CVE-2026-45874 Linux CVE debrief

Who should care

Organizations running Linux on NXP i.MX8QM-based embedded systems, particularly those with custom or incomplete device tree configurations. Kernel maintainers and embedded Linux developers working with Freescale/NXP PHY drivers.

Technical summary

The Freescale i.MX8QM HSIO PHY driver (drivers/phy/freescale/phy-fsl-imx8qm-hsio.c) contains a NULL pointer dereference vulnerability. During probe, if the 'fsl,refclk-pad-mode' device tree property is not defined, the refclk_pad pointer is set to NULL. The imx_hsio_configure_clk_pad() function then uses this pointer unconditionally without NULL checking, resulting in a dereference of a NULL pointer. The fix adds a conditional check before using refclk_pad to prevent the crash.

Defensive priority

medium

Recommended defensive actions

• Review device tree configurations for i.MX8QM-based systems to verify presence of 'fsl,refclk-pad-mode' property
• Apply kernel updates containing the referenced stable commits to affected systems
• Monitor kernel logs for NULL pointer dereference errors in the imx8qm-hsio-phy driver during boot
• Validate PHY driver probe behavior on systems where the device tree property may be omitted

Evidence notes

The vulnerability description is sourced from the official CVE record published on 2026-05-27. The fix involves adding a NULL check for the refclk_pad pointer in imx_hsio_configure_clk_pad() before dereferencing it. Multiple stable kernel commits are referenced, indicating backports to affected kernel versions.

Official resources