MEDIUM 5.5

CVE-2026-46118

A flaw in the Linux kernel's PAPR hypervisor pipe driver can cause the kernel to crash when attempting to create a device handle. The issue stems from a recent code refactoring that changed how the driver manages memory allocation and cleanup. When the driver tries to reuse a data structure after it has been cleared, the kernel attempts to access invalid memory, leading to a null pointer dereference and system panic. An unprivileged local user with ioctl access can trigger this crash, resulting in a denial of service.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-476
Affected products
4 configuration(s)
Published / Modified
2026-05-28 / 2026-06-24

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: pseries/papr-hvpipe: Fix null ptr deref in papr_hvpipe_dev_create_handle() commit 6d3789d347a7 ("papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE()"), changed the create handle to FD_PREPARE(), but it caused kernel null-ptr-deref because after call to retain_and_null_ptr(src_info), src_info is re-used for adding it to the global list. Getting the following kernel panic in papr_hvpipe_dev_create_handle() when trying to add src_info to the list. Kernel attempted to write user page (0) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on write at 0x00000000 Faulting instruction address: 0xc0000000001b44a0 Oops: Kernel access of bad area, sig: 11 [#1] ... Call Trace: papr_hvpipe_dev_ioctl+0x1f4/0x48c (unreliable) sys_ioctl+0x528/0x1064 system_call_exception+0x128/0x360 system_call_vectored_common+0x15c/0x2ec Now, the error handling with FD_PREPARE's file cleanup and __free(kfree) auto cleanup is getting too convoluted. This is mainly because we need to ensure only 1 user get the srcID handle. To simplify this, we allocate prepare the src_info in the beginning and add it to the global list under a spinlock after checking that no duplicates exist. This simplify the error handling where if the FD_ADD fails, we can simply remove the src_info from the list and consume any pending msg in hvpipe to be cleared, after src_info became visible in the global list.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46118 is a null pointer dereference vulnerability in the pseries/papr-hvpipe Linux kernel driver, specifically in the papr_hvpipe_dev_create_handle() function. A prior commit (6d3789d347a7) converted the handle creation to use the FD_PREPARE() macro for file descriptor allocation. However, the refactoring introduced a use-after-clear bug: the src_info structure is nullified by retain_and_null_ptr(src_info), but the function then attempts to add this same structure to a global linked list, dereferencing a null pointer in the process. The kernel panic occurs when the function tries to perform list operations on the invalidated src_info pointer. The fix involves pre-allocating and list-insertion of src_info under spinlock protection before FD_ADD operations, with proper error unwinding to remove the structure from the list if subsequent operations fail.

Business impact

This vulnerability enables a denial-of-service attack affecting systems running the Linux kernel with the PAPR hypervisor pipe driver (primarily IBM POWER-based platforms). An unprivileged local user can crash the kernel by invoking the vulnerable ioctl, causing unplanned downtime and service interruption. For environments where multiple tenants or containers share a POWER-based Linux host, a single malicious or misconfigured user can destabilize the entire system. Recovery requires manual system reboot, impacting availability and potentially triggering SLA violations.

Affected systems

The vulnerability affects the Linux kernel across versions that include the papr-hvpipe driver, specifically those containing the problematic FD_PREPARE() refactoring. PAPR (PowerPC Architecture Platform Requirements) hypervisor pipe support is present primarily in Linux distributions and kernels running on IBM POWER9 and POWER10 processor-based systems. Standard x86-64, ARM, and other non-POWER architectures are not affected. Verify your kernel configuration for CONFIG_PPC_PAPR_HVPIPE to determine exposure.

Exploitability

The vulnerability requires local access and the ability to invoke ioctl system calls on papr-hvpipe devices. Attack complexity is low—the crash is reliably triggered by normal ioctl calls attempting to create a device handle. No special capabilities beyond standard user privileges are needed, though in many deployments access to the hvpipe device may be restricted by file permissions or cgroups. The vulnerability is not remotely exploitable and does not allow privilege escalation or data compromise; impact is limited to availability.

Remediation

Apply the upstream Linux kernel patch that restructures the handle creation logic. The fix reallocates src_info at the start of the function, adds it to the global list under spinlock protection before FD_ADD operations, and implements corrected error handling to remove src_info from the list if FD_ADD fails. For enterprises, obtain and deploy a stable kernel update from your distributor (Red Hat, Ubuntu, SUSE, etc.) that includes the fix. Interim mitigation is possible by restricting device access via file permissions or SELinux policies, though this may impact legitimate applications using hvpipe.

Patch guidance

Verify the patch against your Linux distribution's advisory. The upstream fix modifies the allocation and error-handling flow in papr_hvpipe_dev_create_handle(); it is not a simple line revert but a restructuring of initialization and cleanup logic. Update to a kernel version confirmed to contain the corrected implementation. Test in a staging environment with PAPR-dependent workloads (if applicable) to confirm functionality before production deployment. Check your vendor's kernel security update channels for CVE-2026-46118 references.

Detection guidance

Monitor kernel logs for papr_hvpipe-related oops messages, particularly those showing null pointer dereference at address 0x00000000 with Faulting Instruction Address near papr_hvpipe code regions. Intrusion Detection Systems can flag ioctl(2) calls targeting /dev/hvpipe* by unprivileged processes if device policies do not normally permit them. Audit-daemon rules can log failed or suspicious device interactions. However, on vulnerable unpatched systems, legitimate crash events are indistinguishable from exploit attempts without correlation with application or workload context. Prioritize patching over detection-based responses.

Why prioritize this

Patch this within your regular update cycle if you operate POWER-based systems running Linux with PAPR hvpipe support. While the CVSS score is moderate (5.5), the reliability of the crash, low barrier to exploitation, and potential for multi-tenant environments mean this should not be deferred indefinitely. However, it is not an emergency for x86-64-dominated infrastructure. Tier your response by platform: urgent for POWER deployment, standard-priority for mixed environments where POWER systems are present.

Risk score, explained

CVSS 3.1 score of 5.5 (Medium) reflects: attack vector local only (reduces score), low attack complexity (increases score), low privileges required (increases score), high availability impact—denial of service via kernel crash (primary driver), and no confidentiality or integrity impact. The score appropriately captures that this is a localized DoS without data exposure or privilege escalation. However, context matters: in large multi-tenant POWER clusters, the blast radius and remediation burden elevate practical risk beyond the numeric score.

Frequently asked questions

Does this affect my Linux servers?

Only if you run Linux on IBM POWER processors (POWER9, POWER10) and the kernel is compiled with CONFIG_PPC_PAPR_HVPIPE enabled. If you run exclusively x86-64, ARM, or other architectures, you are not affected. Check your kernel config or contact your vendor.

Can this be exploited remotely?

No. The vulnerability requires local system access and the ability to invoke ioctl system calls on papr-hvpipe device files. It cannot be triggered over the network.

What happens if I apply an interim workaround instead of patching?

You can restrict access to /dev/hvpipe* device files using traditional Unix permissions, SELinux, or AppArmor policies. This reduces attack surface but may break applications that legitimately require hvpipe access. Patching is the proper remedy.

Is there an in-kernel workaround or sysctl to mitigate this?

No. The bug is in the driver logic itself and cannot be worked around without patching the kernel. You must upgrade to a fixed version or restrict device access administratively.

This analysis is provided for informational purposes and is based on publicly available vulnerability data current as of the publication date. CVSS scores, patch versions, and vendor advisory details should be verified against official Linux kernel git repositories, your Linux distribution's security advisories, and upstream maintainers before deployment decisions. Exploitation scenarios and mitigation effectiveness may vary by specific kernel version, configuration, and environment. SEC.co and the author assume no liability for direct or indirect damages resulting from patch application, denial of service, or security decisions made based on this analysis. Test all patches in non-production environments first. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Affected vendors

Weaknesses (CWE)

Related vulnerabilities