VYPR
Unrated severity · NVD Advisory · Published Jun 3, 2026

CVE-2026-46258

Description

Linux kernel's gpio:cdev module has a NULL dereference vulnerability in linehandle_create() that can lead to a crash.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Linux kernel's gpio:cdev module contains a NULL dereference vulnerability within the linehandle_create() function. A specific code path dereferences a pointer lh after it has been intentionally nullified, leading to a system crash. This issue affects versions prior to the fix committed on June 3, 2026 [1].

Exploitation

An attacker would need to trigger the linehandle_create() function in a specific way that leads to the retain_and_null_ptr(lh) call being executed, followed by the subsequent debug printout that dereferences the now-NULL lh pointer. This would likely require specific kernel module loading or interaction with the GPIO character device interface under certain conditions.

Impact

Successful exploitation of this vulnerability results in a kernel crash, leading to a denial of service for the affected system. The attacker gains no further privileges or access beyond causing the system to become unresponsive.

Mitigation

The vulnerability has been resolved in the Linux kernel. The fix involves ensuring that the lh pointer is not dereferenced after being nullified, by using handlereq.lines instead. The specific commit ID for the fix is 6af6be278e3ba2ffb6af5b796c89dfb3f5d9063e [1]. Users should update to a kernel version containing this fix.

AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

87b9d7a4cfbe

gpio: cdev: Avoid NULL dereference in linehandle_create()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Douglas Anderson · Feb 15, 2026 · Fixed in 6.19.4 · via kernel-cna
1 file changed · +1 -1
  • drivers/gpio/gpiolib-cdev.c · +1 -1 · modified
    diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c
    index 2adc3c0709082..189127721e383 100644
    --- a/drivers/gpio/gpiolib-cdev.c
    +++ b/drivers/gpio/gpiolib-cdev.c
    @@ -388,7 +388,7 @@ static int linehandle_create(struct gpio_device *gdev, void __user *ip)
     	fd_publish(fdf);
     
     	dev_dbg(&gdev->dev, "registered chardev handle for %d lines\n",
    -		lh->num_descs);
    +		handlereq.lines);
     
     	return 0;
     }
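
Review bot: the dev_dbg() call after fd_publish(fdf) carries no comment explaining why it must read handlereq.lines rather than lh->num_descs, so a later cleanup could switch it back. Add a one-line comment above the dev_dbg() stating that lh must not be touched at this point in linehandle_create().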
    
6af6be278e3b

gpio: cdev: Avoid NULL dereference in linehandle_create()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git · Douglas Anderson · Feb 15, 2026 · Fixed in 7.0 · via kernel-cna
1 file changed · +1 -1
  • drivers/gpio/gpiolib-cdev.c · +1 -1 · modified
    diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c
    index 2adc3c0709082..189127721e383 100644
    --- a/drivers/gpio/gpiolib-cdev.c
    +++ b/drivers/gpio/gpiolib-cdev.c
    @@ -388,7 +388,7 @@ static int linehandle_create(struct gpio_device *gdev, void __user *ip)
     	fd_publish(fdf);
     
     	dev_dbg(&gdev->dev, "registered chardev handle for %d lines\n",
    -		lh->num_descs);
    +		handlereq.lines);
     
     	return 0;
     }
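
Review bot: the format string on the dev_dbg() line still uses %d for the new argument handlereq.lines. Check the declared type of that field against the specifier and switch to %u if it is unsigned, since the argument now comes from a different struct than before.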
    

Vulnerability mechanics

Root cause

"A debug print statement dereferences a pointer after it has been nullified."

Attack vector

An attacker can trigger this vulnerability by calling the `linehandle_create()` function within the Linux kernel's GPIO character device driver. This function is responsible for creating a handle for GPIO lines. The vulnerability occurs during the setup process for this handle.

Affected code

The vulnerability exists in the `linehandle_create()` function within the file `drivers/gpio/gpiolib-cdev.c`. Specifically, the issue lies in a debug print statement that incorrectly dereferences the `lh` pointer after it has been intentionally nullified.

What the fix does

The patch modifies the `linehandle_create()` function in `drivers/gpio/gpiolib-cdev.c` [patch_id=4686651]. Previously, a debug print statement dereferenced the `lh` pointer after it was nullified by `retain_and_null_ptr(lh)`. The fix replaces `lh->num_descs` with `handlereq.lines` in the debug print statement, which holds the same value but is not nullified. This prevents the NULL dereference and subsequent crash.
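
The ownership hand-off described above, as an added userspace model (not the kernel's code and not part of the advisory). GCC/Clang's cleanup attribute stands in for the kernel's scope-based cleanup, and `create_handle`, `retain_and_null`, `handle_req`, `line_handle` and `published` are hypothetical names chosen for the illustration.

```c
/* Userspace model (constructed) of a scope-owned pointer that is handed off
 * and nulled before a later log line. All names here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>

struct handle_req { unsigned int lines; };      /* caller's request copy */
struct line_handle { unsigned int num_descs; }; /* heap state handed to the fd */

static struct line_handle *published;           /* stands in for the published file */

static void free_handle(struct line_handle **p) { free(*p); }

/* Model of the hand-off step: the object stays alive, the local is cleared. */
#define retain_and_null(p) ((void)((p) = NULL))

/* Returns the line count to log after publishing, or -1 when the local
 * pointer is no longer usable at that point. */
static int create_handle(const struct handle_req *req, int use_request_copy)
{
	struct line_handle *lh __attribute__((cleanup(free_handle))) =
		calloc(1, sizeof(*lh));

	if (!lh)
		return -1;
	lh->num_descs = req->lines;

	published = lh;        /* ownership moves to the published object */
	retain_and_null(lh);   /* lh is NULL from here on; cleanup frees nothing */

	if (use_request_copy)
		return (int)req->lines;  /* fixed form: same value, still valid */
	/* The pre-fix form would read lh->num_descs here. The model tests the
	 * pointer instead of dereferencing it so the condition is reportable. */
	return lh ? (int)lh->num_descs : -1;
}

int main(void)
{
	struct handle_req req = { .lines = 4 };

	printf("fixed form logs: %d\n", create_handle(&req, 1));
	free(published);
	printf("local pointer usable after hand-off: %s\n",
	       create_handle(&req, 0) < 0 ? "no" : "yes");
	free(published);
	return 0;
}
```
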

Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
