CVE-2026-45877
Description
In the Linux kernel, the following vulnerability has been resolved:
HID: intel-ish-hid: fix NULL-ptr-deref in ishtp_bus_remove_all_clients
During a warm reset flow, the cl->device pointer may be NULL if the reset occurs while clients are still being enumerated. Accessing cl->device->reference_count without a NULL check leads to a kernel panic.
This issue was identified during multi-unit warm reboot stress cycles. Add a defensive NULL check for cl->device to ensure stability under such intensive testing conditions.
KASAN: null-ptr-deref in range [0000000000000000-0000000000000007]
Workqueue: ish_fw_update_wq fw_reset_work_fn
Call Trace:
 ishtp_bus_remove_all_clients+0xbe/0x130 [intel_ishtp]
 ishtp_reset_handler+0x85/0x1a0 [intel_ishtp]
 fw_reset_work_fn+0x8a/0xc0 [intel_ish_ipc]
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NULL pointer dereference in ishtp_bus_remove_all_clients in Intel ISH HID driver during warm reset can cause kernel panic.
Vulnerability
A NULL pointer dereference vulnerability exists in the ishtp_bus_remove_all_clients function of the Intel Integrated Sensor Hub (ISH) HID driver in the Linux kernel. During a warm reset flow, the cl->device pointer may be NULL if the reset occurs while clients are still being enumerated. Accessing cl->device->reference_count without a NULL check leads to a kernel panic. The issue affects various kernel versions prior to the commit feb4bcfd405282de60aba321f13a1272b30c5af4 [1].
Exploitation
An attacker must be able to trigger a warm reset of the Intel ISH controller while client enumeration is in progress. This could occur during normal system operation under stress conditions, such as multi-unit warm reboot cycles. The specific sequence involves the reset handler calling ishtp_bus_remove_all_clients, which dereferences the NULL pointer. No special privileges or user interaction are required beyond the ability to initiate a warm reset.
Impact
Successful exploitation results in a NULL pointer dereference, causing a kernel panic and immediate denial of service (DoS). The system becomes unavailable until reboot. No privilege escalation or information disclosure is indicated.
Mitigation
The fix is included in Linux kernel commit feb4bcfd405282de60aba321f13a1272b30c5af4 [1]. Users should apply patches from their distribution's kernel updates. No workaround is available if the system cannot be updated.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 8
272dac57caa9 HID: intel-ish-hid: fix NULL-ptr-deref in ishtp_bus_remove_all_clients
1 file changed · +1 −2
drivers/hid/intel-ish-hid/ishtp/bus.c+1 −2 modifieddiff --git a/drivers/hid/intel-ish-hid/ishtp/bus.c b/drivers/hid/intel-ish-hid/ishtp/bus.c index c3915f3a060ead..b890fbf97a75cd 100644 --- a/drivers/hid/intel-ish-hid/ishtp/bus.c +++ b/drivers/hid/intel-ish-hid/ishtp/bus.c @@ -730,7 +730,7 @@ void ishtp_bus_remove_all_clients(struct ishtp_device *ishtp_dev, spin_lock_irqsave(&ishtp_dev->cl_list_lock, flags); list_for_each_entry(cl, &ishtp_dev->cl_list, link) { cl->state = ISHTP_CL_DISCONNECTED; - if (warm_reset && cl->device->reference_count) + if (warm_reset && cl->device && cl->device->reference_count) continue; /* -- cgit 1.3-korg
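Review bot: In the new condition `warm_reset && cl->device && cl->device->reference_count`, a client whose `cl->device` is NULL no longer takes the `continue` and instead falls through to the code under the comment that follows, which this hunk does not show; please confirm that path never touches `cl->device`, and add a one-line comment saying when `cl->device` can be NULL (reset while clients are still being enumerated) so the check is not later dropped as redundant. The condition also reads `cl->device` twice while holding `cl_list_lock`; if the enumeration path sets or clears that pointer without the same lock, read it once into a local variable and test the local.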
56f7db581ee7 HID: intel-ish-hid: fix NULL-ptr-deref in ishtp_bus_remove_all_clients
1 file changed · +1 −2
drivers/hid/intel-ish-hid/ishtp/bus.c+1 −2 modifieddiff --git a/drivers/hid/intel-ish-hid/ishtp/bus.c b/drivers/hid/intel-ish-hid/ishtp/bus.c index c3915f3a060ead..b890fbf97a75cd 100644 --- a/drivers/hid/intel-ish-hid/ishtp/bus.c +++ b/drivers/hid/intel-ish-hid/ishtp/bus.c @@ -730,7 +730,7 @@ void ishtp_bus_remove_all_clients(struct ishtp_device *ishtp_dev, spin_lock_irqsave(&ishtp_dev->cl_list_lock, flags); list_for_each_entry(cl, &ishtp_dev->cl_list, link) { cl->state = ISHTP_CL_DISCONNECTED; - if (warm_reset && cl->device->reference_count) + if (warm_reset && cl->device && cl->device->reference_count) continue; /* -- cgit 1.3-korg
0b605e8ce606 HID: intel-ish-hid: fix NULL-ptr-deref in ishtp_bus_remove_all_clients
1 file changed · +1 −2
drivers/hid/intel-ish-hid/ishtp/bus.c+1 −2 modifieddiff --git a/drivers/hid/intel-ish-hid/ishtp/bus.c b/drivers/hid/intel-ish-hid/ishtp/bus.c index fddc1c4b6cedb5..03c68fe40925ba 100644 --- a/drivers/hid/intel-ish-hid/ishtp/bus.c +++ b/drivers/hid/intel-ish-hid/ishtp/bus.c @@ -730,7 +730,7 @@ void ishtp_bus_remove_all_clients(struct ishtp_device *ishtp_dev, spin_lock_irqsave(&ishtp_dev->cl_list_lock, flags); list_for_each_entry(cl, &ishtp_dev->cl_list, link) { cl->state = ISHTP_CL_DISCONNECTED; - if (warm_reset && cl->device->reference_count) + if (warm_reset && cl->device && cl->device->reference_count) continue; /* -- cgit 1.3-korg
feb4bcfd4052 HID: intel-ish-hid: fix NULL-ptr-deref in ishtp_bus_remove_all_clients
1 file changed · +1 −2
drivers/hid/intel-ish-hid/ishtp/bus.c+1 −2 modifieddiff --git a/drivers/hid/intel-ish-hid/ishtp/bus.c b/drivers/hid/intel-ish-hid/ishtp/bus.c index c3915f3a060ead..b890fbf97a75cd 100644 --- a/drivers/hid/intel-ish-hid/ishtp/bus.c +++ b/drivers/hid/intel-ish-hid/ishtp/bus.c @@ -730,7 +730,7 @@ void ishtp_bus_remove_all_clients(struct ishtp_device *ishtp_dev, spin_lock_irqsave(&ishtp_dev->cl_list_lock, flags); list_for_each_entry(cl, &ishtp_dev->cl_list, link) { cl->state = ISHTP_CL_DISCONNECTED; - if (warm_reset && cl->device->reference_count) + if (warm_reset && cl->device && cl->device->reference_count) continue; /* -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Missing NULL pointer check on cl->device before dereferencing cl->device->reference_count in ishtp_bus_remove_all_clients."
Attack vector
An attacker capable of triggering a warm reset on the Intel Integrated Sensor Hub (ISH) while clients are still being enumerated can cause a NULL-pointer dereference. The reset flow calls `ishtp_bus_remove_all_clients`, which iterates the client list and accesses `cl->device->reference_count` without checking whether `cl->device` is NULL [patch_id=2661779]. This leads to a kernel panic (KASAN null-ptr-deref) as shown in the call trace: `ishtp_bus_remove_all_clients` → `ishtp_reset_handler` → `fw_reset_work_fn`. The precondition is a race window during client enumeration concurrent with a warm reset.
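Added example (not part of the CVE record or the kernel patch): a log-triage helper that finds NULL-dereference reports whose call trace contains the three frames named above, in order, so fleet logs can be checked for hosts that hit this bug. The sample log is constructed from the trace in the description, and the `example_*` names in it are made up.

```python
import re

# Frames from the call trace in this CVE's description, innermost first.
SIGNATURE = ("ishtp_bus_remove_all_clients", "ishtp_reset_handler", "fw_reset_work_fn")
REPORT = re.compile(r"KASAN: null-ptr-deref|kernel NULL pointer dereference")
END = re.compile(r"</TASK>|---\[ end trace")
STAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")
# Reliable frames only: lines starting with "? " are stack leftovers and are skipped.
FRAME = re.compile(r"^\s*([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")

def in_order(needles, frames):
    """True if needles occur in frames in the same relative order."""
    it = iter(frames)
    return all(n in it for n in needles)

def find_ishtp_reset_oops(log_text):
    """Return the NULL-deref reports whose trace matches SIGNATURE."""
    reports, current = [], None
    for raw in log_text.splitlines():
        line = STAMP.sub("", raw)
        if REPORT.search(line):
            current = {"header": line.strip(), "frames": []}
            reports.append(current)
        elif current is not None and END.search(line):
            current = None
        elif current is not None:
            m = FRAME.match(line)
            if m:
                current["frames"].append(m.group(1))
    return [r for r in reports if in_order(SIGNATURE, r["frames"])]

# Constructed sample: report 1 reuses the CVE's trace, report 2 is unrelated.
SAMPLE_LOG = """\
[  101.000001] KASAN: null-ptr-deref in range [0000000000000000-0000000000000007]
[  101.000002] Workqueue: ish_fw_update_wq fw_reset_work_fn
[  101.000003] Call Trace:
[  101.000004]  ishtp_bus_remove_all_clients+0xbe/0x130 [intel_ishtp]
[  101.000005]  ? example_unreliable_frame+0x10/0x20
[  101.000006]  ishtp_reset_handler+0x85/0x1a0 [intel_ishtp]
[  101.000007]  fw_reset_work_fn+0x8a/0xc0 [intel_ish_ipc]
[  101.000008] ---[ end trace 0000000000000000 ]---
[  250.000001] KASAN: null-ptr-deref in range [0000000000000000-0000000000000007]
[  250.000002] Call Trace:
[  250.000003]  example_probe+0x12/0x40 [example_mod]
"""

if __name__ == "__main__":
    for hit in find_ishtp_reset_oops(SAMPLE_LOG):
        print(hit["header"], "<-", ", ".join(hit["frames"]))
```

Matching on the ordered frame names rather than on offsets such as `+0xbe/0x130` keeps the check valid across kernel builds, where the offsets differ.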
Affected code
The vulnerable code is in `drivers/hid/intel-ish-hid/ishtp/bus.c` in the function `ishtp_bus_remove_all_clients`. The fault is on the line `if (warm_reset && cl->device->reference_count)` which dereferences `cl->device` without a NULL check [patch_id=2661779].
What the fix does
The patch adds a defensive NULL check for `cl->device` before accessing `cl->device->reference_count`. The original code `if (warm_reset && cl->device->reference_count)` is changed to `if (warm_reset && cl->device && cl->device->reference_count)` [patch_id=2661779]. This ensures that if `cl->device` is NULL (because a reset occurred while clients were still being enumerated), the condition short-circuits and no dereference occurs, preventing the kernel panic.
Preconditions
- input: A warm reset must be triggered on the Intel ISH device while client enumeration is still in progress
- input: The attacker must be able to initiate or influence the warm reset flow (e.g., via multi-unit warm reboot stress cycles)
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 4
News mentions: 0
No linked articles in our index yet.