medium (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) accurately characterizes this as a local, availability-only flaw with no confidentiality or integrity exposure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a low-privilege local account on an embedded Linux system (for example, an ARM SoC with an inter-processor mailbox to a modem or DSP firmware) triggers the mailbox driver initialization path under a configuration where the controller was registered without a channel array. The missing NULL check causes an immediate kernel OOPS, crashing the system and achieving denial of service. … |
| Remediation | Upgrade the Linux kernel to the appropriate patched stable release: 5.10.258, 5.15.209, 6.1.175, 6.6.141, 6.12.91, 6.18.33, 7.0.10, or 7.1, according to the branch in use. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39900
GHSA-rf57-3w24-v5g9