VYPR
← All advisories
Unrated severityNVD Advisory· Published Jun 3, 2026

CVE-2026-46269

CVE-2026-46269

Description

Linux kernel pinctrl driver for k230 has a NULL pointer dereference vulnerability during device tree parsing.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Linux kernel pinctrl driver for k230 has a NULL pointer dereference vulnerability during device tree parsing.

Vulnerability

The Linux kernel's pinctrl driver for the k230 platform contains a NULL pointer dereference vulnerability. This occurs during the device tree parsing phase within the k230_pinctrl_probe function, specifically when k230_pinctrl_parse_functions attempts to access info->pctl_dev->dev before info->pctl_dev has been properly initialized. This issue affects versions of the kernel where this code path is present.

Exploitation

An attacker with the ability to influence the device tree configuration loaded by the kernel could trigger this vulnerability. The exploit involves providing a device tree that leads to the k230_pinctrl_parse_dt() function being called in a state where info->pctl_dev is NULL, causing the subsequent dereference of info->pctl_dev->dev within k230_pinctrl_parse_functions().

Impact

Successful exploitation of this NULL pointer dereference would lead to a kernel crash, resulting in a denial of service. The specific impact is a system-wide crash, preventing normal operation.

Mitigation

This vulnerability has been resolved by using the already available device pointer from the platform device instead of accessing it through an uninitialized pctl_dev. The fix is available in the Linux kernel via commit 1d0d361f4dbc2bb2003594f84e4b101fc6b508c0 [1].

References
  1. Making sure you're not a bot!

AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

6
1d0d361f4dbc

pinctrl: canaan: k230: Fix NULL pointer dereference when parsing devicetree

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitJiayu DuDec 28, 2025Fixed in 6.19.4via kernel-cna
commit
1 file changed · +5 3
  • drivers/pinctrl/pinctrl-k230.c+5 3 modified
    diff --git a/drivers/pinctrl/pinctrl-k230.c b/drivers/pinctrl/pinctrl-k230.c
index d716f23d837f7..20f7c0f70eb77 100644
--- a/drivers/pinctrl/pinctrl-k230.c
+++ b/drivers/pinctrl/pinctrl-k230.c
@@ -65,6 +65,7 @@ struct k230_pmx_func {
 };
 
 struct k230_pinctrl {
+	struct device		*dev;
 	struct pinctrl_desc	pctl;
 	struct pinctrl_dev	*pctl_dev;
 	struct regmap		*regmap_base;
@@ -470,7 +471,7 @@ static int k230_pinctrl_parse_groups(struct device_node *np,
 				     struct k230_pinctrl *info,
 				     unsigned int index)
 {
-	struct device *dev = info->pctl_dev->dev;
+	struct device *dev = info->dev;
 	const __be32 *list;
 	int size, i, ret;
 
@@ -511,7 +512,7 @@ static int k230_pinctrl_parse_functions(struct device_node *np,
 					struct k230_pinctrl *info,
 					unsigned int index)
 {
-	struct device *dev = info->pctl_dev->dev;
+	struct device *dev = info->dev;
 	struct k230_pmx_func *func;
 	struct k230_pin_group *grp;
 	static unsigned int idx, i;
@@ -596,6 +597,8 @@ static int k230_pinctrl_probe(struct platform_device *pdev)
 	if (!info)
 		return -ENOMEM;
 
+	info->dev = dev;
+
 	pctl = &info->pctl;
 
 	pctl->name	= "k230-pinctrl";
-- 
cgit 1.3-korg
3c7d637bfc3d

pinctrl: canaan: k230: Fix NULL pointer dereference when parsing devicetree

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitJiayu DuDec 28, 2025Fixed in 6.18.14via kernel-cna
commit
1 file changed · +5 3
  • drivers/pinctrl/pinctrl-k230.c+5 3 modified
    diff --git a/drivers/pinctrl/pinctrl-k230.c b/drivers/pinctrl/pinctrl-k230.c
index d716f23d837f7..20f7c0f70eb77 100644
--- a/drivers/pinctrl/pinctrl-k230.c
+++ b/drivers/pinctrl/pinctrl-k230.c
@@ -65,6 +65,7 @@ struct k230_pmx_func {
 };
 
 struct k230_pinctrl {
+	struct device		*dev;
 	struct pinctrl_desc	pctl;
 	struct pinctrl_dev	*pctl_dev;
 	struct regmap		*regmap_base;
@@ -470,7 +471,7 @@ static int k230_pinctrl_parse_groups(struct device_node *np,
 				     struct k230_pinctrl *info,
 				     unsigned int index)
 {
-	struct device *dev = info->pctl_dev->dev;
+	struct device *dev = info->dev;
 	const __be32 *list;
 	int size, i, ret;
 
@@ -511,7 +512,7 @@ static int k230_pinctrl_parse_functions(struct device_node *np,
 					struct k230_pinctrl *info,
 					unsigned int index)
 {
-	struct device *dev = info->pctl_dev->dev;
+	struct device *dev = info->dev;
 	struct k230_pmx_func *func;
 	struct k230_pin_group *grp;
 	static unsigned int idx, i;
@@ -596,6 +597,8 @@ static int k230_pinctrl_probe(struct platform_device *pdev)
 	if (!info)
 		return -ENOMEM;
 
+	info->dev = dev;
+
 	pctl = &info->pctl;
 
 	pctl->name	= "k230-pinctrl";
-- 
cgit 1.3-korg
d8c128fb6c22

pinctrl: canaan: k230: Fix NULL pointer dereference when parsing devicetree

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitJiayu DuDec 28, 2025Fixed in 7.0via kernel-cna
commit
1 file changed · +5 3
  • drivers/pinctrl/pinctrl-k230.c+5 3 modified
    diff --git a/drivers/pinctrl/pinctrl-k230.c b/drivers/pinctrl/pinctrl-k230.c
index d716f23d837f7..20f7c0f70eb77 100644
--- a/drivers/pinctrl/pinctrl-k230.c
+++ b/drivers/pinctrl/pinctrl-k230.c
@@ -65,6 +65,7 @@ struct k230_pmx_func {
 };
 
 struct k230_pinctrl {
+	struct device		*dev;
 	struct pinctrl_desc	pctl;
 	struct pinctrl_dev	*pctl_dev;
 	struct regmap		*regmap_base;
@@ -470,7 +471,7 @@ static int k230_pinctrl_parse_groups(struct device_node *np,
 				     struct k230_pinctrl *info,
 				     unsigned int index)
 {
-	struct device *dev = info->pctl_dev->dev;
+	struct device *dev = info->dev;
 	const __be32 *list;
 	int size, i, ret;
 
@@ -511,7 +512,7 @@ static int k230_pinctrl_parse_functions(struct device_node *np,
 					struct k230_pinctrl *info,
 					unsigned int index)
 {
-	struct device *dev = info->pctl_dev->dev;
+	struct device *dev = info->dev;
 	struct k230_pmx_func *func;
 	struct k230_pin_group *grp;
 	static unsigned int idx, i;
@@ -596,6 +597,8 @@ static int k230_pinctrl_probe(struct platform_device *pdev)
 	if (!info)
 		return -ENOMEM;
 
+	info->dev = dev;
+
 	pctl = &info->pctl;
 
 	pctl->name	= "k230-pinctrl";
-- 
cgit 1.3-korg
1d0d361f4dbc

pinctrl: canaan: k230: Fix NULL pointer dereference when parsing devicetree

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitJiayu DuDec 28, 2025via nvd-ref
commit
1 file changed · +5 3
  • drivers/pinctrl/pinctrl-k230.c+5 3 modified
    diff --git a/drivers/pinctrl/pinctrl-k230.c b/drivers/pinctrl/pinctrl-k230.c
index d716f23d837f7..20f7c0f70eb77 100644
--- a/drivers/pinctrl/pinctrl-k230.c
+++ b/drivers/pinctrl/pinctrl-k230.c
@@ -65,6 +65,7 @@ struct k230_pmx_func {
 };
 
 struct k230_pinctrl {
+	struct device		*dev;
 	struct pinctrl_desc	pctl;
 	struct pinctrl_dev	*pctl_dev;
 	struct regmap		*regmap_base;
@@ -470,7 +471,7 @@ static int k230_pinctrl_parse_groups(struct device_node *np,
 				     struct k230_pinctrl *info,
 				     unsigned int index)
 {
-	struct device *dev = info->pctl_dev->dev;
+	struct device *dev = info->dev;
 	const __be32 *list;
 	int size, i, ret;
 
@@ -511,7 +512,7 @@ static int k230_pinctrl_parse_functions(struct device_node *np,
 					struct k230_pinctrl *info,
 					unsigned int index)
 {
-	struct device *dev = info->pctl_dev->dev;
+	struct device *dev = info->dev;
 	struct k230_pmx_func *func;
 	struct k230_pin_group *grp;
 	static unsigned int idx, i;
@@ -596,6 +597,8 @@ static int k230_pinctrl_probe(struct platform_device *pdev)
 	if (!info)
 		return -ENOMEM;
 
+	info->dev = dev;
+
 	pctl = &info->pctl;
 
 	pctl->name	= "k230-pinctrl";
-- 
cgit 1.3-korg
d8c128fb6c22

pinctrl: canaan: k230: Fix NULL pointer dereference when parsing devicetree

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitJiayu DuDec 28, 2025via nvd-ref
commit
1 file changed · +5 3
  • drivers/pinctrl/pinctrl-k230.c+5 3 modified
    diff --git a/drivers/pinctrl/pinctrl-k230.c b/drivers/pinctrl/pinctrl-k230.c
index d716f23d837f7..20f7c0f70eb77 100644
--- a/drivers/pinctrl/pinctrl-k230.c
+++ b/drivers/pinctrl/pinctrl-k230.c
@@ -65,6 +65,7 @@ struct k230_pmx_func {
 };
 
 struct k230_pinctrl {
+	struct device		*dev;
 	struct pinctrl_desc	pctl;
 	struct pinctrl_dev	*pctl_dev;
 	struct regmap		*regmap_base;
@@ -470,7 +471,7 @@ static int k230_pinctrl_parse_groups(struct device_node *np,
 				     struct k230_pinctrl *info,
 				     unsigned int index)
 {
-	struct device *dev = info->pctl_dev->dev;
+	struct device *dev = info->dev;
 	const __be32 *list;
 	int size, i, ret;
 
@@ -511,7 +512,7 @@ static int k230_pinctrl_parse_functions(struct device_node *np,
 					struct k230_pinctrl *info,
 					unsigned int index)
 {
-	struct device *dev = info->pctl_dev->dev;
+	struct device *dev = info->dev;
 	struct k230_pmx_func *func;
 	struct k230_pin_group *grp;
 	static unsigned int idx, i;
@@ -596,6 +597,8 @@ static int k230_pinctrl_probe(struct platform_device *pdev)
 	if (!info)
 		return -ENOMEM;
 
+	info->dev = dev;
+
 	pctl = &info->pctl;
 
 	pctl->name	= "k230-pinctrl";
-- 
cgit 1.3-korg
3c7d637bfc3d

pinctrl: canaan: k230: Fix NULL pointer dereference when parsing devicetree

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitJiayu DuDec 28, 2025via nvd-ref
commit
1 file changed · +5 3
  • drivers/pinctrl/pinctrl-k230.c+5 3 modified
    diff --git a/drivers/pinctrl/pinctrl-k230.c b/drivers/pinctrl/pinctrl-k230.c
index d716f23d837f7..20f7c0f70eb77 100644
--- a/drivers/pinctrl/pinctrl-k230.c
+++ b/drivers/pinctrl/pinctrl-k230.c
@@ -65,6 +65,7 @@ struct k230_pmx_func {
 };
 
 struct k230_pinctrl {
+	struct device		*dev;
 	struct pinctrl_desc	pctl;
 	struct pinctrl_dev	*pctl_dev;
 	struct regmap		*regmap_base;
@@ -470,7 +471,7 @@ static int k230_pinctrl_parse_groups(struct device_node *np,
 				     struct k230_pinctrl *info,
 				     unsigned int index)
 {
-	struct device *dev = info->pctl_dev->dev;
+	struct device *dev = info->dev;
 	const __be32 *list;
 	int size, i, ret;
 
@@ -511,7 +512,7 @@ static int k230_pinctrl_parse_functions(struct device_node *np,
 					struct k230_pinctrl *info,
 					unsigned int index)
 {
-	struct device *dev = info->pctl_dev->dev;
+	struct device *dev = info->dev;
 	struct k230_pmx_func *func;
 	struct k230_pin_group *grp;
 	static unsigned int idx, i;
@@ -596,6 +597,8 @@ static int k230_pinctrl_probe(struct platform_device *pdev)
 	if (!info)
 		return -ENOMEM;
 
+	info->dev = dev;
+
 	pctl = &info->pctl;
 
 	pctl->name	= "k230-pinctrl";
-- 
cgit 1.3-korg

Vulnerability mechanics

Root cause

"The k230 pinctrl driver attempts to dereference an uninitialized device pointer during devicetree parsing."

Attack vector

When the k230 pinctrl driver is probed, the kernel attempts to access a device pointer via `info->pctl_dev->dev`. However, `info->pctl_dev` is not yet initialized at this stage of the devicetree parsing process. This leads to a NULL pointer dereference, causing a kernel crash [patch_id=4686542].

Affected code

The vulnerability exists in the `drivers/pinctrl/pinctrl-k230.c` file. Specifically, the `k230_pinctrl_probe` function initializes the `info->dev` pointer. The functions `k230_pinctrl_parse_groups` and `k230_pinctrl_parse_functions` were incorrectly attempting to access the device pointer through `info->pctl_dev->dev`, which could be NULL.

What the fix does

The patch introduces a new member `dev` to the `struct k230_pinctrl` and initializes it with the `platform_device`'s device pointer during the probe function. Subsequently, the `k230_pinctrl_parse_groups` and `k230_pinctrl_parse_functions` functions now use this correctly initialized `info->dev` pointer instead of the uninitialized `info->pctl_dev->dev`. This resolves the NULL pointer dereference by ensuring the device pointer is valid when accessed [patch_id=4686542].

Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

1