CVE-2026-45877 Linux CVE debrief

Who should care

Linux system administrators running kernels with Intel ISH support; embedded/IoT device manufacturers using Intel sensor hub technology; organizations performing automated firmware updates on Linux-based Intel systems

Technical summary

The Intel ISH (Integrated Sensor Hub) HID driver in the Linux kernel contains a NULL pointer dereference in `ishtp_bus_remove_all_clients()`. When a warm reset occurs during client enumeration, `cl->device` may be NULL. The function dereferences this pointer to access `reference_count` without validation, causing a kernel panic. The vulnerability manifests through the `ish_fw_update_wq` workqueue during firmware reset operations. The fix introduces a NULL check before accessing `cl->device`.

Defensive priority

high

Recommended defensive actions

• Apply kernel patches from stable branches when available
• Monitor system logs for KASAN null-ptr-deref reports in intel_ishtp module
• Review warm reset handling in ISH firmware update workflows
• Consider disabling ISH firmware updates during critical operational periods if feasible
• Validate kernel version against patched releases in git.kernel.org stable branches

Evidence notes

The vulnerability was identified during multi-unit warm reboot stress cycles. KASAN detected a null-ptr-deref in range [0x0-0x7]. The call trace shows: ishtp_bus_remove_all_clients → ishtp_reset_handler → fw_reset_work_fn. The fix adds a defensive NULL check for cl->device before dereferencing.

Official resources