CVE-2026-46313: Linux Kernel Intel IPU6 Error Pointer Dereference (CVSS 5.5)
A flaw exists in the Linux kernel's Intel IPU6 media driver where an error-handling code path incorrectly dereferences a pointer that has been marked as invalid (an error pointer). When the driver encounters certain initialization failures during PCI device probing, it attempts to clean up resources but doesn't properly null-check a pointer before using it, leading to a kernel crash. This is a local denial-of-service issue affecting systems running vulnerable kernel versions with the Intel IPU6 driver enabled.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-476
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-07-08
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: media: intel/ipu6: fix error pointer dereference In a error path isp->psys is confirmed to be an error pointer not NULL so this condition is true and the error pointer is dereferenced. So isp-psys should be set to NULL before going to out_ipu6_bus_del_devices. Detected by Smatch: drivers/media/pci/intel/ipu6/ipu6.c:690 ipu6_pci_probe() error: 'isp->psys' dereferencing possible ERR_PTR() [Sakari Ailus: Fix commit message.]
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46313 is a NULL/error pointer dereference vulnerability in drivers/media/pci/intel/ipu6/ipu6.c within the Linux kernel's IPU6 media subsystem. During the ipu6_pci_probe() function's error-handling path, the isp->psys pointer is confirmed by an error-checking macro (IS_ERR_OR_NULL()) to be an error pointer, yet the code subsequently dereferences it without first setting it to NULL. The Smatch static analyzer identified this logic flaw: when an error condition is met, isp->psys contains an error code wrapped in a pointer (via ERR_PTR()), and dereferencing it triggers undefined behavior. The fix requires initializing isp->psys to NULL before the error cleanup branch (out_ipu6_bus_del_devices) executes.
Business impact
This vulnerability enables a local attacker with standard user privileges to crash a system running an affected kernel version. The impact is availability-focused: no confidentiality or integrity compromise occurs, but a denial-of-service condition can disrupt services relying on system stability. Systems using Intel IPU6 hardware (integrated in certain mobile and embedded platforms) are at risk; desktop and server deployments without this media hardware are unaffected. Repeated crashes could impede incident response or maintenance operations.
Affected systems
Linux kernel systems with the Intel IPU6 driver (ipu6/ipu6.c) compiled and loaded. This primarily affects platforms with Intel Image Processing Unit 6 hardware, typically found in certain mobile SoCs and select embedded/laptop configurations. Check your kernel configuration for CONFIG_INTEL_IPU6 or equivalent to determine exposure. The vulnerability requires the driver to be both built and active; it is not exploitable if the IPU6 driver is not loaded or if hardware is absent.
Exploitability
Exploitability is relatively straightforward for a local attacker. The CVSS vector (AV:L/AC:L/PR:L/UI:N) indicates local access and low attack complexity. An unprivileged user can trigger the ipu6_pci_probe() error path by inducing device initialization failures (e.g., via driver reload, hotplug simulation, or resource contention), causing the kernel to dereference the invalid pointer and crash. No user interaction is required beyond basic system access. However, exploitation is limited to denial-of-service; privilege escalation or code execution is not possible through this flaw.
Remediation
Apply a kernel update that includes the fix: isp->psys must be set to NULL immediately before the out_ipu6_bus_del_devices error-handling label, ensuring that the pointer dereference check (IS_ERR_OR_NULL()) succeeds in preventing the invalid dereference. Verify the exact patched kernel version against your distribution's security advisory, as version numbers vary by vendor. Alternatively, disable the IPU6 driver (CONFIG_INTEL_IPU6=n) if the hardware is not required, though this is typically not practical for systems that depend on it.
Patch guidance
Consult your Linux distribution's security advisory for the specific kernel version containing this fix. Red Hat, Ubuntu, Debian, and other major distributions will release updates with assigned tracking IDs. Apply kernel updates via your standard package management tool (apt, yum, dnf, etc.) and reboot. Verify the fix by confirming the kernel version post-update matches or exceeds the patched release. For systems on long-term support kernels (e.g., Linux LTS), check your vendor's LTS maintenance schedule; some distributions backport fixes to older supported versions. If you maintain a custom kernel, apply the patch directly from the Linux kernel repository or your vendor's advisory.
Detection guidance
Monitor kernel logs for crashes or oops messages originating from the ipu6 driver, particularly during device initialization or hotplug events. Search logs for 'ipu6' and 'error' keywords. Crash dumps mentioning ipu6.c:690 or ipu6_pci_probe() are indicative. System uptime monitoring may reveal unexpected reboots or denials of service. Vulnerability scanning tools that check kernel version and enabled drivers can identify systems running affected code, but this is a logic flaw unlikely to be detected without source analysis. Device unplugging or insertion of IPU6 hardware, if simulated in a controlled test environment, may trigger the error path and help validate whether the system is vulnerable before patching.
Why prioritize this
This vulnerability merits prompt but not emergency patching. While the CVSS score of 5.5 (MEDIUM) is moderate, the practical impact is contained: only systems with Intel IPU6 hardware are affected, and only local users can exploit it. There is no evidence of active exploitation in the wild (KEV not listed), no privilege escalation vector, and no data breach risk. However, organizations relying on IPU6-dependent services (e.g., mobile device management platforms, embedded vision systems) should prioritize patching to maintain availability. Standard patch-management cadences (monthly or quarterly updates) are appropriate unless the system is critical and frequently subject to local-user access.
Risk score, explained
The CVSS 3.1 score of 5.5 reflects: Attack Vector: Local (user must have system access), Attack Complexity: Low (no special conditions needed), Privileges Required: Low (standard user suffices), User Interaction: None (automated trigger), Scope: Unchanged (affects only the vulnerable component), Confidentiality/Integrity: None (no data exposure or corruption), Availability: High (kernel crash). The score is tempered by the requirement for local access and the narrow hardware scope, but elevated due to the ease of triggering and the availability impact.
Frequently asked questions
Does this vulnerability affect servers without Intel IPU6 hardware?
No. The vulnerability is specific to the ipu6 driver, which is only present on systems with Intel Image Processing Unit 6 hardware. Typical servers, desktops, and laptops without this hardware are not affected, even if running the same kernel version. Check your hardware specification or kernel configuration (CONFIG_INTEL_IPU6) to confirm exposure.
Can this vulnerability lead to privilege escalation or code execution?
No. This is a denial-of-service vulnerability only. The error pointer dereference causes a kernel crash but does not allow an attacker to execute arbitrary code or gain elevated privileges. The impact is limited to system unavailability.
Is a reboot required to patch this vulnerability?
Yes. Kernel patches require a system reboot to take effect. Most organizations schedule kernel updates during maintenance windows and reboot accordingly. Some live-patching solutions (e.g., kpatch, livepatch) may be able to address this without reboot, but availability depends on your distribution and kernel configuration.
What is the difference between an error pointer and a NULL pointer in the Linux kernel?
In the kernel, an error pointer is a special encoding that wraps an error code (e.g., -ENOMEM) into a pointer value using ERR_PTR(), allowing functions to return an error and a pointer in a single return value. A NULL pointer indicates no valid object. The is_err() and IS_ERR_OR_NULL() macros distinguish between them. Dereferencing an error pointer (as if it were a valid pointer) causes a crash, whereas dereferencing NULL is also unsafe but caught by many kernel sanity checks.
This analysis is based on official CVE data and Linux kernel advisory information current as of the publication date. Specific kernel versions affected and patch availability vary by Linux distribution; consult your vendor's security advisory for precise remediation guidance. No exploit code or proof-of-concept is provided. Patch version numbers, release dates, and additional vendor-specific details should be verified directly against Red Hat, Ubuntu, Debian, and other official channels. This information is provided for educational and risk-management purposes and does not constitute professional security advice. Organizations should assess their own exposure and apply patches in accordance with their change-management procedures. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2026-46118MEDIUMLinux Kernel PAPR Hypervisor Pipe Null Pointer Dereference (POWER Systems)
- CVE-2026-46127MEDIUMLinux Kernel OCRDMA Null Pointer Dereference (DoS)
- CVE-2026-46134MEDIUMLinux Kernel cros_ec Mutex Initialization DoS Vulnerability
- CVE-2026-46188MEDIUMLinux Octeon EP VF NULL Pointer Dereference Denial of Service
- CVE-2026-46211MEDIUMLinux Kernel MSM DRM NULL Pointer and Silent Error in gem_info_get_metadata
- CVE-2026-46216MEDIUMLinux Intel Arc GPU NULL Pointer Dereference (HDCP)
- CVE-2026-46222MEDIUMLinux Rockchip RKCam Driver Null Pointer Dereference