MEDIUM 5.5

CVE-2026-46278: Linux PowerVR Kernel NULL Pointer DoS Vulnerability

A null pointer dereference vulnerability exists in the Linux kernel's Imagination PowerVR graphics driver. When a local user attempts to update ftrace debug settings through a debugfs interface, the driver passes incorrect data to the operation, causing the kernel to crash. This is a stability issue rather than a data breach or privilege escalation risk—an authenticated local user can trigger a denial of service condition.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-476
Affected products
2 configuration(s)
Published / Modified
2026-06-08 / 2026-07-08

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: drm/imagination: Fix segfault when updating ftrace mask Fix invalid data access by passing right data for debugfs entry. [ 171.549793] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [ 171.559248] Mem abort info: [ 171.562173] ESR = 0x0000000096000044 [ 171.566227] EC = 0x25: DABT (current EL), IL = 32 bits [ 171.573108] SET = 0, FnV = 0 [ 171.576448] EA = 0, S1PTW = 0 [ 171.579745] FSC = 0x04: level 0 translation fault [ 171.584760] Data abort info: [ 171.588012] ISV = 0, ISS = 0x00000044, ISS2 = 0x00000000 [ 171.593734] CM = 0, WnR = 1, TnD = 0, TagAccess = 0 [ 171.598962] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 171.604471] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000083837000 [ 171.611358] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 [ 171.618500] Internal error: Oops: 0000000096000044 [#1] SMP [ 171.624222] Modules linked in: powervr drm_shmem_helper drm_gpuvm... [ 171.656580] CPU: 0 UID: 0 PID: 549 Comm: bash Not tainted 7.0.0-rc2-g730b257ba723-dirty #13 PREEMPT [ 171.665773] Hardware name: BeagleBoard.org BeaglePlay (DT) [ 171.671296] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 171.678306] pc : pvr_fw_trace_mask_set+0x78/0x154 [powervr] [ 171.683959] lr : pvr_fw_trace_mask_set+0x4c/0x154 [powervr] [ 171.689593] sp : ffff8000835ebb90 [ 171.692929] x29: ffff8000835ebc00 x28: ffff000005c60f80 x27: 0000000000000000 [ 171.700130] x26: 0000000000000000 x25: ffff00000504af28 x24: 0000000000000000 [ 171.707324] x23: ffff00000504af50 x22: 0000000000000203 x21: 0000000000000000 [ 171.714518] x20: ffff000005c44a80 x19: ffff000005c457b8 x18: 0000000000000000 [ 171.721715] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaaae8887580 [ 171.728908] x14: 0000000000000000 x13: 0000000000000000 x12: ffff8000835ebc30 [ 171.736095] x11: ffff00000504af2a x10: ffff00008504af29 x9 : 0fffffffffffffff [ 171.743286] x8 : ffff8000835ebbf8 x7 : 0000000000000000 x6 : 000000000000002a [ 171.750479] x5 : ffff00000504af2e x4 : 0000000000000000 x3 : 0000000000000010 [ 171.757674] x2 : 0000000000000203 x1 : 0000000000000000 x0 : ffff8000835ebba0 [ 171.764871] Call trace: [ 171.767342] pvr_fw_trace_mask_set+0x78/0x154 [powervr] (P) [ 171.772984] simple_attr_write_xsigned.isra.0+0xe0/0x19c [ 171.778341] simple_attr_write+0x18/0x24 [ 171.782296] debugfs_attr_write+0x50/0x98 [ 171.786341] full_proxy_write+0x6c/0xa8 [ 171.790208] vfs_write+0xd4/0x350 [ 171.793561] ksys_write+0x70/0x108 [ 171.796995] __arm64_sys_write+0x1c/0x28 [ 171.800952] invoke_syscall+0x48/0x10c [ 171.804740] el0_svc_common.constprop.0+0x40/0xe0 [ 171.809487] do_el0_svc+0x1c/0x28 [ 171.812834] el0_svc+0x34/0x108 [ 171.816013] el0t_64_sync_handler+0xa0/0xe4 [ 171.820237] el0t_64_sync+0x198/0x19c [ 171.823939] Code: 32000262 b90ac293 1a931056 9134e293 (b9000036) [ 171.830073] ---[ end trace 0000000000000000 ]---

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46278 is a null pointer dereference in drm/imagination's pvr_fw_trace_mask_set() function. The vulnerability occurs when debugfs attribute write operations invoke this function with improperly initialized or missing context data. The kernel attempts to dereference a null pointer at address 0x0, resulting in a memory abort (ESR 0x96000044, DABT at current privilege level). The call trace shows the fault originates in simple_attr_write_xsigned() → debugfs_attr_write() → vfs_write(), indicating the issue stems from incorrect data structure setup in the debugfs entry definition rather than flawed pointer validation within the function itself.

Business impact

This vulnerability allows a local authenticated attacker to crash the kernel, disrupting GPU-accelerated workloads and system stability. For embedded devices and IoT platforms using PowerVR GPUs (BeaglePlay, similar ARM-based systems), an unpatched kernel becomes vulnerable to availability attacks. However, the impact is limited to local denial of service; there is no remote exploitation, privilege escalation, or data exfiltration risk. Systems in production environments should prioritize stability, making even medium-severity DoS issues worth addressing in maintenance windows.

Affected systems

The vulnerability affects Linux kernels with the Imagination PowerVR DRM driver enabled, particularly on ARM64 systems (evidenced by the crash on BeagleBoard.org BeaglePlay). Any Linux distribution or embedded system that includes drm/imagination support and exposes the PowerVR ftrace debug interface via debugfs is potentially vulnerable. Check your kernel configuration for CONFIG_DRM_POWERVR or equivalent module enablement.

Exploitability

Exploitability is low in terms of barrier to entry but medium in terms of impact scope. An attacker requires local system access and permissions to write to debugfs (typically root or a process with CAP_SYS_ADMIN). There is no special knowledge or complex setup required—writing to the debugfs interface is straightforward. No authentication bypass or privilege escalation is needed to trigger the crash; the vulnerability is exploited simply by writing to the exposed interface. Public exploit code is unlikely to be weaponized for this vector since it does not yield elevated access.

Remediation

Patch the Linux kernel to a fixed version that corrects the debugfs entry initialization. The fix involves ensuring the correct data pointer is passed to the handler function (pvr_fw_trace_mask_set) when the debugfs attribute is written. Users should verify the vendor advisory or kernel changelog for the specific fixed version; typical remediation involves updating to a newer kernel build or applying the patch directly if backporting.

Patch guidance

Apply the Linux kernel patch that resolves the data pointer issue in drm/imagination. The upstream fix ensures the debugfs entry is properly initialized with the correct context structure. Users running long-term support (LTS) kernels should check their distribution's security advisory for a backported patch. If using a custom or vendor kernel, coordinate with your kernel maintainer to obtain and test the fix. Verify the patch is included in any subsequent kernel update before deployment.

Detection guidance

Monitor kernel logs for the specific crash signature: NULL pointer dereference in pvr_fw_trace_mask_set at address 0x0, with Call Trace showing debugfs_attr_write in the stack. Set up alerting on messages matching 'Unable to handle kernel NULL pointer dereference' combined with 'powervr' module mentions. On systems with PowerVR enabled, restrict write access to /sys/kernel/debug/powervr/ and other debug interfaces to authorized users and audit any access attempts via auditd rules.

Why prioritize this

Despite the medium CVSS score (5.5), prioritization should be context-driven. High priority for: (1) embedded/IoT devices in production where stability is critical; (2) systems that cannot tolerate unplanned downtime. Standard priority for: (3) development and test environments. This is not an emergency; the vulnerability requires local access and does not lead to data compromise or privilege escalation. Schedule patching in your regular maintenance window unless the affected system is a critical production GPU compute node.

Risk score, explained

CVSS 3.1 assigns a score of 5.5 (MEDIUM) due to local attack vector (AV:L), low complexity (AC:L), low privilege requirement (PR:L), no user interaction (UI:N), and high availability impact (A:H). The score correctly reflects that exploitation is easy for local users but impact is limited to denial of service with no confidentiality or integrity violation. The score does not account for real-world factors such as the rarity of debugfs write operations or the specificity of PowerVR-equipped systems, which may make the practical risk lower in many environments.

Frequently asked questions

Can this be exploited remotely?

No. This vulnerability requires local system access and the ability to write to a debugfs interface, typically requiring root or CAP_SYS_ADMIN capability. Remote exploitation is not possible.

Will this vulnerability allow someone to steal data or gain root access?

No. The vulnerability causes a kernel crash (denial of service) but does not compromise data confidentiality or allow privilege escalation. An unprivileged attacker cannot exploit this; only local users with write access to debug interfaces are affected.

Which devices are at risk?

Linux systems with the Imagination PowerVR DRM driver enabled, particularly ARM64-based platforms such as BeagleBoard and similar embedded devices. Check if your kernel has CONFIG_DRM_POWERVR enabled and whether /sys/kernel/debug/powervr/ is accessible on your system.

What should I do if I cannot patch immediately?

Restrict write access to debugfs interfaces via file permissions and selinux/apparmor policies. Disable the PowerVR module if GPU support is not required. Monitor kernel logs for the crash signature. Schedule patching in your next maintenance window.

This analysis is based on the published CVE description and kernel crash logs. Patch version information and vendor-specific remediation details should be verified against the official Linux kernel security advisory and your distribution's security bulletins. Testing should be performed in a non-production environment before deploying patches. No exploit code or weaponizable proof-of-concept details are included in this guidance. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).