MEDIUM 5.5

CVE-2026-46257: Linux SP804 Timer Kernel Panic on ARM32 – Patch & Detection

A flaw in the Linux kernel's SP804 timer driver can cause the system to crash when certain timing functions are called on ARM32 platforms. The issue arises when the SP804 timer is configured in a way that leaves a shared clock object uninitialized, but the kernel still tries to read from it. This vulnerability has been fixed by separating the delay timer functionality into its own dedicated clock instance, preventing the kernel from attempting to access uninitialized memory.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-908
Affected products
1 configuration(s)
Published / Modified
2026-06-03 / 2026-06-17

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: clocksource/drivers/timer-sp804: Fix an Oops when read_current_timer is called on ARM32 platforms where the SP804 is not registered as the sched_clock. On SP804, the delay timer shares the same clkevt instance with sched_clock. On some platforms, when sp804_clocksource_and_sched_clock_init is called with use_sched_clock not set to 1, sched_clkevt is not properly initialized. However, sp804_register_delay_timer is invoked unconditionally, and read_current_timer() subsequently calls sp804_read on an uninitialized sched_clkevt, leading to a kernel Oops when accessing sched_clkevt->value. Declare a dedicated clkevt instance exclusively for delay timer, instead of sharing the same clkevt with sched_clock. This ensures that read_current_timer continues to work correctly regardless of whether SP804 is selected as the sched_clock.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46257 is a null/uninitialized pointer dereference vulnerability in the Linux kernel's SP804 clocksource driver (clocksource/drivers/timer-sp804). The vulnerability occurs in the delay timer initialization path on ARM32 architectures. When sp804_clocksource_and_sched_clock_init is invoked with use_sched_clock set to 0, the sched_clkevt structure is not properly initialized. However, sp804_register_delay_timer is called unconditionally, and any subsequent invocation of read_current_timer() triggers a call to sp804_read, which attempts to dereference sched_clkevt->value on the uninitialized structure, resulting in a kernel Oops. The fix involves creating a dedicated clkevt instance for the delay timer rather than sharing the sched_clock clkevt, ensuring the delay timer path remains functional regardless of sched_clock configuration.

Business impact

This vulnerability primarily affects ARM32-based embedded and IoT systems running vulnerable Linux kernels. While the immediate impact is limited to kernel availability (causing a crash), any system relying on udelay or similar kernel delay functions could experience an unplanned reboot or hang. For production environments running ARM32 Linux—particularly in networking equipment, industrial controllers, or other embedded deployments—the vulnerability poses an availability risk that could disrupt operations.

Affected systems

Affected systems are limited to Linux kernel deployments on ARM32 architectures where the SP804 timer is present. This includes certain ARM Cortex-A based processors and legacy ARM platforms that use the Dual Timer Module (SP804). Notably, ARM64 systems and ARM32 systems not using SP804 are unaffected. The vulnerability does not impact x86, x86_64, or other non-ARM architectures. Systems where SP804 is configured as the sched_clock may not trigger the condition, making exploitation context-dependent.

Exploitability

Exploitation requires local access to the affected system and the ability to trigger code that invokes read_current_timer (typically through delay timer functions called by kernel drivers or user-space code via /dev/mem or similar interfaces). The vulnerability is not remotely exploitable. However, any local user with sufficient privileges to trigger delay timer operations could potentially cause a kernel panic. The attack surface is moderate for typical embedded systems, where local access is restricted, but higher in development environments or systems allowing unprivileged user access to timing functions.

Remediation

The vulnerability is resolved by patching the Linux kernel with commits that implement a dedicated delay timer clkevt instance. Organizations should update to a patched kernel version released after 2026-06-17. Verify the specific kernel version containing the fix against your Linux distribution's security advisory, as backport availability varies. Interim mitigation on ARM32 systems may involve disabling SP804 as the sched_clock source if alternative timing sources are available, though this should be validated for functionality before deployment.

Patch guidance

Apply the latest Linux kernel security update provided by your distribution (Red Hat, Debian, Ubuntu, Canonical, etc.). For systems building custom kernels, cherry-pick or backport commits that restructure the SP804 delay timer initialization to use a dedicated clkevt instance. Verify in your kernel's clocksource/drivers/timer-sp804.c that sched_clkevt and the delay timer clock instance are no longer shared. Test the patch on representative ARM32 hardware to confirm delay timer and sched_clock functionality before deploying to production.

Detection guidance

Monitor system logs for kernel Oops messages containing 'sp804_read' or references to sched_clkevt in the call stack on ARM32 systems. Use kernel crash dumps (kdump) to identify the fault address if a panic occurs. In development or test environments, enable kernel CONFIG_ARM_SP804_TIMER and observe whether udelay or similar functions trigger NULL pointer dereferences. Additionally, inspect your running kernel version against your distribution's security bulletins to confirm whether the patch has been applied.

Why prioritize this

Although rated MEDIUM severity (CVSS 5.5) due to local-only access and denial-of-service impact, this vulnerability should be prioritized for ARM32 deployments because it directly causes system unavailability. Any ARM32 Linux infrastructure—industrial controls, networking appliances, IoT devices—relying on SP804 timers should be patched promptly to prevent unexpected downtime. Organizations without ARM32 systems can deprioritize this fix.

Risk score, explained

The CVSS 3.1 score of 5.5 reflects a MEDIUM severity: the vulnerability requires local access (AV:L), is unconditionally present in affected configurations (AC:L), demands no special privileges beyond local user level (PR:L), is not user-interaction dependent (UI:N), does not escape sandbox/user context (S:U), and causes availability impact (A:H) but no confidentiality or integrity compromise (C:N, I:N). The score appropriately weights the denial-of-service nature against the local-only attack surface.

Frequently asked questions

Is this vulnerability exploitable remotely?

No. Exploitation requires local access to the system and the ability to trigger delay timer functions. Remote attackers cannot exploit this vulnerability.

Do ARM64 systems require patching?

No. This vulnerability is specific to ARM32 architectures using the SP804 timer. ARM64 systems and architectures other than ARM are unaffected.

What is the practical impact of this bug?

A kernel panic or hang triggered by delay timer operations. In embedded systems, this could cause unexpected reboots or loss of availability until the system is patched and restarted.

Can I work around this without patching the kernel?

Possible mitigations include disabling SP804 as the sched_clock source if alternative timing sources are available, or restricting local access to delay timer functions. However, a kernel patch is the definitive fix.

This analysis is provided for informational purposes by SEC.co. The vulnerability details, CVSS score, and affected products are derived from official Linux kernel advisories and CVE records published as of the modification date. Actual patch availability, version numbers, and distribution-specific remediation timelines may vary; consult your operating system vendor's security bulletin for definitive guidance. No exploit code is included herein. Organizations are advised to validate patches in non-production environments before deployment. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and disclaims liability for any damages resulting from its use or misuse. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).