Skip to main content

Linux Kernel EUVDEUVD-2026-27706

| CVE-2026-43144 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-06 Linux GHSA-xmh6-3rx4-qrfp
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 08, 2026 - 11:57 vuln.today
CVSS changed
May 13, 2026 - 21:22 NVD
5.5 (MEDIUM)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:27 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

wifi: brcmfmac: Fix potential kernel oops when probe fails

When probe of the sdio brcmfmac device fails for some reasons (i.e. missing firmware), the sdiodev->bus is set to error instead of NULL, thus the cleanup later in brcmf_sdio_remove() tries to free resources via invalid bus pointer. This happens because sdiodev->bus is set 2 times: first in brcmf_sdio_probe() and second time in brcmf_sdiod_probe(). Fix this by chaning the brcmf_sdio_probe() function to return the error code and set sdio->bus only there.

AnalysisAI

Kernel oops (crash) in the Linux kernel brcmfmac SDIO Wi-Fi driver allows a local low-privileged user to cause a denial-of-service by triggering a probe failure on Broadcom SDIO Wi-Fi hardware. The root cause is a double-assignment of sdiodev->bus across brcmf_sdio_probe() and brcmf_sdiod_probe(), leaving an invalid (non-NULL, error-valued) pointer that brcmf_sdio_remove() later dereferences during cleanup. No public exploit has been identified, EPSS is at the 4th percentile, and this is not listed in CISA KEV; risk is primarily a kernel stability concern in specific hardware configurations.

Technical ContextAI

The vulnerability resides in the brcmfmac driver, which manages Broadcom 802.11 Wi-Fi chipsets communicating over the SDIO bus in the Linux kernel. CWE-476 (NULL Pointer Dereference) formally classifies this, though the precise defect is a stale/invalid-pointer dereference: when probe fails (e.g., missing firmware in /lib/firmware/brcm/), sdiodev->bus is overwritten with an error code value rather than being left or reset to NULL, because brcmf_sdio_probe() and brcmf_sdiod_probe() both write to it. The subsequent cleanup path in brcmf_sdio_remove() treats this non-NULL value as a valid pointer and attempts to free resources through it, triggering a kernel oops. The upstream fix restructures ownership so that sdiodev->bus is written exclusively by brcmf_sdio_probe() upon success, eliminating the double-write. The affected CPE is cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*, spanning kernel versions from the introducing commit 0ff0843310b74e565901d85f849fb308c3b1f220 through the fix commits in the 6.18, 6.19, and 7.0 stable branches.

RemediationAI

Upgrade to Linux kernel 6.18.16, 6.19.6, or 7.0, which contain the fix via upstream stable commits at https://git.kernel.org/stable/c/64ccb0aac41c5055780c2a58bbe2c1b362ceccde, https://git.kernel.org/stable/c/379aac7ee8240848aa35f605b06addb4617c863e, and https://git.kernel.org/stable/c/243307a0d1b0d01538e202c00454c28b21d4432e. Red Hat and SUSE users should await distribution-specific advisories with backported patches for their supported kernel versions. As a compensating control, systems that do not use Broadcom SDIO Wi-Fi hardware can blacklist the brcmfmac module (add 'blacklist brcmfmac' to /etc/modprobe.d/) with no functional trade-off on such hardware-absent systems. Ensuring firmware files are present and intact in /lib/firmware/brcm/ reduces the likelihood of probe failure triggering the bug, though this is not a complete mitigation since other probe failure causes exist.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27706 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy