Skip to main content

Linux Kernel EUVDEUVD-2026-28722

| CVE-2026-43416 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-08 Linux GHSA-xw48-xgg9-9h3g
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 08, 2026 - 12:43 vuln.today
CVSS changed
May 26, 2026 - 14:52 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 16:18 EUVD
CVE Published
May 08, 2026 - 14:21 nvd
MEDIUM 5.5
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

powerpc, perf: Check that current->mm is alive before getting user callchain

It may happen that mm is already released, which leads to kernel panic. This adds the NULL check for current->mm, similarly to commit 20afc60f892d ("x86, perf: Check that current->mm is alive before getting user callchain").

I was getting this panic when running a profiling BPF program (profile.py from bcc-tools):

[26215.051935] Kernel attempted to read user page (588) - exploit attempt? (uid: 0) [26215.051950] BUG: Kernel NULL pointer dereference on read at 0x00000588 [26215.051952] Faulting instruction address: 0xc00000000020fac0 [26215.051957] Oops: Kernel access of bad area, sig: 11 [#1] [...] [26215.052049] Call Trace: [26215.052050] [c000000061da6d30] [c00000000020fc10] perf_callchain_user_64+0x2d0/0x490 (unreliable) [26215.052054] [c000000061da6dc0] [c00000000020f92c] perf_callchain_user+0x1c/0x30 [26215.052057] [c000000061da6de0] [c0000000005ab2a0] get_perf_callchain+0x100/0x360 [26215.052063] [c000000061da6e70] [c000000000573bc8] bpf_get_stackid+0x88/0xf0 [26215.052067] [c000000061da6ea0] [c008000000042258] bpf_prog_16d4ab9ab662f669_do_perf_event+0xf8/0x274 [...]

In addition, move storing the top-level stack entry to generic perf_callchain_user to make sure the top-evel entry is always captured, even if current->mm is NULL.

[Maddy: fixed message to avoid checkpatch format style error]

AnalysisAI

NULL pointer dereference in the Linux kernel's PowerPC perf subsystem crashes the kernel when user callchain collection is attempted after a thread's mm structure has been released. Local authenticated users with BPF execution privileges on PowerPC systems can trigger a kernel panic by running profiling tools such as bcc-tools' profile.py at the moment of thread exit, resulting in a full system denial of service. No public exploit has been identified at time of analysis and EPSS is 0.02% (4th percentile), reflecting low widespread exploitation probability; however, the bug is confirmed by kernel maintainers with a full panic trace and patches are available in stable kernel releases.

Technical ContextAI

The vulnerable code resides in perf_callchain_user_64() within the PowerPC (ppc64) architecture-specific perf callchain implementation. CWE-476 (NULL Pointer Dereference) is the exact root cause: the function accesses current->mm to walk the user-space call stack without first verifying it is non-NULL. In Linux, the mm_struct (process memory map descriptor) is released during thread/process exit and can legitimately be NULL when a perf sampling event fires in that narrow window. The exploit path runs through the BPF subsystem: bpf_get_stackid() calls get_perf_callchain(), which calls perf_callchain_user(), which dispatches to the architecture-specific perf_callchain_user_64(). An analogous NULL check had already been applied to the x86 architecture in commit 20afc60f892d; this CVE applies the same guard to the PowerPC path. Affected CPE is cpe:2.3:a:linux:linux per NVD, and the introduction commit is identified as 20002ded4d937ca87aca6253b874920a96a763c4.

RemediationAI

The primary fix is to upgrade to Linux kernel 6.18.19, 6.19.9, or 7.0, which add the NULL check for current->mm in the PowerPC perf callchain path. The three upstream stable commits are available at https://git.kernel.org/stable/c/98074e16742ae87fb82e234b419783c5ffc9baea, https://git.kernel.org/stable/c/7e5f60b8cfc02a2b23a40a5f5fd2fa81d010e737, and https://git.kernel.org/stable/c/e9bbfb4bfa86c6b5515b868d6982ac60505d7e39. Red Hat and SUSE users should monitor vendor channels for backported errata. As a compensating control prior to patching, setting kernel.unprivileged_bpf_disabled=1 (sysctl) restricts BPF execution to CAP_SYS_ADMIN, preventing unprivileged users from triggering this path - trade-off is that it disables legitimate observability tools for non-root users. Alternatively, restricting execution of bcc-tools and similar profiling utilities to trusted administrators via sudo policy or seccomp profiles reduces exposure without system-wide BPF restriction. Neither workaround addresses the underlying race for privileged users.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28722 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy