CVE-2026-46310: Linux Renesas VSP1 NULL Pointer Dereference on Module Unload
A flaw in the Linux kernel's Renesas VSP1 media driver causes a system crash when the module is unloaded on certain hardware generations. The bug stems from cleanup code calling the wrong function variant, leaving a dangling pointer that triggers a crash. This affects local users with module unload privileges and requires a kernel patch to resolve.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-476
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-07-08
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: media: renesas: vsp1: Fix NULL pointer deref on module unload When unloading the module on gen 4, we hit a NULL pointer dereference. This is caused by the cleanup code calling vsp1_drm_cleanup() where it should be calling vsp1_vspx_cleanup(). Fix this by checking the IP version and calling the drm or vspx function accordingly, the same way as the init code does.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46310 is a NULL pointer dereference in the Renesas VSP1 (Video Signal Processor) driver within the Linux kernel media subsystem. During module unload on generation 4 hardware, the cleanup routine incorrectly invokes vsp1_drm_cleanup() instead of the appropriate vsp1_vspx_cleanup() function. The root cause is a mismatch between initialization and cleanup logic: the init code properly checks IP version and calls the correct function, but the unload path does not. This inconsistency leaves a NULL or invalid pointer in memory, which is dereferenced during cleanup, causing a kernel panic. The vulnerability is classified as CWE-476 (NULL Pointer Dereference).
Business impact
This vulnerability primarily affects system availability and uptime. Affected systems will experience kernel crashes when unloading the VSP1 driver module, disrupting video processing workloads and requiring manual intervention to restore service. For organizations using Renesas-based SoCs with VSP1 hardware—particularly in automotive, embedded systems, or specialized video processing roles—unplanned downtime can impact critical operations. The local-only attack vector limits exposure to users with direct system access, reducing the blast radius compared to remote vulnerabilities.
Affected systems
The vulnerability affects the Linux kernel with specific impact on systems using Renesas VSP1 hardware, particularly generation 4 variants. Any distribution or embedded Linux system shipping the vulnerable kernel code and supporting VSP1 module unload is affected. This includes automotive platforms, embedded media servers, and specialized video processing devices built on Renesas SoCs. The exact kernel versions containing this flaw should be verified against vendor release notes and the Linux kernel upstream repository.
Exploitability
Exploitation requires local system access and the ability to unload kernel modules, typically restricted to privileged users (root or those with CAP_SYS_MODULE capability). The vulnerability is triggered passively during normal module cleanup—no additional steps or user interaction are needed once unload is initiated. Accidental triggering is more likely than deliberate exploitation, as any legitimate module unload sequence will crash the kernel. The CVSS vector (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) reflects local access and high availability impact with no complexity required.
Remediation
Remediation requires a kernel update that aligns the module unload cleanup path with the initialization logic. The fix involves adding an IP version check in the cleanup code to conditionally call either vsp1_drm_cleanup() or vsp1_vspx_cleanup(), mirroring the approach used during module initialization. This ensures the correct cleanup function is invoked for each hardware generation, preventing the NULL pointer dereference. Users should check their Linux distribution's kernel security advisories for patched versions.
Patch guidance
Obtain and install a kernel update from your Linux distribution that includes the fix for CVE-2026-46310. For upstream Linux kernel users, verify that your kernel version includes the commit resolving this issue by checking the Linux kernel mailing list or upstream repository. Kernel rebuild and reboot are required to apply the patch. Organizations should validate patch deployment in a controlled environment before rolling out to production systems, particularly where VSP1 module unload events are frequent. Consult your vendor's security advisory for specific patched kernel versions and deployment timelines.
Detection guidance
Monitor system logs and kernel panic dumps for crashes occurring during VSP1 module unload operations. Kernel messages will typically show a NULL pointer dereference in vsp1-related code paths. Implement automated log aggregation and alerting on kernel oops or panic messages mentioning 'vsp1' or 'renesas'. On systems where VSP1 modules are regularly loaded and unloaded, enable kernel crash reporting (kdump or similar) to capture detailed state. Security information and event management (SIEM) systems can be configured to flag unexpected kernel crashes as availability anomalies.
Why prioritize this
While this vulnerability carries a MEDIUM CVSS score (5.5), it merits prioritization for systems actively using Renesas VSP1 hardware because availability impact is severe and predictable. The vulnerability is not actively exploited in the wild (KEV status: false) and requires local access, reducing urgency for internet-facing systems. However, embedded and specialized systems dependent on VSP1 for video processing should prioritize patching to prevent operational disruptions. For general-purpose Linux servers without VSP1 hardware, this is a lower-priority patch.
Risk score, explained
The CVSS 3.1 score of 5.5 (MEDIUM) reflects a local attack vector (AV:L) with low complexity (AC:L), requiring low privilege (PR:L), no user interaction (UI:N), and scoped impact limited to the affected system (S:U). The vulnerability has no confidentiality or integrity impact (C:N/I:N) but does cause high availability impact (A:H) through kernel crash. The score appropriately captures the severity for local users while acknowledging the restricted attack surface. However, for Renesas VSP1-dependent systems, the practical impact on business continuity may be higher than the numerical score suggests.
Frequently asked questions
Will this vulnerability affect my Linux system if I don't use Renesas VSP1 hardware?
No, if your system does not have Renesas VSP1 hardware or does not load the VSP1 kernel module, you are not affected by this vulnerability. Confirm by checking your kernel configuration and hardware platform. If the VSP1 module is not present or enabled, the vulnerability cannot be triggered.
Can this vulnerability be exploited remotely or by unprivileged users?
No, this vulnerability requires local system access and module unload privileges (typically requiring root or CAP_SYS_MODULE capability). It cannot be exploited remotely over a network and is not accessible to unprivileged users. Remote attackers cannot trigger this flaw.
What happens if this vulnerability is not patched?
If left unpatched, any legitimate unload of the VSP1 kernel module will trigger a kernel panic and crash the system. This will cause service interruption until the system is rebooted. Repeated unload-crash cycles can disrupt video processing services and complicate maintenance operations.
Is there a workaround if I cannot patch immediately?
A partial mitigation is to avoid unloading the VSP1 module on affected systems by keeping it loaded for the system's operational lifetime. However, this limits flexibility and is not a true fix. Patching is the only reliable remediation and should be scheduled at the earliest practical opportunity.
This analysis is based on publicly available vulnerability data as of July 2026. CVSS scores, affected versions, and KEV status are derived from authoritative sources; verify against vendor advisories for your specific environment. This analysis does not constitute professional security advice. Organizations should conduct their own risk assessment based on their hardware inventory, kernel versions, and operational requirements. For attribution and detailed technical information, consult the Linux kernel upstream repository and your distribution's security advisories. No exploit code or weaponization guidance is provided or intended. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2026-46118MEDIUMLinux Kernel PAPR Hypervisor Pipe Null Pointer Dereference (POWER Systems)
- CVE-2026-46127MEDIUMLinux Kernel OCRDMA Null Pointer Dereference (DoS)
- CVE-2026-46134MEDIUMLinux Kernel cros_ec Mutex Initialization DoS Vulnerability
- CVE-2026-46188MEDIUMLinux Octeon EP VF NULL Pointer Dereference Denial of Service
- CVE-2026-46211MEDIUMLinux Kernel MSM DRM NULL Pointer and Silent Error in gem_info_get_metadata
- CVE-2026-46216MEDIUMLinux Intel Arc GPU NULL Pointer Dereference (HDCP)
- CVE-2026-46222MEDIUMLinux Rockchip RKCam Driver Null Pointer Dereference