CVE-2026-45982
Description
In the Linux kernel, the following vulnerability has been resolved:
ACPICA: Fix NULL pointer dereference in acpi_ev_address_space_dispatch()
Cover a missed execution path with a new check.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A NULL pointer dereference in acpi_ev_address_space_dispatch() of the Linux kernel's ACPICA may be exploited to cause a denial of service.
Vulnerability
A NULL pointer dereference vulnerability exists in the acpi_ev_address_space_dispatch() function within the Linux kernel's ACPI Component Architecture (ACPICA) subsystem. The issue arises from an unhandled execution path that results in a NULL pointer being dereferenced. The affected versions include Linux kernel versions prior to the fix introduced in commit [1]. Specific version ranges are not publicly detailed.
Exploitation
Exploitation requires an attacker to trigger the specific ACPI control method or hardware event that reaches the missed execution path. This could be achieved through local access to the system, potentially via crafted ACPI tables or by interacting with ACPI-defined hardware interfaces. User interaction or specific system configuration may be necessary.
Impact
Successful exploitation leads to a kernel NULL pointer dereference, which typically results in a system crash (denial of service). In some configurations, it might be leveraged for code execution, though the public disclosure does not confirm this.
Mitigation
The vulnerability is fixed in the Linux stable kernel tree via commit [1]. Users should apply the patch or update to a kernel version containing this commit. No workaround is available if the patch cannot be applied.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1
Patches
cce354524da4 ACPICA: Fix NULL pointer dereference in acpi_ev_address_space_dispatch()
1 file changed · +3 −2
drivers/acpi/acpica/evregion.c+3 −2 modifieddiff --git a/drivers/acpi/acpica/evregion.c b/drivers/acpi/acpica/evregion.c index cf53b9535f18e0..7788c27ccf4610 100644 --- a/drivers/acpi/acpica/evregion.c +++ b/drivers/acpi/acpica/evregion.c @@ -163,7 +163,9 @@ acpi_ev_address_space_dispatch(union acpi_operand_object *region_obj, return_ACPI_STATUS(AE_NOT_EXIST); } - if (region_obj->region.space_id == ACPI_ADR_SPACE_PLATFORM_COMM) { + if (field_obj + && region_obj->region.space_id == + ACPI_ADR_SPACE_PLATFORM_COMM) { struct acpi_pcc_info *ctx = handler_desc->address_space.context; -- cgit 1.3-korg
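Review bot: the added `field_obj` test in the `if` silently skips the PCC context block when `field_obj` is NULL, and nothing in the hunk says which caller dispatches without a field object or whether the PCC handler is still safe to invoke once that block has been skipped. Please add a short comment above the condition naming the path that passes NULL, and confirm that falling through is intended here rather than returning an error status.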
b24595b86920 ACPICA: Fix NULL pointer dereference in acpi_ev_address_space_dispatch()
1 file changed · +3 −2
drivers/acpi/acpica/evregion.c+3 −2 modifieddiff --git a/drivers/acpi/acpica/evregion.c b/drivers/acpi/acpica/evregion.c index fa3475da7ea9b6..b6198f73c81dfa 100644 --- a/drivers/acpi/acpica/evregion.c +++ b/drivers/acpi/acpica/evregion.c @@ -163,7 +163,9 @@ acpi_ev_address_space_dispatch(union acpi_operand_object *region_obj, return_ACPI_STATUS(AE_NOT_EXIST); } - if (region_obj->region.space_id == ACPI_ADR_SPACE_PLATFORM_COMM) { + if (field_obj + && region_obj->region.space_id == + ACPI_ADR_SPACE_PLATFORM_COMM) { struct acpi_pcc_info *ctx = handler_desc->address_space.context; -- cgit 1.3-korg
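Review bot: style, on the two continuation lines of the new condition: `&& region_obj->region.space_id ==` starts with an operator and also ends with one, so a single condition mixes leading and trailing line breaks and is harder to scan than the one-line original. Consider breaking once, after `if (field_obj &&`, and keeping the `space_id == ACPI_ADR_SPACE_PLATFORM_COMM` comparison together on the following line.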
56024dbe8c76 ACPICA: Fix NULL pointer dereference in acpi_ev_address_space_dispatch()
1 file changed · +3 −2
drivers/acpi/acpica/evregion.c+3 −2 modifieddiff --git a/drivers/acpi/acpica/evregion.c b/drivers/acpi/acpica/evregion.c index fa3475da7ea9b6..b6198f73c81dfa 100644 --- a/drivers/acpi/acpica/evregion.c +++ b/drivers/acpi/acpica/evregion.c @@ -163,7 +163,9 @@ acpi_ev_address_space_dispatch(union acpi_operand_object *region_obj, return_ACPI_STATUS(AE_NOT_EXIST); } - if (region_obj->region.space_id == ACPI_ADR_SPACE_PLATFORM_COMM) { + if (field_obj + && region_obj->region.space_id == + ACPI_ADR_SPACE_PLATFORM_COMM) { struct acpi_pcc_info *ctx = handler_desc->address_space.context; -- cgit 1.3-korg
f2cf475d23b8 ACPICA: Fix NULL pointer dereference in acpi_ev_address_space_dispatch()
1 file changed · +3 −2
drivers/acpi/acpica/evregion.c+3 −2 modifieddiff --git a/drivers/acpi/acpica/evregion.c b/drivers/acpi/acpica/evregion.c index cf53b9535f18e0..7788c27ccf4610 100644 --- a/drivers/acpi/acpica/evregion.c +++ b/drivers/acpi/acpica/evregion.c @@ -163,7 +163,9 @@ acpi_ev_address_space_dispatch(union acpi_operand_object *region_obj, return_ACPI_STATUS(AE_NOT_EXIST); } - if (region_obj->region.space_id == ACPI_ADR_SPACE_PLATFORM_COMM) { + if (field_obj + && region_obj->region.space_id == + ACPI_ADR_SPACE_PLATFORM_COMM) { struct acpi_pcc_info *ctx = handler_desc->address_space.context; -- cgit 1.3-korg
7d99cbe717c1 ACPICA: Fix NULL pointer dereference in acpi_ev_address_space_dispatch()
1 file changed · +3 −2
drivers/acpi/acpica/evregion.c+3 −2 modifieddiff --git a/drivers/acpi/acpica/evregion.c b/drivers/acpi/acpica/evregion.c index b96b3a7e78e50a..fd6471e764f1a1 100644 --- a/drivers/acpi/acpica/evregion.c +++ b/drivers/acpi/acpica/evregion.c @@ -162,7 +162,9 @@ acpi_ev_address_space_dispatch(union acpi_operand_object *region_obj, return_ACPI_STATUS(AE_NOT_EXIST); } - if (region_obj->region.space_id == ACPI_ADR_SPACE_PLATFORM_COMM) { + if (field_obj + && region_obj->region.space_id == + ACPI_ADR_SPACE_PLATFORM_COMM) { struct acpi_pcc_info *ctx = handler_desc->address_space.context; -- cgit 1.3-korg
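Review bot: missing documentation for whoever picks up this backport: the subject names the function but not the condition, and the hunk itself gives no hint of where `field_obj` is used inside the block that starts with `struct acpi_pcc_info *ctx = handler_desc->address_space.context;`. If the commit does not already carry one, a `Fixes:` reference to the change that introduced the PCC block, plus one sentence in the description saying that `field_obj` may be NULL at this point, would let a maintainer judge whether a given tree needs the patch.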
f851e03bce96 ACPICA: Fix NULL pointer dereference in acpi_ev_address_space_dispatch()
1 file changed · +3 −2
drivers/acpi/acpica/evregion.c+3 −2 modifieddiff --git a/drivers/acpi/acpica/evregion.c b/drivers/acpi/acpica/evregion.c index fa3475da7ea9b6..b6198f73c81dfa 100644 --- a/drivers/acpi/acpica/evregion.c +++ b/drivers/acpi/acpica/evregion.c @@ -163,7 +163,9 @@ acpi_ev_address_space_dispatch(union acpi_operand_object *region_obj, return_ACPI_STATUS(AE_NOT_EXIST); } - if (region_obj->region.space_id == ACPI_ADR_SPACE_PLATFORM_COMM) { + if (field_obj + && region_obj->region.space_id == + ACPI_ADR_SPACE_PLATFORM_COMM) { struct acpi_pcc_info *ctx = handler_desc->address_space.context; -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Missing NULL pointer check on field_obj before dereferencing it in the PCC Opregion code path of acpi_ev_address_space_dispatch()."
Attack vector
An attacker who can trigger ACPI address space dispatch for a PCC Opregion without a valid `field_obj` can cause a NULL pointer dereference. The function `acpi_ev_address_space_dispatch()` previously checked `region_obj->region.space_id == ACPI_ADR_SPACE_PLATFORM_COMM` without verifying that `field_obj` is non-NULL, leading to a crash when `field_obj` is NULL. This can be triggered locally by crafting ACPI tables or AML that invoke dispatch on a PCC region without a corresponding field object.
Affected code
The vulnerability resides in `drivers/acpi/acpica/evregion.c` in the function `acpi_ev_address_space_dispatch()`. The code path that checks for `ACPI_ADR_SPACE_PLATFORM_COMM` (PCC Opregion) was missing a NULL check on `field_obj` before dereferencing it.
What the fix does
The patch adds a `field_obj` NULL check to the condition guarding the PCC Opregion special context handling. Before the fix, the code unconditionally checked `region_obj->region.space_id == ACPI_ADR_SPACE_PLATFORM_COMM` and then dereferenced `handler_desc->address_space.context` without ensuring `field_obj` was valid. The fix changes the condition to `if (field_obj && region_obj->region.space_id == ACPI_ADR_SPACE_PLATFORM_COMM)`, preventing the NULL pointer dereference on the missed execution path. This addresses the issue introduced by commit 0acf24ad7e10 ("ACPICA: Add support for PCC Opregion special context data") [patch_id=2660738].
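The old and new conditions quoted above are enough to tell whether a given copy of `drivers/acpi/acpica/evregion.c` carries the fix. The script below is an added example, not code from the kernel project or from this page's sources; the function names and the sample files are hypothetical, and the two strings it searches for are the conditions shown in the hunks on this page.

```shell
#!/bin/sh
# Classify a copy of drivers/acpi/acpica/evregion.c by the PCC guard it contains.

# Collapse every run of whitespace to one space, so the patched condition
# (which the fix spreads over three lines) can be matched as a single string.
flatten() {
    tr -s '[:space:]' ' ' < "$1"
}

# Prints one of: patched | unpatched | unknown | missing
evregion_fix_status() {
    src=$1
    [ -r "$src" ] || { echo missing; return 0; }
    flat=$(flatten "$src")
    case $flat in
        *'if (field_obj && region_obj->region.space_id == ACPI_ADR_SPACE_PLATFORM_COMM)'*)
            echo patched ;;
        *'if (region_obj->region.space_id == ACPI_ADR_SPACE_PLATFORM_COMM)'*)
            echo unpatched ;;
        *)
            # Neither form found: the tree has no PCC special-context block
            # or writes the condition differently; inspect it by hand.
            echo unknown ;;
    esac
}

# Constructed sample input: writes the condition as it looks after ("new")
# or before ("old") the fix, laid out as in the hunks on this page.
write_sample() {
    if [ "$1" = new ]; then
        printf '\tif (field_obj\n\t    && region_obj->region.space_id ==\n\t    ACPI_ADR_SPACE_PLATFORM_COMM) {\n' > "$2"
    else
        printf '\tif (region_obj->region.space_id == ACPI_ADR_SPACE_PLATFORM_COMM) {\n' > "$2"
    fi
}

# Usage: sh check_evregion.sh /path/to/linux/drivers/acpi/acpica/evregion.c
if [ "$#" -ge 1 ]; then
    evregion_fix_status "$1"
fi
```

This inspects source only; for a running system it has to be pointed at the source tree the installed kernel was built from.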
Preconditions
- config: The system must have ACPI support enabled and the kernel must process PCC Opregion address space dispatch.
- input: An attacker must be able to supply or trigger ACPI tables/AML that cause `acpi_ev_address_space_dispatch()` to be called for a PCC region with `field_obj == NULL`.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- git.kernel.org/stable/c/56024dbe8c76cff22f53ba81a95d9efd4d0c9c44 (nvd)
- git.kernel.org/stable/c/7d99cbe717c1b15a66559215df32312d8cf7e525 (nvd)
- git.kernel.org/stable/c/b24595b86920911d2b04f862422b896a0620e9ad (nvd)
- git.kernel.org/stable/c/cce354524da4d10fd2c7eb835e2e4e8ab8c0ce97 (nvd)
- git.kernel.org/stable/c/f2cf475d23b8486dfa414f7ac09f918ffd3c32a5 (nvd)
- git.kernel.org/stable/c/f851e03bce968ff9b3faad1b616062e1244fd38d (nvd)