CVE-2026-45978 Linux CVE debrief

Who should care

Linux kernel maintainers, embedded systems developers using Greybus hardware, Android device manufacturers with modular accessory support, and security teams tracking kernel staging driver vulnerabilities

Technical summary

The vulnerability is a classic initialization ordering bug in the Greybus lights driver (drivers/staging/greybus/lights.c). The function gb_lights_light_config() sets light->channels_count from protocol data before allocating light->channels. If kcalloc() fails, the error path calls gb_lights_release(), which uses channels_count in a loop to release channel resources, dereferencing the unallocated NULL pointer. The fix ensures atomicity of allocation and count publication: allocate first, then assign count only on success. This prevents the release function from observing inconsistent state.

Defensive priority

medium

Recommended defensive actions

• Apply kernel patches from stable branches when available for your distribution
• Monitor vendor security advisories for kernel updates addressing CVE-2026-45978
• Review systems using Greybus hardware for staging driver exposure
• Prioritize patching on systems with untrusted physical access or modular kernel loading
• Validate kcalloc failure handling in custom kernel builds if maintaining out-of-tree Greybus drivers

Evidence notes

Vulnerability description and patch commits sourced from NVD and kernel.org stable trees. Multiple stable branch fixes identified.

Official resources