MEDIUM 5.5

CVE-2026-46261: Linux Kernel wpcm-fiu NULL Pointer Dereference DoS Vulnerability

A vulnerability in the Linux kernel's SPI WPC flash interface unit driver can cause the system to crash due to a missing safety check. When the driver initializes, it attempts to access memory resources without first verifying they exist, potentially leading to a NULL pointer dereference that brings down the affected process or system. This is a localized denial-of-service issue requiring local system access to trigger.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-476
Affected products
1 configuration(s)
Published / Modified
2026-06-03 / 2026-06-17

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: spi: wpcm-fiu: Fix potential NULL pointer dereference in wpcm_fiu_probe() platform_get_resource_byname() can return NULL, which would cause a crash when passed the pointer to resource_size(). Move the fiu->memory_size assignment after the error check for devm_ioremap_resource() to prevent the potential NULL pointer dereference.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46261 is a NULL pointer dereference vulnerability (CWE-476) in the wpcm-fiu SPI flash interface unit driver within the Linux kernel. The wpcm_fiu_probe() function calls platform_get_resource_byname() to retrieve a memory resource, but fails to validate the returned pointer before passing it to resource_size() and subsequently dereferencing it in devm_ioremap_resource(). The remediation involves reordering the NULL check for devm_ioremap_resource() to occur before assignment of fiu->memory_size, ensuring no invalid pointer operations occur.

Business impact

Organizations relying on Linux systems with the WPCM flash interface unit hardware will experience kernel crashes or process termination when the driver attempts to probe, potentially affecting boot sequences or runtime stability. This is particularly relevant for embedded systems and IoT devices using this specific SPI hardware. The impact is limited to denial of service—no data integrity compromise or privilege escalation occurs. Recovery requires system restart or driver reload once patched.

Affected systems

The vulnerability affects Linux kernel systems with the wpcm-fiu SPI driver enabled and the corresponding WPC flash interface unit hardware present. This is primarily found in embedded and IoT deployments using Nuvoton WPC (Web Pack Controller) SoCs. Desktop and server Linux distributions without this hardware are unaffected.

Exploitability

Exploitation requires local system access (privilege level: low user/unprivileged) to trigger the probe function, typically during driver initialization at boot or manual module load. No network access, elevated privileges, or user interaction is necessary once local access is gained. The vulnerability cannot be triggered remotely. The crash is reliable and deterministic when conditions are met.

Remediation

Apply a kernel update that includes the fix reordering the NULL pointer check in wpcm_fiu_probe(). Verify the patch against your Linux distribution's vendor advisory for the specific kernel version you are running. As an interim mitigation, disable the wpcm-fiu driver if your system does not require WPC flash interface support.

Patch guidance

Consult your Linux distribution (kernel.org, Ubuntu, RHEL, Debian, etc.) for updated kernel packages addressing CVE-2026-46261. Verify the patch has been included in your kernel version by checking the git commit logs or release notes. For embedded systems integrating custom kernel builds, apply the upstream fix directly to your kernel source tree and recompile. Test the updated kernel in a non-production environment before deployment to confirm hardware probe success and stability.

Detection guidance

Monitor kernel logs for wpcm-fiu driver probe failures and NULL pointer dereference kernel panics. Use 'dmesg' or systemd journal to check for crash messages indicating the SPI driver failed during initialization. Verify driver loading with 'lsmod | grep wpcm' and confirm hardware presence via 'lspci' or device tree inspection on ARM systems. Security monitoring tools should flag kernel oops or panic events during system boot or driver reload attempts.

Why prioritize this

This vulnerability should be prioritized for systems actively using WPC flash interface hardware. Although the CVSS score is moderate (5.5) and no exploitation appears in the wild, the guaranteed denial-of-service impact and boot-time triggering make it a stability concern for affected deployments. Organizations with embedded/IoT infrastructure using Nuvoton SoCs should treat this as near-term (within 30 days). Broader Linux server and desktop environments are typically unaffected and can follow standard patch cycles.

Risk score, explained

The CVSS v3.1 score of 5.5 (MEDIUM) reflects a local attack vector requiring low privileges, no user interaction, and no network component. The impact is high for availability (denial of service) but none for confidentiality or integrity. The score appropriately captures that only systems with specific hardware and local access can be affected, preventing a higher severity rating despite the guaranteed DoS outcome.

Frequently asked questions

Will this vulnerability impact my Linux server if I don't have Nuvoton WPC hardware installed?

No. The vulnerability is specific to the wpcm-fiu SPI driver and only manifests when that driver probes for compatible hardware. If your server does not use Nuvoton WPC flash controllers, the code path is never executed and you are not at risk.

Can this vulnerability be exploited remotely?

No. Exploitation requires local system access to trigger driver initialization. Remote attackers cannot cause the NULL pointer dereference without first gaining local code execution on the target system.

What is the practical impact of this vulnerability?

The impact is denial of service. When triggered, the crash terminates the driver initialization and can prevent system boot or cause a kernel panic, depending on when the probe occurs. There is no data theft, system compromise, or privilege escalation.

How do I know if I need to patch this?

If your system uses Nuvoton WPC embedded flash storage (common in certain IoT and embedded devices), you should apply the patch. Check your hardware specifications or use 'lspci' and 'lsmod' to confirm the presence of wpcm-fiu hardware and driver.

This analysis is based on the published CVE description and does not reflect real-world exploitation status or patch availability timelines. Patch version numbers and release dates should be verified against official Linux distribution advisories and kernel.org. This vulnerability does not appear in the CISA KEV catalog as of the analysis date. Organizations should test all kernel updates in non-production environments before production deployment. SEC.co does not provide exploit code or detailed proof-of-concept instructions for vulnerabilities. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).