CVE-2026-46216: Linux Intel Arc GPU NULL Pointer Dereference (HDCP)
A flaw in the Linux kernel's GPU driver for Intel Arc graphics allows a local attacker with basic user privileges to crash the system. The vulnerability occurs when certain GPU components (specifically the media GT) are disabled through system configuration. Under these conditions, the driver attempts to access memory that hasn't been allocated, causing a kernel panic. An attacker with local access can trigger this crash, resulting in a denial of service. This is a localized memory safety issue that requires local access to exploit.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-476
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: drm/xe/hdcp: Add NULL check for media_gt in intel_hdcp_gsc_check_status() When media GT is disabled via configfs, there is no allocation for media_gt, which is kept as NULL. In such scenario, intel_hdcp_gsc_check_status() results in a kernel pagefault error due to >->uc.gsc being evaluated as an invalid memory address. Fix that by introducing a NULL check on media_gt and bailing out early if so. While at it, also drop the NULL check for gsc, since it can't be NULL if media_gt is not NULL. v2: - Get address for gsc only after checking that gt is not NULL. (Shuicheng) - Drop the NULL check for gsc. (Shuicheng) v3: - Add "Fixes" and "Cc: <stable...>" tags. (Matt) (cherry picked from commit bfaf87e84ca3ca3f6e275f9ae56da47a8b55ffd1)
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46216 is a NULL pointer dereference vulnerability in the DRM/Xe HDCP (High-bandwidth Digital Content Protection) subsystem of the Linux kernel. The intel_hdcp_gsc_check_status() function fails to validate whether the media_gt (Graphics Translation Table) pointer is NULL before dereferencing it to access gt->uc.gsc. When media GT is disabled via configfs, media_gt remains unallocated as NULL. Subsequent attempts to access >->uc.gsc result in dereferencing an invalid memory address, triggering a kernel page fault. The fix introduces an early NULL check on media_gt and bails out if the pointer is NULL, eliminating the dereference of uninitialized memory. The vulnerability is classified as CWE-476 (NULL Pointer Dereference).
Business impact
Organizations running Linux systems with Intel Arc graphics hardware face potential service disruption. A malicious or buggy local process can trigger a kernel panic, causing immediate system downtime. In enterprise environments utilizing Arc GPUs for compute workloads or AI acceleration, this denial-of-service condition could interrupt batch jobs, inference pipelines, or other critical GPU-dependent services. The impact is limited to availability; there is no data corruption or privilege escalation risk. Recovery requires system reboot.
Affected systems
The vulnerability affects Linux kernel installations with Intel Arc GPU support (DRM/Xe driver) where media GT can be disabled. This primarily impacts systems running recent kernels with Arc GPU drivers enabled and where administrators have configured media GT to be disabled via configfs. Older kernels lacking the vulnerable code path or systems without Intel Arc hardware are not affected. Verify your kernel version and GPU driver configuration against the kernel security advisories.
Exploitability
Exploitation requires local system access and standard user privileges—no root or special capabilities are needed. The attack is straightforward: a local user simply needs to trigger the intel_hdcp_gsc_check_status() function under conditions where media GT is disabled. An attacker might force this through GPU operations or HDCP-related calls. The vulnerability is not remotely exploitable; it does not appear on the CISA Known Exploited Vulnerabilities catalog as of the published date. Exploitation results in denial of service only, not code execution.
Remediation
Apply the kernel security patch that introduces the NULL check for media_gt in intel_hdcp_gsc_check_status(). This patch has been merged into the mainline Linux kernel and should be available in subsequent stable releases. Verify the specific patched kernel version from your Linux distribution's security advisory. Until patched, mitigation options are limited; consider disabling HDCP support in GPU driver configuration if operationally feasible, or restricting local user access to GPU-related operations. Systems where media GT is already enabled (the default) are at lower immediate risk.
Patch guidance
Obtain and install the updated Linux kernel package from your distribution (Red Hat, Ubuntu, SUSE, etc.). The patch is identified as cherry-pick commit bfaf87e84ca3ca3f6e275f9ae56da47a8b55ffd1 in the kernel commit history. Verify that the patched kernel version is explicitly listed in your vendor's security bulletin. After installation, reboot to activate the patched kernel. Test GPU workloads post-reboot to confirm normal operation, especially if Arc GPUs are used for production compute tasks.
Detection guidance
Monitor kernel logs for page fault errors referencing intel_hdcp_gsc_check_status() or the DRM/Xe driver. On affected systems, a crash would appear as a kernel panic with a page fault at an invalid memory address in the HDCP GSC code path. Proactive detection is difficult without exploitation; however, intrusion detection systems can flag unusual GPU driver errors or repeated kernel panics as potential exploitation attempts. In containerized or isolated environments, monitor for unexpected service restarts tied to GPU-related components.
Why prioritize this
Prioritize this patch for systems actively using Intel Arc GPUs in production environments. The availability impact is significant—a kernel panic halts all system operations—yet the requirement for local access and specific configuration (disabled media GT) limits the attack surface for many deployments. Organizations should patch on a standard security update cadence, but this is not an emergency-level vulnerability requiring out-of-band deployment. Systems where media GT is enabled by default have lower immediate risk.
Risk score, explained
The CVSS 3.1 score of 5.5 (MEDIUM) reflects a local attack vector requiring standard user privileges, with no mitigation for complexity or required user interaction, resulting in high availability impact but no confidentiality or integrity compromise. The score appropriately captures the denial-of-service nature while acknowledging the local-only attack requirement. Organizations with restricted local access policies may consider their practical risk lower than the base CVSS score suggests.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. CVE-2026-46216 requires local system access and standard user privileges. Remote attackers cannot trigger this vulnerability over the network. It is exclusively a local denial-of-service issue.
What is the difference between media GT enabled and disabled?
Media GT is a Graphics Translation Table component in Intel Arc GPUs. When enabled (default), it is allocated and initialized, preventing the NULL pointer dereference. When disabled via configfs for specialized configurations, the pointer remains NULL, triggering the vulnerability. Most standard deployments have media GT enabled and are at lower risk.
Does this affect non-Intel Arc GPU systems?
No. This vulnerability is specific to the DRM/Xe driver used with Intel Arc graphics. Systems with NVIDIA, AMD, or older Intel integrated graphics are not affected. Check your GPU vendor and driver configuration to confirm exposure.
What happens if the system is exploited?
Successful exploitation causes a kernel panic and immediate system crash. The affected system will be unavailable until manually rebooted. There is no data corruption, privilege escalation, or lateral movement risk. Recovery is a full system restart.
This analysis is based on publicly available vulnerability data and Linux kernel source information current as of the published date. Specific patch versions, affected kernel releases, and vendor advisory details should be verified against official security bulletins from your Linux distribution and Intel. CVSS scores represent base vulnerability severity and do not account for organization-specific risk factors, network segmentation, or compensating controls. Refer to NIST guidelines and vendor advisories for authoritative mitigation and patch information. This document does not constitute security advice; consult your organization's security team or a qualified security professional for deployment decisions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2026-46118MEDIUMLinux Kernel PAPR Hypervisor Pipe Null Pointer Dereference (POWER Systems)
- CVE-2026-46127MEDIUMLinux Kernel OCRDMA Null Pointer Dereference (DoS)
- CVE-2026-46134MEDIUMLinux Kernel cros_ec Mutex Initialization DoS Vulnerability
- CVE-2026-46188MEDIUMLinux Octeon EP VF NULL Pointer Dereference Denial of Service
- CVE-2026-46211MEDIUMLinux Kernel MSM DRM NULL Pointer and Silent Error in gem_info_get_metadata
- CVE-2026-46222MEDIUMLinux Rockchip RKCam Driver Null Pointer Dereference
- CVE-2026-46233MEDIUMLinux Kernel Batman-adv Null Pointer Dereference Denial of Service