MEDIUM 5.5

CVE-2026-46284: Linux Kernel Hugepages Parameter Parsing NULL Pointer Dereference

A defect in the Linux kernel's hugepages parameter parsing can cause the system to crash during early boot if certain kernel command-line parameters are malformed. Specifically, if hugepages, hugepagesz, or default_hugepagesz parameters are supplied without an equals sign (e.g., 'hugepages 1G' instead of 'hugepages=1G'), the kernel's early parameter handler passes a NULL pointer to the hugetlb_add_param() function, which then crashes when attempting to measure the string length. The fix validates input before processing and rejects malformed parameters gracefully.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-476
Affected products
1 configuration(s)
Published / Modified
2026-06-08 / 2026-07-08

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix early boot crash on parameters without '=' separator If hugepages, hugepagesz, or default_hugepagesz are specified on the kernel command line without the '=' separator, early parameter parsing passes NULL to hugetlb_add_param(), which dereferences it in strlen() and can crash the system during early boot. Reject NULL values in hugetlb_add_param() and return -EINVAL instead.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the hugetlb subsystem's parameter initialization code. During kernel boot, the early parameter parser tokenizes kernel command-line arguments. When a parameter lacks the '=' separator, the value pointer becomes NULL. The hugetlb_add_param() function was not checking for NULL before calling strlen() on this pointer, triggering a null pointer dereference and kernel panic. The resolution involves adding a NULL check at the function entry point and returning -EINVAL to signal invalid input, allowing boot to proceed or fail gracefully with a clear error rather than a crash. This is classified as a CWE-476 null pointer dereference vulnerability.

Business impact

This vulnerability can prevent systems from booting if an administrator inadvertently misformats hugepages configuration on the kernel command line—a realistic scenario in large-memory deployments where hugepages are heavily used. Affected deployments would experience unplanned downtime and potential data loss if in-flight operations are interrupted. The impact is limited to local attack surface and requires administrative access to configure boot parameters, but the boot failure itself is a denial-of-service condition affecting availability.

Affected systems

The Linux kernel across all architectures and distributions is affected. Systems that rely on hugepages for performance-critical workloads (databases, in-memory caches, HPC clusters) and those where kernel command-line configuration is managed via automation or configuration management tools are at higher risk of exposure to misconfigured parameters.

Exploitability

Exploitability requires local administrative or bootloader-level access to inject malformed kernel parameters. The flaw cannot be triggered remotely. While the severity is MEDIUM (CVSS 5.5), the practical risk depends on operational discipline and automation controls around kernel parameter management. Accidental misconfiguration is the most likely trigger rather than deliberate exploitation.

Remediation

Apply the Linux kernel patch that adds NULL value validation to hugetlb_add_param(). The fix is minimal and low-risk: a simple NULL check followed by -EINVAL return, preventing the dereference. Verify the patch version against the official Linux kernel repository or your distribution's advisory; most stable and long-term support kernels should issue updates. For systems using hugepages in production, prioritize testing in non-production environments before deploying to boot-critical infrastructure.

Patch guidance

Check the Linux kernel's official git repository and your distribution's security advisories for patches addressing this early hugepages parameter validation. Kernel version numbers vary by distribution; cross-reference against Red Hat, Canonical, SUSE, or other vendor advisories as applicable to your environment. Most distributions patch this through their regular kernel updates. Verify that patches address the specific hugetlb_add_param() NULL check. Test the patched kernel in a staging environment, particularly if hugepages are configured on your kernel command line.

Detection guidance

Review kernel command-line parameters across your infrastructure for malformed hugepages, hugepagesz, or default_hugepagesz entries (those missing '=' separators). Audit bootloader configurations and any infrastructure-as-code templates or automation that generates kernel parameters. Monitor system logs for early boot failures or kernel panics correlated with recent configuration changes. On patched systems, failed parameter parsing will log a clear error (EINVAL) rather than causing a silent crash.

Why prioritize this

Prioritize this vulnerability if you operate large-memory systems using hugepages and manage kernel parameters through automation or configuration management. The risk is elevated in environments with complex boot configurations, shared infrastructure templates, or where parameter configuration is not consistently validated before deployment. Systems with mature change control and parameter validation processes face lower risk. Boot-availability requirements in your environment should drive prioritization.

Risk score, explained

The CVSS 5.5 MEDIUM score reflects a local attack vector requiring privileged access (PR:L), no user interaction, and high impact on availability (A:H) with no confidentiality or integrity risk. The score appropriately captures the operational severity of a boot-time denial of service, balanced against the access requirement. Organizations should not let the MEDIUM label diminish attention to boot availability—this is a practical availability risk in production settings.

Frequently asked questions

Can this vulnerability be exploited remotely?

No. The vulnerability requires local administrative or bootloader-level access to modify kernel command-line parameters. Remote attackers cannot trigger this flaw.

Does this affect systems that do not use hugepages?

Only if hugepages parameters are erroneously configured on the kernel command line. Systems that do not use hugepages at all are not affected by this specific issue, though they should still apply kernel updates for other security and stability reasons.

Will a patched kernel prevent this misconfiguration or just handle it gracefully?

The patch prevents the crash by validating input and returning an error instead of dereferencing a NULL pointer. The misconfigured parameter will be rejected with an error message, allowing the kernel to continue booting. Users must still correct the command-line syntax to enable hugepages functionality.

What is the recommended testing approach for the patch?

Test the patched kernel in a non-production environment that mirrors your hugepages configuration, including any automated bootloader parameter generation. Verify normal hugepages functionality with correctly formatted parameters, and confirm that malformed parameters produce clear error messages without crashing.

This analysis is based on the vulnerability description and CVSS assessment provided as of the publication date. Specific patch versions, affected kernel versions, and distribution-specific guidance should be verified against official Linux kernel repositories and vendor security advisories. CVSS scores represent technical severity but do not account for organizational context, threat landscape, or compensating controls. Security teams should conduct their own risk assessment based on their infrastructure and operational requirements. This explainer does not constitute security advice and is provided for informational purposes only. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).