MEDIUM 5.5

CVE-2026-46282: Linux Kernel admv1013 Driver Null Pointer Dereference DoS

A flaw in the Linux kernel's admv1013 frequency driver can cause the system to crash or become unresponsive. The vulnerability occurs when the driver fails to properly read a configuration setting from the device, but then tries to use that uninitialized data anyway, leading to a null pointer dereference. An unprivileged local user with access to the affected system could trigger this condition to cause a denial of service.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-476
Affected products
1 configuration(s)
Published / Modified
2026-06-08 / 2026-07-08

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: iio: frequency: admv1013: fix NULL pointer dereference on str When device_property_read_string() fails, str is left uninitialized but the code falls through to strcmp(str, ...), dereferencing a garbage pointer. Replace manual read/strcmp with device_property_match_property_string() and consolidate the SE mode enums into a single sequential enum, mapping to hardware register values via a switch consistent with other bitfields in the driver. Several cleanup patches have been applied to this driver recently so this will need a manual backport.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46282 is a null pointer dereference vulnerability in the Linux kernel's admv1013 integrated circuit frequency driver (drivers/iio/frequency/admv1013.c). The vulnerability arises when device_property_read_string() fails to retrieve a device property string, leaving the str variable uninitialized. The code then proceeds to call strcmp(str, ...) on the garbage pointer without checking the function's return status, resulting in undefined behavior and likely kernel panic. The fix consolidates scattered SE mode enum definitions into a single sequential enum and replaces the manual read/strcmp pattern with device_property_match_property_string(), which safely handles both the read operation and string matching in a single atomic call. The driver's recent cleanup history means this patch will require manual backport to older stable kernel branches.

Business impact

Systems running vulnerable Linux kernels with the admv1013 driver loaded may experience unexpected crashes or system hangs triggered by any process that can interact with the affected device. For organizations deploying industrial frequency converters, signal processors, or radio frequency hardware that depend on this driver, unplanned downtime could disrupt operations. The local-only attack vector limits blast radius to compromised or malicious user accounts on directly-accessible systems.

Affected systems

The vulnerability affects the Linux kernel across all versions prior to the fix. Specifically impacted are systems that include the admv1013 frequency converter driver, which is used primarily with Analog Devices ADMV1013 RF gain control and mixing circuits. This typically involves embedded systems, telecommunications equipment, and specialized RF signal processing hardware. Verify your kernel version and whether the admv1013 module is loaded or compiled in via 'lsmod | grep admv1013' or kernel configuration inspection.

Exploitability

Exploitability is straightforward for a local unprivileged user (or any process running with user privileges) on a system where the vulnerable code path can be reached. No special capabilities or complex techniques are required—the crash occurs naturally when the driver attempts to parse device properties, making it trivial to trigger via any mechanism that interacts with the admv1013 device. However, exploitation requires local access and the device must be present and active on the system.

Remediation

Apply the Linux kernel patch that replaces the unsafe manual read/strcmp pattern with device_property_match_property_string(). This requires patching the admv1013 driver source and recompiling the kernel module or full kernel image. Patches must be applied to all affected kernel branches; note that recent driver cleanup changes mean stable kernel backports will not be automatic and require manual integration effort by your distribution or kernel maintenance team.

Patch guidance

Monitor your Linux distribution's security advisories for kernel updates that address CVE-2026-46282. For Red Hat Enterprise Linux, Ubuntu, Debian, SUSE, and other distributions, patch availability and timelines vary; check your vendor's security portal. If you maintain custom kernels, obtain the upstream fix from kernel.org or the Linux kernel stable tree and apply it to your affected branches, verifying the patch aligns with any other recent admv1013 driver modifications in your baseline. Recompile the kernel and reboot after patching. For systems where rebooting is infeasible, evaluate whether the admv1013 driver is actually in use; if not loaded, the vulnerability cannot be exploited and can be deferred until a scheduled maintenance window.

Detection guidance

Monitor kernel logs (dmesg, systemd-journald) for NULL pointer dereference panics or BUG messages referencing admv1013 or device_property_read_string failures. If the system is crashing intermittently without obvious cause and you have admv1013 hardware present, this may be the culprit. Use 'grep -i admv1013 /var/log/kern.log' or equivalent on your log aggregation system. Intrusion detection systems can flag repeated device property access failures followed by crashes, though this is a kernel stability issue rather than a security breach indicator in the traditional sense.

Why prioritize this

While the CVSS score of 5.5 (Medium) reflects the local-only attack vector, the vulnerability warrants timely patching because it causes system unavailability with trivial exploitability. Organizations running admv1013-dependent hardware should prioritize this in their kernel patching cycle, especially in production environments where RF or frequency conversion subsystems are critical to operations. The manual backport requirement adds complexity and delays in stable kernel branches, so early awareness and proactive patch testing are recommended.

Risk score, explained

The CVSS 3.1 score of 5.5 is driven by high availability impact (the crash/denial of service), local attack vector, and low privileges required, but is tempered by the requirement for local access and user-level code execution. The vulnerability does not compromise confidentiality or integrity directly, only availability. In environments where local access is well-controlled, risk is correspondingly lower; in multi-tenant or shared-access systems, risk is higher. The score does not account for the niche nature of the admv1013 driver, which reduces real-world affected population compared to core kernel subsystems.

Frequently asked questions

Is my system vulnerable if I don't have admv1013 hardware installed?

No. The vulnerability only manifests if the admv1013 driver is actively loaded and the device is present. Check with 'lsmod | grep admv1013'. If it does not appear, or if you do not use Analog Devices ADMV1013 RF hardware, you are not vulnerable, though patching your kernel is still a good practice for overall security hygiene.

Can this be exploited remotely?

No. This is a local-only vulnerability requiring direct access to the system and the ability to trigger the driver code path. Network-based remote exploitation is not possible.

Will I experience a crash before or after applying the patch?

You may or may not experience a crash before applying the patch—it depends on whether your workload exercises the device property parsing code path. The vulnerability is latent and only triggered when the affected code is executed. Applying the patch eliminates the latent defect, preventing crashes from occurring at all.

Is this vulnerability tracked in CISA KEV or any active exploit databases?

No. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog and has no publicly known weaponized exploits. This is primarily a kernel stability and robustness issue rather than an active threat vector.

This analysis is provided for informational purposes based on public vulnerability data and is not a substitute for professional security assessment. Patch availability, timeline, and risk in your environment depend on your distribution, kernel version, and hardware configuration. Always test patches in a non-production environment before deployment. Coordinate with your system and hardware teams to confirm admv1013 driver presence and criticality. Consult official vendor advisories from your Linux distribution for authoritative guidance on patch releases and workarounds. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).