PatchSiren

CVE-2026-46118 Linux CVE debrief

A null pointer dereference vulnerability in the Linux kernel's pseries/papr-hvpipe driver could allow local attackers to trigger a kernel panic. The flaw was introduced during a refactoring that converted `papr_hvpipe_dev_create_handle()` to use the `FD_PREPARE()` macro, which inadvertently caused `src_info` to be nullified before being reused for list operations. The vulnerability manifests as a kernel NULL pointer dereference on write when attempting to add `src_info` to the global list, resulting in system instability. The fix restructures the error handling to allocate and prepare `src_info` early, add it to the global list under spinlock protection after duplicate checking, and simplify cleanup paths. This affects IBM Power systems (pseries) utilizing the PAPR hypervisor pipe interface.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

System administrators managing IBM Power (pseries) Linux deployments, kernel maintainers for Power architecture distributions, security teams monitoring for local denial-of-service vectors in virtualized environments, and organizations running workloads on PowerVM or PowerKVM hypervisors utilizing PAPR hypervisor pipe interfaces.

Technical summary

The vulnerability exists in the papr-hvpipe driver for IBM Power systems, specifically in the `papr_hvpipe_dev_create_handle()` function. A refactoring to use the `FD_PREPARE()` macro introduced a logic error where `retain_and_null_ptr(src_info)` nullifies the `src_info` pointer, but subsequent code attempts to use this null pointer when adding to the global list. This results in a kernel NULL pointer dereference on write at address 0x00000000. The fix restructures the function to allocate and prepare `src_info` before any operations that could fail, adds it to the global list under spinlock protection only after confirming no duplicate exists, and simplifies error handling to remove from list and clear pending messages if file descriptor addition fails. The vulnerability is local-only, requiring access to the papr-hvpipe device, and results in denial of service through kernel panic rather than privilege escalation or information disclosure.

Defensive priority

high

Recommended defensive actions

  • Apply kernel patches from stable branches: 6.12.31, 6.14.8, 6.15-rc6 or later containing commits 1b9f7aafa44f, 735439394dde, or cf51bec1560f
  • Prioritize patching on IBM Power (pseries) systems utilizing PAPR hypervisor pipe (papr-hvpipe) interfaces
  • Monitor kernel logs for papr_hvpipe_dev_ioctl related oops or NULL pointer dereference signatures
  • Restrict local access to papr-hvpipe device nodes where untrusted user access is not required
  • Validate kernel version against affected ranges before deploying to production Power environments
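
One way to implement the log-monitoring action above is the following added example. It is not code from the advisory or from the kernel project. It assumes kernel logs in the usual ppc64 oops layout and reports only NULL-dereference oopses whose trace names a papr_hvpipe symbol; the sample log is constructed.

```python
import re

# Constructed sample in ppc64 oops style (not captured output). The two fault
# addresses are the ones quoted on this page; offsets and stack slots are made up.
SAMPLE_LOG = """\
[  101.100000] usb 1-1: new high-speed USB device number 2 using xhci_hcd
[  212.480010] BUG: Kernel NULL pointer dereference on write at 0x00000000
[  212.480015] Faulting instruction address: 0xc0000000001b44a0
[  212.480020] Oops: Kernel access of bad area, sig: 11 [#1]
[  212.480100] Call Trace:
[  212.480110] [c00000000a0f3c10] [c0000000001b4400] papr_hvpipe_dev_ioctl+0x1a0/0x3f0
[  212.480120] [c00000000a0f3d20] [c0000000006a1f00] sys_ioctl+0x5c/0x120
[  212.480200] ---[ end trace 0000000000000000 ]---
[  300.000000] BUG: Kernel NULL pointer dereference on read at 0x00000008
[  300.000010] Faulting instruction address: 0xc000000000999990
[  300.000030] [c00000000b000010] [c000000000999900] other_driver_open+0x40/0x90
[  300.000040] ---[ end trace 0000000000000000 ]---
[  301.000000] note: papr_hvpipe_dev_ioctl+0x0/0x0 seen outside any oops block
"""

BUG_RE = re.compile(r"BUG: Kernel NULL pointer dereference on (read|write) at (0x[0-9a-f]+)")
NIP_RE = re.compile(r"Faulting instruction address: (0x[0-9a-f]+)")
SYM_RE = re.compile(r"\b(papr_hvpipe\w*)\+0x")   # any driver symbol in a trace line
END_RE = re.compile(r"---\[ end trace")


def find_hvpipe_oopses(log_text):
    """Return one dict per NULL-dereference oops whose trace names a papr_hvpipe symbol."""
    blocks, cur = [], None
    for line in log_text.splitlines():
        bug = BUG_RE.search(line)
        if bug:                      # a BUG line opens a new oops block
            cur = {"access": bug.group(1), "addr": bug.group(2), "nip": None, "symbols": []}
            blocks.append(cur)
        elif cur is not None:
            nip = NIP_RE.search(line)
            if nip and cur["nip"] is None:
                cur["nip"] = nip.group(1)
            cur["symbols"] += SYM_RE.findall(line)
            if END_RE.search(line):  # trace finished: stop attributing lines to it
                cur = None
    # Unrelated NULL dereferences are dropped; only driver-attributed ones are reported.
    return [b for b in blocks if b["symbols"]]


if __name__ == "__main__":
    for hit in find_hvpipe_oopses(SAMPLE_LOG):
        print(hit)
```
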

Evidence notes

Vulnerability description confirms null pointer dereference in papr_hvpipe_dev_create_handle() introduced by commit 6d3789d347a7 during FD_PREPARE() conversion. Kernel panic trace shows fault at instruction address 0xc0000000001b44a0 with NULL pointer write. Fix commits restructure allocation and list insertion order to prevent use-after-nullify pattern.

Official resources

2026-05-28