VYPR
← All advisories
Unrated severityNVD Advisory· Published Jun 8, 2026

CVE-2026-46284

CVE-2026-46284

Description

Linux kernel bug allows early boot crash if hugepage parameters lack an equals sign.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Linux kernel bug allows early boot crash if hugepage parameters lack an equals sign.

Vulnerability

In the Linux kernel, the mm/hugetlb subsystem is vulnerable if the kernel command line parameters hugepages, hugepagesz, or default_hugepagesz are specified without an equals sign (=). This causes hugetlb_add_param() to receive a NULL value, which is then dereferenced by strlen(), leading to a system crash during early boot. This issue affects versions prior to the fix [1].

Exploitation

An attacker with the ability to influence the kernel command line parameters during early boot can trigger this vulnerability. This typically requires physical access or a bootloader compromise. The attacker would need to boot the system with a command line argument like hugepages=, hugepagesz=, or default_hugepagesz= without a value following the equals sign.

Impact

Successful exploitation of this vulnerability results in a denial-of-service condition, causing the system to crash during the early boot process. This prevents the operating system from starting up correctly, rendering the system unusable.

Mitigation

The vulnerability has been resolved in the Linux kernel. The fix involves rejecting NULL values in hugetlb_add_param() and returning an error code. The specific fixed version and release date are not detailed in the provided references, but the patch is available via the provided git link [1]. No workarounds are described, and the system is considered vulnerable until patched.

References
  1. Making sure you're not a bot!

AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

6
2774bcf71473

mm/hugetlb: fix early boot crash on parameters without '=' separator

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitThorsten BlumFixed in 6.18.27via kernel-cna
commit
1 file changed · +3 1
  • mm/hugetlb.c+3 1 modified
    diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index 13293976e0568..ba563307278db 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -4787,6 +4787,9 @@ static __init int hugetlb_add_param(char *s, int (*setup)(char *))
 	size_t len;
 	char *p;
 
+	if (!s)
+		return -EINVAL;
+
 	if (hugetlb_param_index >= HUGE_MAX_CMDLINE_ARGS)
 		return -EINVAL;
 
-- 
cgit 1.3-korg
357c6d084b61

mm/hugetlb: fix early boot crash on parameters without '=' separator

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitThorsten BlumFixed in 7.0.4via kernel-cna
commit
1 file changed · +3 1
  • mm/hugetlb.c+3 1 modified
    diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index 327eaa4074d39..9fda39132d26c 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -4252,6 +4252,9 @@ static __init int hugetlb_add_param(char *s, int (*setup)(char *))
 	size_t len;
 	char *p;
 
+	if (!s)
+		return -EINVAL;
+
 	if (hugetlb_param_index >= HUGE_MAX_CMDLINE_ARGS)
 		return -EINVAL;
 
-- 
cgit 1.3-korg
c45b354911d0

mm/hugetlb: fix early boot crash on parameters without '=' separator

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitThorsten BlumFixed in 7.1-rc1via kernel-cna
commit
1 file changed · +3 1
  • mm/hugetlb.c+3 1 modified
    diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index 88009cd2a846c..e8024574a2d4b 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -4226,6 +4226,9 @@ static __init int hugetlb_add_param(char *s, int (*setup)(char *))
 	size_t len;
 	char *p;
 
+	if (!s)
+		return -EINVAL;
+
 	if (hugetlb_param_index >= HUGE_MAX_CMDLINE_ARGS)
 		return -EINVAL;
 
-- 
cgit 1.3-korg
357c6d084b61

mm/hugetlb: fix early boot crash on parameters without '=' separator

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitThorsten Blumvia nvd-ref
commit
1 file changed · +3 1
  • mm/hugetlb.c+3 1 modified
    diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index 327eaa4074d39..9fda39132d26c 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -4252,6 +4252,9 @@ static __init int hugetlb_add_param(char *s, int (*setup)(char *))
 	size_t len;
 	char *p;
 
+	if (!s)
+		return -EINVAL;
+
 	if (hugetlb_param_index >= HUGE_MAX_CMDLINE_ARGS)
 		return -EINVAL;
 
-- 
cgit 1.3-korg
2774bcf71473

mm/hugetlb: fix early boot crash on parameters without '=' separator

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitThorsten Blumvia nvd-ref
commit
1 file changed · +3 1
  • mm/hugetlb.c+3 1 modified
    diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index 13293976e0568..ba563307278db 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -4787,6 +4787,9 @@ static __init int hugetlb_add_param(char *s, int (*setup)(char *))
 	size_t len;
 	char *p;
 
+	if (!s)
+		return -EINVAL;
+
 	if (hugetlb_param_index >= HUGE_MAX_CMDLINE_ARGS)
 		return -EINVAL;
 
-- 
cgit 1.3-korg
c45b354911d0

mm/hugetlb: fix early boot crash on parameters without '=' separator

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitThorsten Blumvia nvd-ref
commit
1 file changed · +3 1
  • mm/hugetlb.c+3 1 modified
    diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index 88009cd2a846c..e8024574a2d4b 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -4226,6 +4226,9 @@ static __init int hugetlb_add_param(char *s, int (*setup)(char *))
 	size_t len;
 	char *p;
 
+	if (!s)
+		return -EINVAL;
+
 	if (hugetlb_param_index >= HUGE_MAX_CMDLINE_ARGS)
 		return -EINVAL;
 
-- 
cgit 1.3-korg

Vulnerability mechanics

Root cause

"The kernel command line parameter parsing mishandles parameters without an '=' separator, passing NULL to a function that dereferences it."

Attack vector

An attacker can trigger this vulnerability by providing kernel command line arguments for hugepages, hugepagesz, or default_hugepagesz without the '=' separator. For example, specifying `hugepages=1M` instead of `hugepages=1M`. This malformed input causes the early parameter parsing to pass a NULL pointer to the `hugetlb_add_param` function. The subsequent dereferencing of this NULL pointer in `strlen` leads to a system crash during early boot [patch_id=5239470].

Affected code

The vulnerability resides in the `hugetlb_add_param` function within the `mm/hugetlb.c` file. Specifically, the issue occurs when this function is called with a NULL argument `s` due to incorrect parsing of kernel command line parameters that lack an '=' separator. The patch modifies this function to add a NULL check for `s`.

What the fix does

The patch introduces a check at the beginning of the `hugetlb_add_param` function to verify if the input string `s` is NULL. If `s` is NULL, the function now returns -EINVAL, preventing the NULL pointer dereference. This change ensures that malformed kernel command line parameters do not cause a system crash during early boot [patch_id=5239470].

Preconditions

  • inputKernel command line parameters for hugepages, hugepagesz, or default_hugepagesz are specified without an '=' separator.

Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.