VYPR
← All advisories
Unrated severityNVD Advisory· Published Jun 3, 2026

CVE-2026-46261

CVE-2026-46261

Description

Linux kernel spi: wpcm-fiu driver has a NULL pointer dereference vulnerability in wpcm_fiu_probe() that can lead to a crash.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Linux kernel spi: wpcm-fiu driver has a NULL pointer dereference vulnerability in wpcm_fiu_probe() that can lead to a crash.

Vulnerability

A NULL pointer dereference vulnerability exists in the wpcm_fiu_probe() function within the Linux kernel's spi: wpcm-fiu driver. This occurs when platform_get_resource_byname() returns NULL, and the resulting NULL pointer is subsequently passed to resource_size(), leading to a crash. The fix involves moving the assignment of fiu->memory_size after the error check for devm_ioremap_resource() to prevent this dereference.

Exploitation

An attacker would need to trigger the wpcm_fiu_probe() function, likely through specific hardware configurations or module loading sequences that lead to platform_get_resource_byname() returning NULL. The vulnerability is triggered by the subsequent attempt to dereference this NULL pointer when calculating resource size.

Impact

Successful exploitation of this vulnerability would result in a crash of the Linux kernel. This denial-of-service condition would make the affected system unavailable.

Mitigation

This vulnerability has been resolved in the Linux kernel. The specific fixed version and release date are not detailed in the available references, but the patch is available via the provided kernel git link [1]. There are no workarounds mentioned, and the vulnerability is not listed as being part of the KEV catalog.

References
  1. Making sure you're not a bot!

AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

10
888a0a802c46

spi: wpcm-fiu: Fix potential NULL pointer dereference in wpcm_fiu_probe()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitFelix GuFeb 12, 2026Fixed in 7.0via kernel-cna
commit
1 file changed · +1 2
  • drivers/spi/spi-wpcm-fiu.c+1 2 modified
    diff --git a/drivers/spi/spi-wpcm-fiu.c b/drivers/spi/spi-wpcm-fiu.c
index 0e3ee55165871..0e26ff1785056 100644
--- a/drivers/spi/spi-wpcm-fiu.c
+++ b/drivers/spi/spi-wpcm-fiu.c
@@ -459,11 +459,11 @@ static int wpcm_fiu_probe(struct platform_device *pdev)
 
 	res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "memory");
 	fiu->memory = devm_ioremap_resource(dev, res);
-	fiu->memory_size = min_t(size_t, resource_size(res), MAX_MEMORY_SIZE_TOTAL);
 	if (IS_ERR(fiu->memory))
 		return dev_err_probe(dev, PTR_ERR(fiu->memory),
 			       "Failed to map flash memory window\n");
 
+	fiu->memory_size = min_t(size_t, resource_size(res), MAX_MEMORY_SIZE_TOTAL);
 	fiu->shm_regmap = syscon_regmap_lookup_by_phandle_optional(dev->of_node, "nuvoton,shm");
 
 	wpcm_fiu_hw_init(fiu);
-- 
cgit 1.3-korg
0f93a80eb3fd

spi: wpcm-fiu: Fix potential NULL pointer dereference in wpcm_fiu_probe()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitFelix GuFeb 12, 2026Fixed in 6.18.14via kernel-cna
commit
1 file changed · +1 2
  • drivers/spi/spi-wpcm-fiu.c+1 2 modified
    diff --git a/drivers/spi/spi-wpcm-fiu.c b/drivers/spi/spi-wpcm-fiu.c
index a9aee2a6c7dcb..c47b56f0933f1 100644
--- a/drivers/spi/spi-wpcm-fiu.c
+++ b/drivers/spi/spi-wpcm-fiu.c
@@ -459,11 +459,11 @@ static int wpcm_fiu_probe(struct platform_device *pdev)
 
 	res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "memory");
 	fiu->memory = devm_ioremap_resource(dev, res);
-	fiu->memory_size = min_t(size_t, resource_size(res), MAX_MEMORY_SIZE_TOTAL);
 	if (IS_ERR(fiu->memory))
 		return dev_err_probe(dev, PTR_ERR(fiu->memory),
 			       "Failed to map flash memory window\n");
 
+	fiu->memory_size = min_t(size_t, resource_size(res), MAX_MEMORY_SIZE_TOTAL);
 	fiu->shm_regmap = syscon_regmap_lookup_by_phandle_optional(dev->of_node, "nuvoton,shm");
 
 	wpcm_fiu_hw_init(fiu);
-- 
cgit 1.3-korg
9e5cb7e67fbd

spi: wpcm-fiu: Fix potential NULL pointer dereference in wpcm_fiu_probe()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitFelix GuFeb 12, 2026Fixed in 6.6.128via kernel-cna
commit
1 file changed · +1 2
  • drivers/spi/spi-wpcm-fiu.c+1 2 modified
    diff --git a/drivers/spi/spi-wpcm-fiu.c b/drivers/spi/spi-wpcm-fiu.c
index a67432a4bea21..c006889b37ebb 100644
--- a/drivers/spi/spi-wpcm-fiu.c
+++ b/drivers/spi/spi-wpcm-fiu.c
@@ -459,11 +459,11 @@ static int wpcm_fiu_probe(struct platform_device *pdev)
 
 	res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "memory");
 	fiu->memory = devm_ioremap_resource(dev, res);
-	fiu->memory_size = min_t(size_t, resource_size(res), MAX_MEMORY_SIZE_TOTAL);
 	if (IS_ERR(fiu->memory))
 		return dev_err_probe(dev, PTR_ERR(fiu->memory),
 			       "Failed to map flash memory window\n");
 
+	fiu->memory_size = min_t(size_t, resource_size(res), MAX_MEMORY_SIZE_TOTAL);
 	fiu->shm_regmap = syscon_regmap_lookup_by_phandle_optional(dev->of_node, "nuvoton,shm");
 
 	wpcm_fiu_hw_init(fiu);
-- 
cgit 1.3-korg
2c538a0b3472

spi: wpcm-fiu: Fix potential NULL pointer dereference in wpcm_fiu_probe()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitFelix GuFeb 12, 2026Fixed in 6.12.75via kernel-cna
commit
1 file changed · +1 2
  • drivers/spi/spi-wpcm-fiu.c+1 2 modified
    diff --git a/drivers/spi/spi-wpcm-fiu.c b/drivers/spi/spi-wpcm-fiu.c
index a9aee2a6c7dcb..c47b56f0933f1 100644
--- a/drivers/spi/spi-wpcm-fiu.c
+++ b/drivers/spi/spi-wpcm-fiu.c
@@ -459,11 +459,11 @@ static int wpcm_fiu_probe(struct platform_device *pdev)
 
 	res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "memory");
 	fiu->memory = devm_ioremap_resource(dev, res);
-	fiu->memory_size = min_t(size_t, resource_size(res), MAX_MEMORY_SIZE_TOTAL);
 	if (IS_ERR(fiu->memory))
 		return dev_err_probe(dev, PTR_ERR(fiu->memory),
 			       "Failed to map flash memory window\n");
 
+	fiu->memory_size = min_t(size_t, resource_size(res), MAX_MEMORY_SIZE_TOTAL);
 	fiu->shm_regmap = syscon_regmap_lookup_by_phandle_optional(dev->of_node, "nuvoton,shm");
 
 	wpcm_fiu_hw_init(fiu);
-- 
cgit 1.3-korg
cb9b2dc34a9e

spi: wpcm-fiu: Fix potential NULL pointer dereference in wpcm_fiu_probe()

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitFelix GuFeb 12, 2026Fixed in 6.19.4via kernel-cna
commit
1 file changed · +1 2
  • drivers/spi/spi-wpcm-fiu.c+1 2 modified
    diff --git a/drivers/spi/spi-wpcm-fiu.c b/drivers/spi/spi-wpcm-fiu.c
index a9aee2a6c7dcb..c47b56f0933f1 100644
--- a/drivers/spi/spi-wpcm-fiu.c
+++ b/drivers/spi/spi-wpcm-fiu.c
@@ -459,11 +459,11 @@ static int wpcm_fiu_probe(struct platform_device *pdev)
 
 	res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "memory");
 	fiu->memory = devm_ioremap_resource(dev, res);
-	fiu->memory_size = min_t(size_t, resource_size(res), MAX_MEMORY_SIZE_TOTAL);
 	if (IS_ERR(fiu->memory))
 		return dev_err_probe(dev, PTR_ERR(fiu->memory),
 			       "Failed to map flash memory window\n");
 
+	fiu->memory_size = min_t(size_t, resource_size(res), MAX_MEMORY_SIZE_TOTAL);
 	fiu->shm_regmap = syscon_regmap_lookup_by_phandle_optional(dev->of_node, "nuvoton,shm");
 
 	wpcm_fiu_hw_init(fiu);
-- 
cgit 1.3-korg
2c538a0b3472

spi: wpcm-fiu: Fix potential NULL pointer dereference in wpcm_fiu_probe()

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitFelix GuFeb 12, 2026via nvd-ref
commit
1 file changed · +1 2
  • drivers/spi/spi-wpcm-fiu.c+1 2 modified
    diff --git a/drivers/spi/spi-wpcm-fiu.c b/drivers/spi/spi-wpcm-fiu.c
index a9aee2a6c7dcb..c47b56f0933f1 100644
--- a/drivers/spi/spi-wpcm-fiu.c
+++ b/drivers/spi/spi-wpcm-fiu.c
@@ -459,11 +459,11 @@ static int wpcm_fiu_probe(struct platform_device *pdev)
 
 	res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "memory");
 	fiu->memory = devm_ioremap_resource(dev, res);
-	fiu->memory_size = min_t(size_t, resource_size(res), MAX_MEMORY_SIZE_TOTAL);
 	if (IS_ERR(fiu->memory))
 		return dev_err_probe(dev, PTR_ERR(fiu->memory),
 			       "Failed to map flash memory window\n");
 
+	fiu->memory_size = min_t(size_t, resource_size(res), MAX_MEMORY_SIZE_TOTAL);
 	fiu->shm_regmap = syscon_regmap_lookup_by_phandle_optional(dev->of_node, "nuvoton,shm");
 
 	wpcm_fiu_hw_init(fiu);
-- 
cgit 1.3-korg
cb9b2dc34a9e

spi: wpcm-fiu: Fix potential NULL pointer dereference in wpcm_fiu_probe()

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitFelix GuFeb 12, 2026via nvd-ref
commit
1 file changed · +1 2
  • drivers/spi/spi-wpcm-fiu.c+1 2 modified
    diff --git a/drivers/spi/spi-wpcm-fiu.c b/drivers/spi/spi-wpcm-fiu.c
index a9aee2a6c7dcb..c47b56f0933f1 100644
--- a/drivers/spi/spi-wpcm-fiu.c
+++ b/drivers/spi/spi-wpcm-fiu.c
@@ -459,11 +459,11 @@ static int wpcm_fiu_probe(struct platform_device *pdev)
 
 	res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "memory");
 	fiu->memory = devm_ioremap_resource(dev, res);
-	fiu->memory_size = min_t(size_t, resource_size(res), MAX_MEMORY_SIZE_TOTAL);
 	if (IS_ERR(fiu->memory))
 		return dev_err_probe(dev, PTR_ERR(fiu->memory),
 			       "Failed to map flash memory window\n");
 
+	fiu->memory_size = min_t(size_t, resource_size(res), MAX_MEMORY_SIZE_TOTAL);
 	fiu->shm_regmap = syscon_regmap_lookup_by_phandle_optional(dev->of_node, "nuvoton,shm");
 
 	wpcm_fiu_hw_init(fiu);
-- 
cgit 1.3-korg
0f93a80eb3fd

spi: wpcm-fiu: Fix potential NULL pointer dereference in wpcm_fiu_probe()

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitFelix GuFeb 12, 2026via nvd-ref
commit
1 file changed · +1 2
  • drivers/spi/spi-wpcm-fiu.c+1 2 modified
    diff --git a/drivers/spi/spi-wpcm-fiu.c b/drivers/spi/spi-wpcm-fiu.c
index a9aee2a6c7dcb..c47b56f0933f1 100644
--- a/drivers/spi/spi-wpcm-fiu.c
+++ b/drivers/spi/spi-wpcm-fiu.c
@@ -459,11 +459,11 @@ static int wpcm_fiu_probe(struct platform_device *pdev)
 
 	res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "memory");
 	fiu->memory = devm_ioremap_resource(dev, res);
-	fiu->memory_size = min_t(size_t, resource_size(res), MAX_MEMORY_SIZE_TOTAL);
 	if (IS_ERR(fiu->memory))
 		return dev_err_probe(dev, PTR_ERR(fiu->memory),
 			       "Failed to map flash memory window\n");
 
+	fiu->memory_size = min_t(size_t, resource_size(res), MAX_MEMORY_SIZE_TOTAL);
 	fiu->shm_regmap = syscon_regmap_lookup_by_phandle_optional(dev->of_node, "nuvoton,shm");
 
 	wpcm_fiu_hw_init(fiu);
-- 
cgit 1.3-korg
888a0a802c46

spi: wpcm-fiu: Fix potential NULL pointer dereference in wpcm_fiu_probe()

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitFelix GuFeb 12, 2026via nvd-ref
commit
1 file changed · +1 2
  • drivers/spi/spi-wpcm-fiu.c+1 2 modified
    diff --git a/drivers/spi/spi-wpcm-fiu.c b/drivers/spi/spi-wpcm-fiu.c
index 0e3ee55165871..0e26ff1785056 100644
--- a/drivers/spi/spi-wpcm-fiu.c
+++ b/drivers/spi/spi-wpcm-fiu.c
@@ -459,11 +459,11 @@ static int wpcm_fiu_probe(struct platform_device *pdev)
 
 	res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "memory");
 	fiu->memory = devm_ioremap_resource(dev, res);
-	fiu->memory_size = min_t(size_t, resource_size(res), MAX_MEMORY_SIZE_TOTAL);
 	if (IS_ERR(fiu->memory))
 		return dev_err_probe(dev, PTR_ERR(fiu->memory),
 			       "Failed to map flash memory window\n");
 
+	fiu->memory_size = min_t(size_t, resource_size(res), MAX_MEMORY_SIZE_TOTAL);
 	fiu->shm_regmap = syscon_regmap_lookup_by_phandle_optional(dev->of_node, "nuvoton,shm");
 
 	wpcm_fiu_hw_init(fiu);
-- 
cgit 1.3-korg
9e5cb7e67fbd

spi: wpcm-fiu: Fix potential NULL pointer dereference in wpcm_fiu_probe()

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitFelix GuFeb 12, 2026via nvd-ref
commit
1 file changed · +1 2
  • drivers/spi/spi-wpcm-fiu.c+1 2 modified
    diff --git a/drivers/spi/spi-wpcm-fiu.c b/drivers/spi/spi-wpcm-fiu.c
index a67432a4bea21..c006889b37ebb 100644
--- a/drivers/spi/spi-wpcm-fiu.c
+++ b/drivers/spi/spi-wpcm-fiu.c
@@ -459,11 +459,11 @@ static int wpcm_fiu_probe(struct platform_device *pdev)
 
 	res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "memory");
 	fiu->memory = devm_ioremap_resource(dev, res);
-	fiu->memory_size = min_t(size_t, resource_size(res), MAX_MEMORY_SIZE_TOTAL);
 	if (IS_ERR(fiu->memory))
 		return dev_err_probe(dev, PTR_ERR(fiu->memory),
 			       "Failed to map flash memory window\n");
 
+	fiu->memory_size = min_t(size_t, resource_size(res), MAX_MEMORY_SIZE_TOTAL);
 	fiu->shm_regmap = syscon_regmap_lookup_by_phandle_optional(dev->of_node, "nuvoton,shm");
 
 	wpcm_fiu_hw_init(fiu);
-- 
cgit 1.3-korg

Vulnerability mechanics

Root cause

"A NULL pointer dereference occurs when platform_get_resource_byname returns NULL and its result is passed to resource_size."

Attack vector

An attacker can trigger this vulnerability by exploiting a misconfiguration where the 'memory' resource is not properly defined for the wpcm-fiu device. This would cause platform_get_resource_byname to return NULL. Subsequently, passing this NULL pointer to resource_size within the wpcm_fiu_probe function leads to a crash.

Affected code

The vulnerability exists in the wpcm_fiu_probe() function within the file drivers/spi/spi-wpcm-fiu.c [patch_id=4686617]. Specifically, the issue arises from the order of operations involving platform_get_resource_byname() and devm_ioremap_resource().

What the fix does

The patch moves the assignment of fiu->memory_size to occur after the error check for devm_ioremap_resource [patch_id=4686617]. This ensures that resource_size is only called with a valid resource pointer, preventing the NULL pointer dereference that would have caused a crash. The change is located in drivers/spi/spi-wpcm-fiu.c.

Preconditions

  • configThe device must be configured with a 'memory' resource defined in its device tree.

Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

2