Unrated severityNVD Advisory· Published Jun 8, 2026

CVE-2026-46313

Description

Linux kernel's Intel IPU6 driver has an error pointer dereference vulnerability in its probe function, potentially leading to a crash.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Linux kernel's Intel IPU6 driver has an error pointer dereference vulnerability in its probe function, potentially leading to a crash.

Vulnerability

In the Linux kernel, the ipu6_pci_probe function within the drivers/media/pci/intel/ipu6/ipu6.c file has an error pointer dereference vulnerability. In an error path, isp->psys is confirmed to be an error pointer but not NULL, leading to its dereferencing before being set to NULL. This affects versions of the Linux kernel where this code path exists.

Exploitation

An attacker would need to trigger the error path during the probing of the IPU6 device. This typically requires physical access or specific driver loading conditions to manipulate the system state such that the isp->psys pointer is an error pointer when checked. The exact conditions for triggering this error path are not detailed in the available references.

Impact

Successful exploitation of this vulnerability would result in a kernel crash due to the dereferencing of an invalid error pointer. This denial-of-service condition would make the affected system unstable or inaccessible.

Mitigation

This vulnerability has been resolved by setting isp->psys to NULL before calling out_ipu6_bus_del_devices in the error path. The fix is available in the Linux kernel via commit fad134c446189e9bb48cea1a5ca426d2889a9c71 [1]. Specific patched kernel versions and release dates are not detailed in the available references.

References

Making sure you're not a bot!

AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Google/Android SDKinferred
Linux/Kernelllm-fuzzy

Patches

fad134c44618

media: intel/ipu6: fix error pointer dereference

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitEthan TidmoreFixed in 6.12.90via kernel-cna

commit

1 file changed · +1 −2

drivers/media/pci/intel/ipu6/ipu6.c+1 −2 modified

diff --git a/drivers/media/pci/intel/ipu6/ipu6.c b/drivers/media/pci/intel/ipu6/ipu6.c
index 5352219c019c9..40566b652b2de 100644
--- a/drivers/media/pci/intel/ipu6/ipu6.c
+++ b/drivers/media/pci/intel/ipu6/ipu6.c
@@ -685,7 +685,7 @@ out_free_irq:
 out_ipu6_rpm_put:
 	pm_runtime_put_sync(&isp->psys->auxdev.dev);
 out_ipu6_bus_del_devices:
-	if (isp->psys) {
+	if (!IS_ERR_OR_NULL(isp->psys)) {
 		ipu6_cpd_free_pkg_dir(isp->psys);
 		ipu6_buttress_unmap_fw_image(isp->psys, &isp->psys->fw_sgt);
 	}
-- 
cgit 1.3-korg

c352f90e093a

media: intel/ipu6: fix error pointer dereference

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitEthan TidmoreFixed in 7.0.9via kernel-cna

commit

1 file changed · +1 −2

drivers/media/pci/intel/ipu6/ipu6.c+1 −2 modified

diff --git a/drivers/media/pci/intel/ipu6/ipu6.c b/drivers/media/pci/intel/ipu6/ipu6.c
index 34f67f4f1bb56..d033d46181692 100644
--- a/drivers/media/pci/intel/ipu6/ipu6.c
+++ b/drivers/media/pci/intel/ipu6/ipu6.c
@@ -686,7 +686,7 @@ out_free_irq:
 out_ipu6_rpm_put:
 	pm_runtime_put_sync(&isp->psys->auxdev.dev);
 out_ipu6_bus_del_devices:
-	if (isp->psys) {
+	if (!IS_ERR_OR_NULL(isp->psys)) {
 		ipu6_cpd_free_pkg_dir(isp->psys);
 		ipu6_buttress_unmap_fw_image(isp->psys, &isp->psys->fw_sgt);
 	}
-- 
cgit 1.3-korg

f43e30646fc9

media: intel/ipu6: fix error pointer dereference

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitEthan TidmoreFixed in 6.18.32via kernel-cna

commit

1 file changed · +1 −2

drivers/media/pci/intel/ipu6/ipu6.c+1 −2 modified

diff --git a/drivers/media/pci/intel/ipu6/ipu6.c b/drivers/media/pci/intel/ipu6/ipu6.c
index a2768f44017a5..fab7783c664b9 100644
--- a/drivers/media/pci/intel/ipu6/ipu6.c
+++ b/drivers/media/pci/intel/ipu6/ipu6.c
@@ -686,7 +686,7 @@ out_free_irq:
 out_ipu6_rpm_put:
 	pm_runtime_put_sync(&isp->psys->auxdev.dev);
 out_ipu6_bus_del_devices:
-	if (isp->psys) {
+	if (!IS_ERR_OR_NULL(isp->psys)) {
 		ipu6_cpd_free_pkg_dir(isp->psys);
 		ipu6_buttress_unmap_fw_image(isp->psys, &isp->psys->fw_sgt);
 	}
-- 
cgit 1.3-korg

8dd088b8b106

media: intel/ipu6: fix error pointer dereference

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitEthan TidmoreFixed in 7.1-rc1via kernel-cna

commit

1 file changed · +1 −2

drivers/media/pci/intel/ipu6/ipu6.c+1 −2 modified

diff --git a/drivers/media/pci/intel/ipu6/ipu6.c b/drivers/media/pci/intel/ipu6/ipu6.c
index 34f67f4f1bb56..d033d46181692 100644
--- a/drivers/media/pci/intel/ipu6/ipu6.c
+++ b/drivers/media/pci/intel/ipu6/ipu6.c
@@ -686,7 +686,7 @@ out_free_irq:
 out_ipu6_rpm_put:
 	pm_runtime_put_sync(&isp->psys->auxdev.dev);
 out_ipu6_bus_del_devices:
-	if (isp->psys) {
+	if (!IS_ERR_OR_NULL(isp->psys)) {
 		ipu6_cpd_free_pkg_dir(isp->psys);
 		ipu6_buttress_unmap_fw_image(isp->psys, &isp->psys->fw_sgt);
 	}
-- 
cgit 1.3-korg

c352f90e093a

media: intel/ipu6: fix error pointer dereference

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitEthan Tidmorevia nvd-ref

commit

1 file changed · +1 −2

drivers/media/pci/intel/ipu6/ipu6.c+1 −2 modified

diff --git a/drivers/media/pci/intel/ipu6/ipu6.c b/drivers/media/pci/intel/ipu6/ipu6.c
index 34f67f4f1bb56..d033d46181692 100644
--- a/drivers/media/pci/intel/ipu6/ipu6.c
+++ b/drivers/media/pci/intel/ipu6/ipu6.c
@@ -686,7 +686,7 @@ out_free_irq:
 out_ipu6_rpm_put:
 	pm_runtime_put_sync(&isp->psys->auxdev.dev);
 out_ipu6_bus_del_devices:
-	if (isp->psys) {
+	if (!IS_ERR_OR_NULL(isp->psys)) {
 		ipu6_cpd_free_pkg_dir(isp->psys);
 		ipu6_buttress_unmap_fw_image(isp->psys, &isp->psys->fw_sgt);
 	}
-- 
cgit 1.3-korg

f43e30646fc9

media: intel/ipu6: fix error pointer dereference

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitEthan Tidmorevia nvd-ref

commit

1 file changed · +1 −2

drivers/media/pci/intel/ipu6/ipu6.c+1 −2 modified

diff --git a/drivers/media/pci/intel/ipu6/ipu6.c b/drivers/media/pci/intel/ipu6/ipu6.c
index a2768f44017a5..fab7783c664b9 100644
--- a/drivers/media/pci/intel/ipu6/ipu6.c
+++ b/drivers/media/pci/intel/ipu6/ipu6.c
@@ -686,7 +686,7 @@ out_free_irq:
 out_ipu6_rpm_put:
 	pm_runtime_put_sync(&isp->psys->auxdev.dev);
 out_ipu6_bus_del_devices:
-	if (isp->psys) {
+	if (!IS_ERR_OR_NULL(isp->psys)) {
 		ipu6_cpd_free_pkg_dir(isp->psys);
 		ipu6_buttress_unmap_fw_image(isp->psys, &isp->psys->fw_sgt);
 	}
-- 
cgit 1.3-korg

fad134c44618

media: intel/ipu6: fix error pointer dereference

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitEthan Tidmorevia nvd-ref

commit

1 file changed · +1 −2

drivers/media/pci/intel/ipu6/ipu6.c+1 −2 modified

diff --git a/drivers/media/pci/intel/ipu6/ipu6.c b/drivers/media/pci/intel/ipu6/ipu6.c
index 5352219c019c9..40566b652b2de 100644
--- a/drivers/media/pci/intel/ipu6/ipu6.c
+++ b/drivers/media/pci/intel/ipu6/ipu6.c
@@ -685,7 +685,7 @@ out_free_irq:
 out_ipu6_rpm_put:
 	pm_runtime_put_sync(&isp->psys->auxdev.dev);
 out_ipu6_bus_del_devices:
-	if (isp->psys) {
+	if (!IS_ERR_OR_NULL(isp->psys)) {
 		ipu6_cpd_free_pkg_dir(isp->psys);
 		ipu6_buttress_unmap_fw_image(isp->psys, &isp->psys->fw_sgt);
 	}
-- 
cgit 1.3-korg

8dd088b8b106

media: intel/ipu6: fix error pointer dereference

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitEthan Tidmorevia nvd-ref

commit

1 file changed · +1 −2

drivers/media/pci/intel/ipu6/ipu6.c+1 −2 modified

diff --git a/drivers/media/pci/intel/ipu6/ipu6.c b/drivers/media/pci/intel/ipu6/ipu6.c
index 34f67f4f1bb56..d033d46181692 100644
--- a/drivers/media/pci/intel/ipu6/ipu6.c
+++ b/drivers/media/pci/intel/ipu6/ipu6.c
@@ -686,7 +686,7 @@ out_free_irq:
 out_ipu6_rpm_put:
 	pm_runtime_put_sync(&isp->psys->auxdev.dev);
 out_ipu6_bus_del_devices:
-	if (isp->psys) {
+	if (!IS_ERR_OR_NULL(isp->psys)) {
 		ipu6_cpd_free_pkg_dir(isp->psys);
 		ipu6_buttress_unmap_fw_image(isp->psys, &isp->psys->fw_sgt);
 	}
-- 
cgit 1.3-korg

Vulnerability mechanics

Root cause

"The code dereferences an error pointer when handling an error path in the intel/ipu6 driver."

Attack vector

An attacker could trigger this vulnerability by causing an error during the probe of the IPU6 PCI device. This error condition leads to the dereferencing of an error pointer, specifically `isp->psys`, before it is properly handled. The vulnerability is present in the `ipu6_pci_probe` function within the `drivers/media/pci/intel/ipu6/ipu6.c` file [patch_id=5239702].

Affected code

The vulnerability exists in the `ipu6_pci_probe` function within the file `drivers/media/pci/intel/ipu6/ipu6.c`. Specifically, the error handling path at `out_ipu6_bus_del_devices` was found to dereference an error pointer `isp->psys` [patch_id=5239702].

What the fix does

The patch modifies the conditional check before calling `ipu6_cpd_free_pkg_dir` and `ipu6_buttress_unmap_fw_image` in the `out_ipu6_bus_del_devices` error handling path. Previously, it checked `if (isp->psys)`, which could be an error pointer. The fix changes this to `if (!IS_ERR_OR_NULL(isp->psys))`, ensuring that these functions are only called if `isp->psys` is a valid pointer and not an error code [patch_id=5239702]. This prevents the dereferencing of an error pointer.

Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

News mentions

Google Android SDK: 10 Linux Kernel Vulnerabilities Disclosed Together
Vypr Intelligence · Jun 8, 2026
Linux Kernel: 25 Vulnerabilities Disclosed in Single Batch on June 8, 2026
Vypr Intelligence · Jun 8, 2026

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000