Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Modifying kernel boot parameters realistically requires root or physical bootloader access (PR:H); no confidentiality or integrity impact applies.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
mm/hugetlb: fix early boot crash on parameters without '=' separator
If hugepages, hugepagesz, or default_hugepagesz are specified on the kernel command line without the '=' separator, early parameter parsing passes NULL to hugetlb_add_param(), which dereferences it in strlen() and can crash the system during early boot.
Reject NULL values in hugetlb_add_param() and return -EINVAL instead.
AnalysisAI
NULL pointer dereference in the Linux kernel's HugeTLB early boot parameter parser causes a system crash before the OS fully initializes. Specifically, hugetlb_add_param() in mm/hugetlb dereferences a NULL pointer via strlen() when hugepages, hugepagesz, or default_hugepagesz kernel command line parameters are supplied without a '=' separator, producing a boot-time kernel panic. The impact is a complete denial of service - the system fails to boot until the malformed parameter is corrected. No public exploit or CISA KEV listing exists; EPSS stands at 0.02% (5th percentile), reflecting very low observed exploitation activity. Patches are available in Linux 6.18.27, 7.0.4, and 7.1-rc1, with Ubuntu distributing fixes via USN-8489-1 and USN-8488-1.
Technical ContextAI
The vulnerability is rooted in CWE-476 (NULL Pointer Dereference) within the Linux kernel memory management subsystem, specifically the HugeTLB facility (mm/hugetlb). HugeTLB manages large memory pages and is configurable via kernel command line parameters (hugepages=, hugepagesz=, default_hugepagesz=). During early boot, the kernel's parameter parsing infrastructure invokes registered handlers for each recognized parameter. If any of these three parameters appear on the command line without a '=' separator, the parser passes NULL as the value argument to hugetlb_add_param(). The function lacks a NULL guard and immediately passes this pointer to strlen(), which dereferences it unconditionally, triggering a NULL pointer dereference. The fix - adding an explicit NULL check returning -EINVAL - is minimal and targeted. Affected CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* spanning kernel commits from 5b47c02967ab770aa7661c8863a21b2fd59e35ff through multiple stable branches.
RemediationAI
Update to Linux kernel 6.18.27 or 7.0.4 (stable series) or 7.1-rc1 (mainline), which contain the NULL guard fix in hugetlb_add_param(). The upstream patches are available at https://git.kernel.org/stable/c/2774bcf714739cc6bb86f8812167bb9fbda70f6a, https://git.kernel.org/stable/c/357c6d084b6137ae640209c5bfd01180f985c015, and https://git.kernel.org/stable/c/c45b354911d01565156e38d7f6bc07edb51fc34c. Ubuntu users should apply packages from USN-8489-1 or USN-8488-1 (https://ubuntu.com/security/notices/USN-8489-1). As a configuration-level workaround prior to patching, audit all GRUB, PXE, and cloud instance bootloader configurations to ensure that any hugepages-related parameters are always specified with the '=' separator (e.g., hugepages=0 rather than bare hugepages); this eliminates the NULL-value code path without requiring a kernel update. This workaround is low-risk but requires systematic review of all boot configuration entry points and does not protect against future inadvertent omission of the separator.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35149
GHSA-wf92-393r-9p92