CVE-2026-46261: Linux Kernel wpcm-fiu NULL Pointer Dereference DoS Vulnerability
A vulnerability in the Linux kernel's SPI WPC flash interface unit driver can cause the system to crash due to a missing safety check. When the driver initializes, it attempts to access memory resources without first verifying they exist, potentially leading to a NULL pointer dereference that brings down the affected process or system. This is a localized denial-of-service issue requiring local system access to trigger.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-476
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: spi: wpcm-fiu: Fix potential NULL pointer dereference in wpcm_fiu_probe() platform_get_resource_byname() can return NULL, which would cause a crash when passed the pointer to resource_size(). Move the fiu->memory_size assignment after the error check for devm_ioremap_resource() to prevent the potential NULL pointer dereference.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46261 is a NULL pointer dereference vulnerability (CWE-476) in the wpcm-fiu SPI flash interface unit driver within the Linux kernel. The wpcm_fiu_probe() function calls platform_get_resource_byname() to retrieve a memory resource, but fails to validate the returned pointer before passing it to resource_size() and subsequently dereferencing it in devm_ioremap_resource(). The remediation involves reordering the NULL check for devm_ioremap_resource() to occur before assignment of fiu->memory_size, ensuring no invalid pointer operations occur.
Business impact
Organizations relying on Linux systems with the WPCM flash interface unit hardware will experience kernel crashes or process termination when the driver attempts to probe, potentially affecting boot sequences or runtime stability. This is particularly relevant for embedded systems and IoT devices using this specific SPI hardware. The impact is limited to denial of service—no data integrity compromise or privilege escalation occurs. Recovery requires system restart or driver reload once patched.
Affected systems
The vulnerability affects Linux kernel systems with the wpcm-fiu SPI driver enabled and the corresponding WPC flash interface unit hardware present. This is primarily found in embedded and IoT deployments using Nuvoton WPC (Web Pack Controller) SoCs. Desktop and server Linux distributions without this hardware are unaffected.
Exploitability
Exploitation requires local system access (privilege level: low user/unprivileged) to trigger the probe function, typically during driver initialization at boot or manual module load. No network access, elevated privileges, or user interaction is necessary once local access is gained. The vulnerability cannot be triggered remotely. The crash is reliable and deterministic when conditions are met.
Remediation
Apply a kernel update that includes the fix reordering the NULL pointer check in wpcm_fiu_probe(). Verify the patch against your Linux distribution's vendor advisory for the specific kernel version you are running. As an interim mitigation, disable the wpcm-fiu driver if your system does not require WPC flash interface support.
Patch guidance
Consult your Linux distribution (kernel.org, Ubuntu, RHEL, Debian, etc.) for updated kernel packages addressing CVE-2026-46261. Verify the patch has been included in your kernel version by checking the git commit logs or release notes. For embedded systems integrating custom kernel builds, apply the upstream fix directly to your kernel source tree and recompile. Test the updated kernel in a non-production environment before deployment to confirm hardware probe success and stability.
Detection guidance
Monitor kernel logs for wpcm-fiu driver probe failures and NULL pointer dereference kernel panics. Use 'dmesg' or systemd journal to check for crash messages indicating the SPI driver failed during initialization. Verify driver loading with 'lsmod | grep wpcm' and confirm hardware presence via 'lspci' or device tree inspection on ARM systems. Security monitoring tools should flag kernel oops or panic events during system boot or driver reload attempts.
Why prioritize this
This vulnerability should be prioritized for systems actively using WPC flash interface hardware. Although the CVSS score is moderate (5.5) and no exploitation appears in the wild, the guaranteed denial-of-service impact and boot-time triggering make it a stability concern for affected deployments. Organizations with embedded/IoT infrastructure using Nuvoton SoCs should treat this as near-term (within 30 days). Broader Linux server and desktop environments are typically unaffected and can follow standard patch cycles.
Risk score, explained
The CVSS v3.1 score of 5.5 (MEDIUM) reflects a local attack vector requiring low privileges, no user interaction, and no network component. The impact is high for availability (denial of service) but none for confidentiality or integrity. The score appropriately captures that only systems with specific hardware and local access can be affected, preventing a higher severity rating despite the guaranteed DoS outcome.
Frequently asked questions
Will this vulnerability impact my Linux server if I don't have Nuvoton WPC hardware installed?
No. The vulnerability is specific to the wpcm-fiu SPI driver and only manifests when that driver probes for compatible hardware. If your server does not use Nuvoton WPC flash controllers, the code path is never executed and you are not at risk.
Can this vulnerability be exploited remotely?
No. Exploitation requires local system access to trigger driver initialization. Remote attackers cannot cause the NULL pointer dereference without first gaining local code execution on the target system.
What is the practical impact of this vulnerability?
The impact is denial of service. When triggered, the crash terminates the driver initialization and can prevent system boot or cause a kernel panic, depending on when the probe occurs. There is no data theft, system compromise, or privilege escalation.
How do I know if I need to patch this?
If your system uses Nuvoton WPC embedded flash storage (common in certain IoT and embedded devices), you should apply the patch. Check your hardware specifications or use 'lspci' and 'lsmod' to confirm the presence of wpcm-fiu hardware and driver.
This analysis is based on the published CVE description and does not reflect real-world exploitation status or patch availability timelines. Patch version numbers and release dates should be verified against official Linux distribution advisories and kernel.org. This vulnerability does not appear in the CISA KEV catalog as of the analysis date. Organizations should test all kernel updates in non-production environments before production deployment. SEC.co does not provide exploit code or detailed proof-of-concept instructions for vulnerabilities. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2026-46118MEDIUMLinux Kernel PAPR Hypervisor Pipe Null Pointer Dereference (POWER Systems)
- CVE-2026-46127MEDIUMLinux Kernel OCRDMA Null Pointer Dereference (DoS)
- CVE-2026-46134MEDIUMLinux Kernel cros_ec Mutex Initialization DoS Vulnerability
- CVE-2026-46188MEDIUMLinux Octeon EP VF NULL Pointer Dereference Denial of Service
- CVE-2026-46211MEDIUMLinux Kernel MSM DRM NULL Pointer and Silent Error in gem_info_get_metadata
- CVE-2026-46216MEDIUMLinux Intel Arc GPU NULL Pointer Dereference (HDCP)
- CVE-2026-46222MEDIUMLinux Rockchip RKCam Driver Null Pointer Dereference