PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43401 Linux CVE debrief

CVE-2026-43401 is a Linux kernel availability issue in cpufreq: intel_pstate. On systems booted with the nosmt parameter, update_cpu_qos_request() could dereference a NULL cpudata pointer before validating policy and driver state, leading to a NULL pointer dereference when qos requests are updated. The NVD record rates the impact as medium severity with high availability impact, and the affected ranges include Linux kernel 6.18 through before 6.18.19, 6.19 through before 6.19.9, and 7.0-rc1. Kernel stable patches are referenced for remediation.

Vendor
Linux
Product
Unknown
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-08
Original CVE updated
2026-05-21
Advisory published
2026-05-08
Advisory updated
2026-05-21

Who should care

Linux kernel maintainers, distro security teams, and operators running affected kernel versions on Intel systems should pay attention, especially where nosmt is enabled. Systems that rely on intel_pstate and may issue QoS updates are the most directly exposed to this local availability problem.

Technical summary

The vulnerable path is update_cpu_qos_request() in intel_pstate. The function was initializing the freq variable by dereferencing cpudata before confirming that policy and driver_data were valid. On nosmt systems, all_cpu_data[cpu] can be NULL for SMT sibling threads, so update_qos_requests() may hit a NULL pointer dereference when accessing pstate.turbo_freq through a NULL cpudata pointer. The described fix defers the freq assignment until after policy and driver_data validation, and after intel_pstate_get_hwp_cap() has run, because that call may update pstate.turbo_freq.

Defensive priority

Medium-high for environments that run affected Linux kernel builds on Intel hardware, particularly where nosmt is used. The issue is a local denial-of-service condition rather than a confidentiality or integrity problem, but it can still interrupt service on impacted systems.

Recommended defensive actions

  • Upgrade to a kernel release that includes the fix from the referenced stable patches.
  • Prioritize remediation on hosts running Intel pstate with nosmt enabled or workloads that trigger QoS request updates.
  • Verify whether deployed kernels fall within the affected ranges identified by NVD: 6.18 to before 6.18.19, 6.19 to before 6.19.9, or 7.0-rc1.
  • Monitor kernel vendor advisories and stable backport status for your distribution before and after upgrading.
  • If immediate upgrading is not possible, reduce exposure by limiting affected host configurations where practical and by scheduling maintenance on the impacted systems.

Evidence notes

This debrief is based on the CVE description, the NVD analyzed record, and the referenced kernel patch links. The source text explicitly states the NULL pointer dereference in update_cpu_qos_request(), the nosmt-related condition involving all_cpu_data being NULL, and the fix of deferring freq assignment until after validation. NVD lists CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H and CWE-476. The NVD affected criteria specify Linux kernel 6.18 through before 6.18.19, 6.19 through before 6.19.9, and 7.0-rc1.

Official resources

CVE published: 2026-05-08T15:16:51.543Z. CVE modified: 2026-05-21T19:26:06.597Z. NVD marked the issue analyzed and listed fix references on 2026-05-21. Timing in this debrief follows the CVE publication date provided in the source corpus.