PatchSiren

CVE-2026-46284 Linux CVE debrief

CVE-2026-46284 is a vulnerability in the Linux kernel that can cause an early boot crash when hugepages, hugepagesz, or default_hugepagesz are specified on the kernel command line without the '=' separator. This is due to early parameter parsing passing NULL to hugetlb_add_param(), which dereferences it in strlen() and can crash the system during early boot. The vulnerability has been resolved by rejecting NULL values in hugetlb_add_param() and returning -EINVAL instead.

Vendor: Linux
Product: Unknown
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-08
Original CVE updated: 2026-06-08
Advisory published: 2026-06-08
Advisory updated: 2026-06-08

Who should care

Users of the Linux kernel who pass hugepages, hugepagesz, or default_hugepagesz on the kernel command line should be aware of this vulnerability.

Technical summary

CVE-2026-46284 is triggered when hugepages, hugepagesz, or default_hugepagesz is specified on the kernel command line without the '=' separator. Early parameter parsing then passes NULL to hugetlb_add_param(), which dereferences it in strlen() and can crash the system during early boot. The fix rejects NULL values in hugetlb_add_param() and returns -EINVAL.

Defensive priority

medium

Recommended defensive actions

  • Apply the kernel patch that rejects NULL values in hugetlb_add_param() and returns -EINVAL.
  • Ensure that hugepages, hugepagesz, or default_hugepagesz are specified with the '=' separator on the kernel command line.
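
The second action can be checked before a reboot. The script below is an added example, not code from the advisory or the kernel project; it flags the three parameters when they appear without '=' in a command-line string or in a file such as /proc/cmdline or a bootloader config. Assumptions: tokens are whitespace-separated, default-hugepagesz is treated as equivalent because the kernel matches '-' and '_' interchangeably in parameter names, parsing stops at "--" as the kernel's does, and the function and script names are hypothetical.

```shell
#!/bin/sh
# Added example: flag hugetlb boot parameters written without '=value'.

# bare_hugetlb_params CMDLINE
# Prints each hugepages/hugepagesz/default_hugepagesz token in CMDLINE that
# lacks the '=' separator. Returns 1 if any was found, 0 otherwise.
bare_hugetlb_params() {
    found=0
    set -f                          # no globbing while word-splitting tokens
    # Turn quotes into spaces so bootloader lines like KEY="a b" split cleanly.
    for tok in $(printf '%s' "$1" | tr "\"'" '  '); do
        case "$tok" in
            --) break ;;            # kernel parameter parsing stops at "--"
            hugepages|hugepagesz|default_hugepagesz|default-hugepagesz)
                printf '%s\n' "$tok"
                found=1 ;;
        esac
    done
    set +f
    return "$found"
}

# audit_file PATH
# Checks each non-comment line of PATH (for example /proc/cmdline or a
# bootloader config) and prints "PATH:LINE: bare TOKEN ..." for every hit.
# Returns 1 if any line had a hit, 0 otherwise.
audit_file() {
    bad=0 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in \#*) continue ;; esac
        for hit in $(bare_hugetlb_params "$line"); do
            printf '%s:%s: bare %s (write %s=<value>)\n' "$1" "$n" "$hit" "$hit"
            bad=1
        done
    done < "$1"
    return "$bad"
}

# Usage: sh check_hugetlb.sh FILE...   (script name is hypothetical)
if [ "$#" -gt 0 ]; then
    rc=0
    for f in "$@"; do audit_file "$f" || rc=1; done
    exit "$rc"
fi
```

An empty value such as hugepages= is not flagged, since the page describes the crash only for the form with no '=' at all.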

Evidence notes

The CVE was published on 2026-06-08T17:16:46.193Z and has not been modified since then. The vulnerability has been resolved in the Linux kernel.

Official resources

CVE-2026-46284 was published on 2026-06-08T17:16:46.193Z.