Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local low-privilege trigger causing kernel panic via error pointer dereference; no confidentiality or integrity impact, only system availability loss.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
media: intel/ipu6: fix error pointer dereference
In a error path isp->psys is confirmed to be an error pointer not NULL so this condition is true and the error pointer is dereferenced. So isp-psys should be set to NULL before going to out_ipu6_bus_del_devices.
Detected by Smatch: drivers/media/pci/intel/ipu6/ipu6.c:690 ipu6_pci_probe() error: 'isp->psys' dereferencing possible ERR_PTR()
[Sakari Ailus: Fix commit message.]
AnalysisAI
Error pointer dereference in the Linux kernel's Intel IPU6 media driver crashes the kernel during a failed probe, resulting in local denial of service. The flaw resides in ipu6_pci_probe() at drivers/media/pci/intel/ipu6/ipu6.c:690, where isp->psys holds an ERR_PTR value rather than NULL in a specific error path, causing it to be dereferenced during cleanup rather than handled safely. No public exploit exists and EPSS sits at 0.02% (5th percentile), reflecting negligible real-world exploitation interest.
Technical ContextAI
The vulnerable code is in the Intel IPU6 (Image Processing Unit generation 6) PCI driver within the Linux kernel media subsystem. In Linux kernel error-handling conventions, functions return ERR_PTR(-errno) - a pointer encoding a negative error code - rather than NULL to signal failure. The ipu6_pci_probe() function checks isp->psys during its error-path cleanup but does not account for the case where isp->psys is an error pointer instead of NULL, causing the conditional to evaluate as true and the error pointer to be dereferenced. CWE-476 (NULL Pointer Dereference) is cited, though the precise mechanism is an error pointer dereference - a closely related kernel-specific variant. The fix, identified via Smatch static analysis, is to explicitly assign isp->psys = NULL before jumping to the out_ipu6_bus_del_devices cleanup label, ensuring proper branch behavior. Affected CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:*.
RemediationAI
Apply the vendor-released kernel patches corresponding to your stable branch: upgrade to Linux 6.12.90, 6.18.32, 7.0.9, or 7.1-rc1 (or later) as appropriate. The upstream fix commits are published on the kernel.org stable tree at https://git.kernel.org/stable/c/fad134c446189e9bb48cea1a5ca426d2889a9c71, https://git.kernel.org/stable/c/f43e30646fc93799f3f48530d0ccbd52902c0541, https://git.kernel.org/stable/c/c352f90e093ae49902e47f41579e1aa41899ff64, and https://git.kernel.org/stable/c/8dd088b8b106f7b119664f965b691785998edcfb. If immediate patching is not feasible, unloading or blacklisting the ipu6 kernel module (echo 'blacklist ipu6' >> /etc/modprobe.d/ipu6-blacklist.conf) prevents the vulnerable probe path from executing entirely, at the cost of disabling Intel IPU6 camera and imaging functionality on affected hardware. Distribution-specific kernel packages (Debian, Ubuntu, RHEL, SUSE) should be monitored for inclusion of these stable-tree backports.
An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel Active Mana
Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable
The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and
Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable
Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable
Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable
Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable
Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable
Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable
Stack-based buffer overflow in the unique_service_name function in ssdp/ssdp_server.c in the SSDP parser in the portable
Local privilege escalation to SYSTEM in Intel Ethernet diagnostics driver (IQVW32.sys/IQVW64.sys versions before 1.3.1.0
Arbitrary code execution in Apple Safari, iOS/iPadOS, macOS Sequoia, and visionOS occurs when processing maliciously cra
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35123
GHSA-77rf-83g8-2rfh