Skip to main content

Linux Kernel EUVDEUVD-2026-39883

| CVE-2026-53278 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-06-26 Linux GHSA-hfvr-wfpf-26r6
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access required; low-privilege user can trigger teardown path; no C/I impact, only kernel crash (availability high).

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 08, 2026 - 04:18 vuln.today
CVSS changed
Jul 08, 2026 - 04:07 NVD
5.5 (MEDIUM)
Patch available
Jun 26, 2026 - 21:02 EUVD
CVE Published
Jun 26, 2026 - 19:40 nvd
MEDIUM 5.5
CVE Published
Jun 26, 2026 - 19:40 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

arm_mpam: Check whether the config array is allocated before destroying it

__destroy_component_cfg() is called to free the configuration array. It uses the embedded 'garbage' structure, which means the array has to be allocated.

If __destroy_component_cfg() is called from mpam_disable() before the configuration was ever allocated, then a NULL pointer is dereferenced.

Check for this case and return early if the configuration is not allocated.

__destroy_component_cfg() also frees the mbwu_state as this is allocated by __allocate_component_cfg(). As the mbwu_state is allocated after comp->cfg is set, and is also under mpam_list_lock, only the first pointer needs checking.

AnalysisAI

NULL pointer dereference in the Linux kernel arm_mpam subsystem allows a local low-privileged attacker to crash the kernel by triggering a specific cleanup code path before initialization completes. The flaw exists in __destroy_component_cfg(), which unconditionally dereferences the embedded 'garbage' structure to free the configuration array even when mpam_disable() is called before __allocate_component_cfg() has ever run. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local low-privilege access on ARM MPAM server
Delivery
Trigger mpam_disable() before config array initialization
Exploit
NULL pointer dereference in __destroy_component_cfg()
Execution
Kernel panic
Impact
System crash and denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires local access with low user privileges (PR:L per CVSS) on a host running an affected Linux kernel version on ARM hardware that implements the MPAM architectural extension - this subsystem is absent on x86, most embedded ARM, and non-MPAM ARM hardware. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) accurately reflects the limited scope: local access with low privileges is required, and the only impact is availability - a kernel panic resulting in system crash. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user with low privileges on an ARM server with MPAM-capable hardware could trigger a kernel panic by inducing an error condition or race during kernel initialization or shutdown that causes mpam_disable() to execute before __allocate_component_cfg() has run, resulting in a NULL pointer dereference in __destroy_component_cfg() and a system crash. No public proof-of-concept exploit code exists, and reproducing the timing condition likely requires familiarity with the arm_mpam subsystem internals.
Remediation Apply the upstream stable patches available at https://git.kernel.org/stable/c/8eb6dc76eeae5302c0d885906a0e469ef9630a59 and https://git.kernel.org/stable/c/6ccbb613b42a1f1ba7bfd547a148f644a902a25c. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39883 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy