CVE-2026-45909 Linux CVE debrief

Who should care

Organizations running Linux on Mediatek SoCs (common in mobile devices, IoT, and embedded systems) should prioritize this patch to prevent system instability. Kernel maintainers and distributors should backport the fix to affected stable branches.

Technical summary

The Mediatek clock gate driver in the Linux kernel incorrectly retained `__initconst` annotations on `mtk_gate` structures after a refactoring (commit 8ceff24a754a) changed their usage from initialization-only to runtime. The `__initconst` section attribute instructs the kernel to discard the data after boot, causing subsequent runtime accesses to read freed/invalid memory. This can result in undefined behavior, system crashes, or potential security implications on Mediatek-based systems. The fix removes the `__initconst` annotations to ensure the structures persist for the lifetime of the kernel.

Defensive priority

medium

Recommended defensive actions

• Apply the relevant stable kernel patch for your kernel version: 5.15.y, 6.1.y, or 6.6.y branches
• Rebuild and deploy updated kernel with patched Mediatek clock driver
• Verify `__initconst` is removed from `mtk_gate` definitions in `drivers/clk/mediatek/`
• For systems using Mediatek SoCs, prioritize patching to prevent potential system instability or crashes from invalid memory access to clock gate structures

Evidence notes

The CVE description explicitly states the vulnerability is resolved and identifies the root cause: `__initconst` annotations on `mtk_gate` structs that are now used at runtime following commit 8ceff24a754a. Three stable kernel patches are referenced.

Official resources