CVE-2026-43335 Overview
CVE-2026-43335 is a NULL pointer dereference vulnerability in the Linux kernel's Qualcomm SM8450 interconnect driver. The flaw resides in the icc_link_nodes() function within interconnect/qcom/sm8450. A change to dynamic IDs for SM8450 platform interconnects left two links unconverted, causing the kernel to dereference an invalid destination interconnect pointer at runtime. The result is a kernel panic with a fatal exception during driver probe. The issue is tracked under CWE-476 (NULL Pointer Dereference) and affects multiple Linux kernel 7.0 release candidate builds.
Critical Impact
Local triggering of the defect causes a kernel panic during interconnect driver probe, resulting in denial of service on affected SM8450-based Linux systems.
Affected Products
- Linux kernel (mainline, multiple commits prior to fix)
- Linux kernel 7.0-rc1 through 7.0-rc6
- Qualcomm SM8450 platform interconnect driver (drivers/interconnect/qcom/sm8450)
Discovery Timeline
- 2026-05-08 - CVE-2026-43335 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43335
Vulnerability Analysis
The vulnerability is a NULL pointer dereference triggered during probe of the Qualcomm SM8450 interconnect driver. The kernel call trace shows the failure occurring in icc_link_nodes+0x3c/0x100, called from qcom_icc_rpmh_probe+0x1b4/0x528, which is invoked through the platform driver probe path. The faulting access at virtual address 0x0000000000000008 indicates a structure field read against a NULL base pointer. The resulting kernel oops escalates to Kernel panic - not syncing: Oops: Fatal exception, halting the affected system.
Root Cause
A refactor migrated SM8450 platform interconnects to dynamic IDs. Two link entries in the interconnect topology were not converted as part of that change. When icc_link_nodes() walks the link table and attempts to resolve the destination interconnect node, the unconverted entries return an invalid (NULL) destination pointer. Dereferencing that pointer at offset 0x8 triggers the fault. The fix, applied in commits 77d22bf3fc5d1bcdee035979b07840c9c2ece8f2 and dbbd550d7c8d90d3af9fe8a12a9caff077ddb8e3, converts the remaining link entries to use dynamic IDs.
Attack Vector
The vector is local. Exploitation requires the affected SM8450 interconnect driver to load on a vulnerable build, which occurs automatically during boot on matching hardware. There is no remote attack surface, and the impact is confined to availability. No confidentiality or integrity impact is associated with this flaw. No public exploit code, proof-of-concept, or in-the-wild exploitation has been reported.
The vulnerability does not require crafted attacker input. The faulty data resides in the driver's static link topology and triggers during normal probe. See the upstream commit for the corrected link table entries.
Detection Methods for CVE-2026-43335
Indicators of Compromise
- Kernel oops messages referencing icc_link_nodes+0x3c/0x100 and qcom_icc_rpmh_probe in dmesg or /var/log/kern.log.
- Fault address 0000000000000008 reported as an unhandled kernel NULL pointer dereference.
- Kernel panic - not syncing: Oops: Fatal exception on boot of SM8450-based devices.
Detection Strategies
- Inventory Linux kernel builds in use and flag any system running mainline 7.0-rc1 through 7.0-rc6 on Qualcomm SM8450 hardware.
- Parse boot logs for the icc_link_nodes call trace signature to identify devices that have already hit the bug.
- Track kernel package versions against the fixing commits 77d22bf3fc5d1bcdee035979b07840c9c2ece8f2 and dbbd550d7c8d90d3af9fe8a12a9caff077ddb8e3.
Monitoring Recommendations
- Collect kernel ring buffer output from fleet devices and alert on NULL pointer dereference events tied to interconnect probe.
- Monitor for unexpected reboots or boot loops on SM8450 platforms, which can indicate the panic path is being hit.
- Aggregate crash telemetry from mobile and embedded SM8450 devices to identify clusters of affected builds.
How to Mitigate CVE-2026-43335
Immediate Actions Required
- Apply the upstream Linux kernel fix containing commits 77d22bf3fc5d1bcdee035979b07840c9c2ece8f2 and dbbd550d7c8d90d3af9fe8a12a9caff077ddb8e3.
- Update affected SM8450-based systems to a kernel build that includes the converted dynamic ID link entries.
- Restrict local access on multi-user systems running unpatched kernels until the fix is deployed.
Patch Information
The fix is available upstream in the Linux kernel stable tree. Reference the kernel commit 77d22bf3 and the kernel commit dbbd550d for the corrected icc_link_nodes() topology. Rebuild and redeploy kernels for SM8450 platforms, or pull updated stable kernel packages from your distribution.
Workarounds
- Boot an earlier stable kernel that predates the dynamic ID conversion regression on SM8450.
- Disable or unbind the qcom_icc_rpmh driver where the affected interconnect is not required, accepting reduced platform functionality.
- Pin kernel updates on SM8450 fleets to versions known to include the upstream fix before broad rollout.
# Verify the running kernel and check for the fix commits
uname -r
git -C /usr/src/linux log --oneline | grep -E '77d22bf3|dbbd550d'
# Inspect dmesg for the panic signature on affected hosts
dmesg | grep -E 'icc_link_nodes|qcom_icc_rpmh_probe'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
