VYPR
← All advisories
Unrated severityNVD Advisory· Published Apr 3, 2026· Updated Apr 7, 2026

CVE-2026-23467

CVE-2026-23467

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/i915/dmc: Fix an unlikely NULL pointer deference at probe

intel_dmc_update_dc6_allowed_count() oopses when DMC hasn't been initialized, and dmc is thus NULL.

That would be the case when the call path is intel_power_domains_init_hw() -> {skl,bxt,icl}_display_core_init() -> gen9_set_dc_state() -> intel_dmc_update_dc6_allowed_count(), as intel_power_domains_init_hw() is called *before* intel_dmc_init().

However, gen9_set_dc_state() calls intel_dmc_update_dc6_allowed_count() conditionally, depending on the current and target DC states. At probe, the target is disabled, but if DC6 is enabled, the function is called, and an oops follows. Apparently it's quite unlikely that DC6 is enabled at probe, as we haven't seen this failure mode before.

It is also strange to have DC6 enabled at boot, since that would require the DMC firmware (loaded by BIOS); the BIOS loading the DMC firmware and the driver stopping / reprogramming the firmware is a poorly specified sequence and as such unlikely an intentional BIOS behaviour. It's more likely that BIOS is leaving an unintentionally enabled DC6 HW state behind (without actually loading the required DMC firmware for this).

The tracking of the DC6 allowed counter only works if starting / stopping the counter depends on the _SW_ DC6 state vs. the current _HW_ DC6 state (since stopping the counter requires the DC5 counter captured when the counter was started). Thus, using the HW DC6 state is incorrect and it also leads to the above oops. Fix both issues by using the SW DC6 state for the tracking.

This is v2 of the fix originally sent by Jani, updated based on the first Link: discussion below.

(cherry picked from commit 2344b93af8eb5da5d496b4e0529d35f0f559eaf0)

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A NULL pointer dereference in the Linux kernel's i915 DMC driver can cause a crash during probe if DC6 is enabled before DMC initialization.

Vulnerability

In the Linux kernel's drm/i915 driver, a NULL pointer dereference vulnerability exists in the intel_dmc_update_dc6_allowed_count() function. This occurs because the function is called during hardware initialization, specifically in gen9_set_dc_state(), before the DMC (Display Microcontroller (DMC) has been initialized. At that point, the dmc pointer is still NULL, leading to a kernel oops when the function attempts to dereference it [1].

Exploitation

The vulnerability is triggered during the probe sequence: intel_power_domains_init_hw() calls gen9_set_dc_state(), which conditionally invokes intel_dmc_update_dc6_allowed_count() if the target DC state is DC6. While it is uncommon for DC6 to be enabled at boot (as it typically requires the BIOS to load DMC firmware), the scenario that is poorly specified and unlikely intentional), the condition can occur if the BIOS leaves an unintentionally enabled DC6 hardware state without loading the required firmware. No special privileges or user interaction are needed; the flaw manifests during normal driver initialization [1].

Impact

An attacker with local access or the ability to trigger a system boot could cause a denial-of-service (DoS) by crashing the kernel during the i915 driver probe. The oops prevents the display driver from initializing, potentially rendering the system unusable or requiring a reboot. The vulnerability does not allow arbitrary code execution or privilege escalation [1].

Mitigation

The fix, included in the Linux kernel stable updates, addresses both the NULL pointer dereference and an additional logic error where the hardware DC6 state was incorrectly used instead of the software DC6 state for tracking the DC6 allowed counter. The patch is available in commits such as 0b35d11fbbcf and ac57eb3b7d2a [1][2][3]. Users should apply the latest kernel updates from their distribution to remediate this issue.

References
  1. Making sure you're not a bot!
  2. Making sure you're not a bot!
  3. Making sure you're not a bot!

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

3

News mentions

0

No linked articles in our index yet.