HIGH 7.3

CVE-2026-46250: MIPS Linux Kernel Boot Failure – LLVM Compiler Bug

CVE-2026-46250 is a critical initialization failure in the Linux kernel affecting MIPS-based systems. The vulnerability arises from a compiler bug in LLVM versions 18–21 where the compiler incorrectly restores the `$gp` (global pointer) register even when code intentionally modifies it as a global register variable. On MIPS, the kernel uses `$gp` to track the current thread info, and during boot the kernel relocates itself and updates `$gp` accordingly. When LLVM restores the old `$gp` value after this intentional modification, the register points to pre-relocation memory, causing the kernel to crash during the `init_idle` phase of scheduler initialization. This affects MIPS-based systems including Loongson and other MIPS processors, particularly those compiled with affected LLVM versions.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.3 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Weaknesses (CWE)
Affected products
1 configuration(s)
Published / Modified
2026-06-03 / 2026-06-17

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: MIPS: Work around LLVM bug when gp is used as global register variable On MIPS, __current_thread_info is defined as global register variable locating in $gp, and is simply assigned with new address during kernel relocation. This however is broken with LLVM, which always restores $gp if it finds $gp is clobbered in any form, including when intentionally through a global register variable. This is against GCC's documentation[1], which requires a callee-saved register used as global register variable not to be restored if it's clobbered. As a result, $gp will continue to point to the unrelocated kernel after the epilog of relocate_kernel(), leading to an early crash in init_idle, [ 0.000000] CPU 0 Unable to handle kernel paging request at virtual address 0000000000000000, epc == ffffffff81afada8, ra == ffffffff81afad90 [ 0.000000] Oops[#1]: [ 0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper Tainted: G W 6.19.0-rc5-00262-gd3eeb99bbc99-dirty #188 VOLUNTARY [ 0.000000] Tainted: [W]=WARN [ 0.000000] Hardware name: loongson,loongson64v-4core-virtio [ 0.000000] $ 0 : 0000000000000000 0000000000000000 0000000000000001 0000000000000000 [ 0.000000] $ 4 : ffffffff80b80ec0 ffffffff80b53d48 0000000000000000 00000000000f4240 [ 0.000000] $ 8 : 0000000000000100 ffffffff81d82f80 ffffffff81d82f80 0000000000000001 [ 0.000000] $12 : 0000000000000000 ffffffff81776f58 00000000000005da 0000000000000002 [ 0.000000] $16 : ffffffff80b80e40 0000000000000000 ffffffff80b81614 9800000005dfbe80 [ 0.000000] $20 : 00000000540000e0 ffffffff81980000 0000000000000000 ffffffff80f81c80 [ 0.000000] $24 : 0000000000000a26 ffffffff8114fb90 [ 0.000000] $28 : ffffffff80b50000 ffffffff80b53d40 0000000000000000 ffffffff81afad90 [ 0.000000] Hi : 0000000000000000 [ 0.000000] Lo : 0000000000000000 [ 0.000000] epc : ffffffff81afada8 init_idle+0x130/0x270 [ 0.000000] ra : ffffffff81afad90 init_idle+0x118/0x270 [ 0.000000] Status: 540000e2 KX SX UX KERNEL EXL [ 0.000000] Cause : 00000008 (ExcCode 02) [ 0.000000] BadVA : 0000000000000000 [ 0.000000] PrId : 00006305 (ICT Loongson-3) [ 0.000000] Process swapper (pid: 0, threadinfo=(____ptrval____), task=(____ptrval____), tls=0000000000000000) [ 0.000000] Stack : 9800000005dfbf00 ffffffff8178e950 0000000000000000 0000000000000000 [ 0.000000] 0000000000000000 ffffffff81970000 000000000000003f ffffffff810a6528 [ 0.000000] 0000000000000001 9800000005dfbe80 9800000005dfbf00 ffffffff81980000 [ 0.000000] ffffffff810a6450 ffffffff81afb6c0 0000000000000000 ffffffff810a2258 [ 0.000000] ffffffff81d82ec8 ffffffff8198d010 ffffffff81b67e80 ffffffff8197dd98 [ 0.000000] ffffffff81d81c80 ffffffff81930000 0000000000000040 0000000000000000 [ 0.000000] 0000000000000000 0000000000000000 0000000000000000 0000000000000000 [ 0.000000] 0000000000000000 000000000000009e ffffffff9fc01000 0000000000000000 [ 0.000000] 0000000000000000 0000000000000000 0000000000000000 0000000000000000 [ 0.000000] 0000000000000000 ffffffff81ae86dc ffffffff81b3c741 0000000000000002 [ 0.000000] ... [ 0.000000] Call Trace: [ 0.000000] [<ffffffff81afada8>] init_idle+0x130/0x270 [ 0.000000] [<ffffffff81afb6c0>] sched_init+0x5c8/0x6c0 [ 0.000000] [<ffffffff81ae86dc>] start_kernel+0x27c/0x7a8 This bug has been reported to LLVM[2] and affects version from (at least) 18 to 21. Let's work around this by using inline assembly to assign $gp before a fix is widely available.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability is rooted in a semantic disagreement between GCC and LLVM regarding global register variables. In the Linux kernel, `__current_thread_info` is defined as a global register variable assigned to `$gp` on MIPS. During kernel relocation in `relocate_kernel()`, the code intentionally clobbers `$gp` by assigning it a new address pointing to the relocated kernel. GCC respects this: per its documentation, a callee-saved register used as a global register variable should not be automatically restored if the code clobbers it. LLVM, however, does not follow this behavior and automatically restores `$gp` in the function epilog, regardless of whether it was intentionally modified. This causes `$gp` to retain its pre-relocation value. Subsequently, when `init_idle` executes and attempts to dereference memory through the stale `$gp`, a page fault occurs at address 0x0000000000000000, with the instruction pointer at `ffffffff81afada8` in the `init_idle+0x130/0x270` function. The crash manifests as 'CPU Unable to handle kernel paging request.'

Business impact

Systems relying on MIPS-based Linux deployments compiled with LLVM 18–21 will experience kernel panic during boot, rendering machines entirely non-functional. This affects data center environments, embedded systems, and specialized computing platforms using MIPS processors (such as Loongson systems). Organizations cannot boot affected systems, preventing normal operations, access to data, or service delivery. The impact is equivalent to a complete denial of service at the firmware/kernel level, with no workaround possible without recompilation or kernel updates.

Affected systems

The Linux kernel on MIPS architectures is affected when compiled with LLVM versions 18 through 21. This includes Loongson-based systems (such as Loongson 3 variants) and other MIPS processors. Systems compiled with GCC are unaffected. x86, ARM, and other non-MIPS architectures are not impacted. The vulnerability only manifests at boot time, so only systems undergoing initialization (new deployments, reboots, or updates) experience the failure.

Exploitability

This is a compiler-induced kernel bug rather than a traditional exploitable vulnerability. There is no remote attack vector; the issue triggers automatically during kernel boot on affected systems. An attacker cannot trigger this remotely or from userspace. However, anyone with the ability to rebuild or recompile the kernel using LLVM 18–21 on MIPS will inevitably produce broken binaries. The severity arises from its guaranteed triggering during initialization, not from attacker-controlled exploit conditions.

Remediation

Organizations have two primary paths: (1) Recompile the Linux kernel using GCC instead of LLVM, or (2) if LLVM must be used, wait for LLVM versions 22+ or a backported fix. The Linux kernel community has resolved this by using inline assembly to explicitly assign `$gp` in a way that prevents LLVM from restoring it, effectively working around the compiler bug. Systems already running stable kernels compiled with unaffected toolchains need no action.

Patch guidance

Apply Linux kernel updates that include the workaround commit addressing this issue. The fix uses inline assembly to reassign `$gp` in a manner that LLVM cannot optimize away or restore. Verify your kernel build against the vendor advisory to confirm the patch is included. For MIPS systems currently unable to boot, either: (a) recompile the kernel with an unaffected compiler version, or (b) boot with an older kernel build until patched versions are available. Users should check their distribution's kernel release notes to confirm the fix is integrated.

Detection guidance

Monitor kernel boot logs for the specific panic pattern: 'CPU Unable to handle kernel paging request at virtual address 0000000000000000, epc == ffffffff81afada8' occurring during `init_idle` or early scheduler initialization. Check the kernel build environment to identify whether LLVM 18–21 was used. Inspect kernel image metadata or build logs to determine compiler version. Systems that fail to boot immediately after a kernel update or compilation should be cross-checked against their toolchain version. Continuous integration pipelines should validate MIPS kernel builds using only GCC or patched LLVM versions.

Why prioritize this

Although this is not a traditional remote or privilege-escalation vulnerability, it deserves high priority because it causes complete system unavailability on affected deployments. Any MIPS-based system compiled with LLVM 18–21 cannot boot at all. For organizations running Loongson or other MIPS infrastructure, this is a critical operational blocker. The CVSS 7.3 (HIGH) score reflects the impact (availability and integrity loss) and the certainty of exploitation (guaranteed at boot), though it is not remotely exploitable. Priority should be elevated if your environment uses MIPS processors; it can be deprioritized if your infrastructure is exclusively x86 or ARM-based.

Risk score, explained

The CVSS 7.3 score reflects: Attack Vector Local (AV:L)—the vulnerability only manifests during local kernel initialization, not remotely; Attack Complexity Low (AC:L)—any boot attempt triggers it; Privileges Required None (PR:N)—no privilege escalation is needed; User Interaction None (UI:N)—it happens automatically; Scope Unchanged (S:U); Confidentiality Low (C:L) and Integrity Low (I:L)—corrupted memory state leaks some data; Availability High (A:H)—the system is completely unavailable. The high availability impact and guaranteed triggering justify the HIGH severity, despite the local-only attack surface.

Frequently asked questions

Does this affect my Linux system if I'm using x86 or ARM processors?

No. This vulnerability is specific to MIPS-based systems. The issue stems from how the MIPS kernel uses the `$gp` register for thread info tracking, which is not applicable to x86, ARM, or other architectures. If your infrastructure uses x86, ARM, or other non-MIPS processors, you are not affected.

I'm running MIPS Linux, but my system boots fine. Should I be concerned?

You are likely safe if your kernel was compiled with GCC or with LLVM version 17 or earlier, or version 22+. The vulnerability only manifests with LLVM versions 18–21. Check your kernel build information (available via `uname -a` or kernel image metadata) to confirm which compiler was used. If you are unsure, contact your distribution or system vendor.

What is the quickest fix if my MIPS system is already failing to boot?

The immediate workaround is to boot using an older, working kernel build or to recompile the kernel with GCC. Longer-term, update the Linux kernel to a patched version that includes the LLVM compiler bug workaround. Check with your Linux distribution for available kernel updates addressing CVE-2026-46250.

Why does LLVM behave differently from GCC on this issue?

LLVM and GCC have different interpretations of how global register variables should be handled in callee-saved registers. GCC follows its documentation and respects intentional clobbering of such registers; LLVM does not. This is a bug in LLVM, reported to the LLVM project, and is expected to be fixed in future versions. The Linux kernel community has worked around it in the meantime using inline assembly.

This analysis is based on publicly available vulnerability data as of June 2026. CVSS scores, vendor advisories, and patch availability are subject to change. Organizations should verify patch releases against vendor security bulletins and test in non-production environments before deployment. The vulnerability description and technical details are derived from Linux kernel community reports and LLVM bug tracking systems. No exploit code or proof-of-concept is provided. This document is for informational purposes and does not constitute security advice or a substitute for professional security assessment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).