CVE-2026-46269: Linux Kernel K230 Pinctrl NULL Pointer Dereference DoS
A NULL pointer dereference vulnerability exists in the Linux kernel's Canaan K230 pinctrl driver. During device initialization, the driver attempts to access a device structure through an uninitialized pointer, causing the kernel to crash. The issue occurs because the code tries to retrieve the device reference via a control structure that hasn't been set up yet. An attacker with local access could trigger this crash by loading the affected driver or probing the device, leading to a denial of service.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-476
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: pinctrl: canaan: k230: Fix NULL pointer dereference when parsing devicetree When probing the k230 pinctrl driver, the kernel triggers a NULL pointer dereference. The crash trace showed: [ 0.732084] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000068 [ 0.740737] ... [ 0.776296] epc : k230_pinctrl_probe+0x1be/0x4fc In k230_pinctrl_parse_functions(), we attempt to retrieve the device pointer via info->pctl_dev->dev, but info->pctl_dev is only initialized after k230_pinctrl_parse_dt() completes. At the time of DT parsing, info->pctl_dev is still NULL, leading to the invalid dereference of info->pctl_dev->dev. Use the already available device pointer from platform_device instead of accessing through uninitialized pctl_dev.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46269 is a NULL pointer dereference (CWE-476) in the k230_pinctrl_parse_functions() routine of the Linux kernel's Canaan K230 pinctrl driver. The vulnerability stems from a use-before-initialization flaw where info->pctl_dev is dereferenced during devicetree parsing, before it has been initialized by k230_pinctrl_probe(). Specifically, the code attempts to access info->pctl_dev->dev at a point when info->pctl_dev is still NULL. The fix involves using the already-available device pointer from the platform_device structure instead of relying on the uninitialized pctl_dev member. The kernel NULL pointer dereference at virtual address 0x68 is caught by the CPU's memory protection mechanism, triggering an oops and halting the affected subsystem.
Business impact
This vulnerability presents a local denial-of-service risk to systems using Canaan K230 hardware with the affected Linux kernel version. A local attacker or unprivileged user could crash the pinctrl subsystem during driver probe, potentially affecting system stability or preventing the device from initializing correctly. On devices where pinctrl controls critical I/O functionality, a crash could degrade system operations. However, exploitation requires local access and is not remotely exploitable, limiting the attack surface in typical cloud or managed infrastructure environments.
Affected systems
Systems running Linux kernels that include the Canaan K230 pinctrl driver are affected. This driver is primarily used in systems based on the Canaan K230 SoC. The vulnerability is triggered during the device probe phase, so any system attempting to initialize this driver could be vulnerable if running an unpatched kernel version. Verify your kernel version and whether the k230 pinctrl driver is compiled and loaded on your systems.
Exploitability
Exploitation requires local system access and the ability to trigger driver probe operations. The vulnerability is not remotely exploitable. An attacker with local user privileges could potentially trigger the crash by loading the driver module (if modular) or by probing the device through sysfs interfaces, depending on kernel configuration and security policies. The crash is immediate upon the code path execution, making it a straightforward denial-of-service vector for local adversaries.
Remediation
Apply the kernel patch that corrects the device pointer initialization order in k230_pinctrl_probe(). The fix replaces the uninitialized info->pctl_dev->dev reference with the readily available device pointer from the platform_device structure. Rebuild and deploy the patched kernel. For systems where immediate patching is not feasible, restrict module loading permissions and disable the k230 pinctrl driver if not required for operation.
Patch guidance
Locate and apply the fix commit to your kernel source tree. The patch modifies k230_pinctrl_parse_functions() to use platform_device->dev instead of info->pctl_dev->dev. Verify the fix against the Linux kernel's official repository or your distribution's security advisories for the exact patch version and backport availability for your kernel branch. Rebuild the kernel with the corrected code, test on a non-production system first, and deploy through your standard kernel update process.
Detection guidance
Monitor kernel logs for NULL pointer dereference panics in the k230_pinctrl_probe function, indicated by messages such as 'Unable to handle kernel NULL pointer dereference at virtual address' and 'epc : k230_pinctrl_probe+0x1be'. Check dmesg or system logs during system boot or driver load operations. Use kernel crash dump analysis tools to confirm the crash originates from the pinctrl probe routine. Verify kernel version and confirm whether the k230 pinctrl driver is enabled in the running kernel configuration.
Why prioritize this
While this vulnerability has a CVSS score of 5.5 (MEDIUM severity), it should be prioritized for systems actively using Canaan K230 hardware. The local-only attack vector and denial-of-service impact make it moderately severe. However, because it affects driver initialization and can prevent device functionality, organizations running K230-based embedded or IoT systems should treat it as higher priority. The fix is straightforward and low-risk, making rapid patching feasible.
Risk score, explained
The CVSS 3.1 score of 5.5 reflects a local attack vector (AV:L) with low complexity (AC:L), low privileges (PR:L), no user interaction (UI:N), and high availability impact (A:H). The vulnerability does not affect confidentiality or integrity, only availability. The local-only requirement and moderate complexity of triggering the crash keep the score in the MEDIUM range, but the crash occurs deterministically during driver probe, elevating practical risk for affected systems.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. CVE-2026-46269 requires local system access to trigger. The vulnerability is only reachable during driver probe operations, which occur at boot time or when explicitly loading the driver module as a local user with appropriate permissions.
Which systems are at risk?
Systems running Linux kernels with the Canaan K230 pinctrl driver enabled. This includes embedded systems and IoT devices based on the Canaan K230 SoC. Cloud and enterprise servers typically do not include this driver unless specifically configured for K230 hardware.
What is the impact of this crash?
The crash causes a kernel NULL pointer dereference that triggers a kernel oops, halting the pinctrl subsystem. Depending on system configuration and when the driver is loaded, this could prevent system boot or degrade I/O functionality on the affected SoC.
Is there a workaround if I cannot patch immediately?
Workarounds are limited. If the k230 pinctrl driver can be disabled in the kernel configuration without affecting system operation, recompile the kernel without it. Alternatively, restrict driver loading permissions to prevent local users from triggering the probe.
This analysis is provided for informational purposes. The vulnerability details, affected versions, and patch availability are based on the published CVE record and kernel repository as of the analysis date. Always verify patch versions and applicability against your specific kernel branch and distribution's security advisories before deployment. Test patches in a non-production environment. This document does not constitute legal or compliance advice. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2026-46118MEDIUMLinux Kernel PAPR Hypervisor Pipe Null Pointer Dereference (POWER Systems)
- CVE-2026-46127MEDIUMLinux Kernel OCRDMA Null Pointer Dereference (DoS)
- CVE-2026-46134MEDIUMLinux Kernel cros_ec Mutex Initialization DoS Vulnerability
- CVE-2026-46188MEDIUMLinux Octeon EP VF NULL Pointer Dereference Denial of Service
- CVE-2026-46211MEDIUMLinux Kernel MSM DRM NULL Pointer and Silent Error in gem_info_get_metadata
- CVE-2026-46216MEDIUMLinux Intel Arc GPU NULL Pointer Dereference (HDCP)
- CVE-2026-46222MEDIUMLinux Rockchip RKCam Driver Null Pointer Dereference