CVE-2026-43356 Overview
CVE-2026-43356 is a NULL pointer dereference vulnerability in the Linux kernel's Industrial I/O (IIO) Inertial Measurement Unit (IMU) Analog Devices Inertial Sensor (ADIS) driver. The flaw resides in the adis_init() function, which dereferences adis->ops to check individual function pointers without first verifying that adis->ops itself is non-NULL. Drivers such as adis16480, adis16490, and adis16545 do not assign custom ops and rely on adis_init() to populate defaults, triggering a kernel crash during probe. Successful triggering causes a denial of service through kernel oops.
Critical Impact
A local low-privileged user loading or probing affected ADIS IMU drivers can trigger a kernel NULL pointer dereference, leading to denial of service through a kernel crash [CWE-476].
Affected Products
- Linux Kernel 7.0-rc1
- Linux Kernel 7.0-rc2
- Linux Kernel 7.0-rc3
Discovery Timeline
- 2026-05-08 - CVE-2026-43356 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43356
Vulnerability Analysis
The vulnerability exists in the adis_init() function within drivers/iio/imu/adis.c. The function attempts to validate caller-supplied operations by accessing adis->ops->write, adis->ops->read, and adis->ops->reset. The check assumes adis->ops is a valid pointer, but the calling driver may leave it unset.
Several ADIS-family drivers, including adis16480, adis16490, and adis16545, do not provide a custom ops structure. They depend on adis_init() substituting default operations. Because struct adis is zero-initialized through devm_iio_device_alloc(), the ops pointer is NULL when adis_init() runs.
Dereferencing the NULL pointer produces a kernel oops with the call trace adis_init+0xc0/0x118 invoked from adis16480_probe+0xe0/0x670. The result is a kernel-side denial of service affecting availability of the system using the driver.
Root Cause
The root cause is missing NULL validation on a structure pointer before member access. The defensive logic intended to fall back to default operations executes the fallback path only after dereferencing adis->ops, inverting the required order of checks [CWE-476].
Attack Vector
Exploitation requires local access and the ability to load or probe an affected ADIS IIO driver. The condition triggers automatically during device probe on systems with the affected hardware, or when a privileged user triggers driver loading. The impact is limited to availability — confidentiality and integrity are not affected.
No synthetic exploitation code is provided. Refer to the upstream commits in the vendor advisory references for the exact code path.
Detection Methods for CVE-2026-43356
Indicators of Compromise
- Kernel oops messages referencing adis_init+0xc0/0x118 in dmesg or /var/log/kern.log.
- Call traces showing adis16480_probe, adis16490_probe, or adis16545_probe immediately preceding the fault.
- Unexpected device probe failures or boot-time kernel panics on systems using Analog Devices ADIS IMU hardware.
Detection Strategies
- Inventory Linux hosts running kernel versions 7.0-rc1 through 7.0-rc3 and identify any using the iio_imu_adis module family.
- Monitor kernel ring buffer output for NULL pointer dereference at virtual address 0000000000000000 paired with the adis_init symbol.
- Correlate driver load events with subsequent kernel fault signatures in centralized logging.
Monitoring Recommendations
- Forward kmsg and journald kernel facility entries to a centralized SIEM for fault-signature alerting.
- Track modprobe and insmod events for adis* modules and flag those followed by kernel oops messages.
- Maintain crash dump collection (kdump) on systems running affected release-candidate kernels to capture forensic state if a panic occurs.
How to Mitigate CVE-2026-43356
Immediate Actions Required
- Upgrade the Linux kernel to a stable release containing the upstream fix referenced in the kernel.org commits.
- Avoid deploying release-candidate kernels (7.0-rc1 through 7.0-rc3) on production systems using Analog Devices ADIS IMU hardware.
- Blacklist the affected adis* modules on systems that do not require them until patches are applied.
Patch Information
The fix adds a NULL check on adis->ops before dereferencing the structure, allowing the function to fall through to default operation assignment when no custom ops are supplied. The patch is available in the following upstream commits: Kernel commit 1a48f94c, Kernel commit 9990cd4f, and Kernel commit ba19dd36.
Workarounds
- Prevent automatic loading of the affected drivers by adding blacklist adis16480, blacklist adis16490, and blacklist adis16545 to /etc/modprobe.d/.
- Restrict module loading privileges by setting kernel.modules_disabled=1 after boot on systems that do not require runtime module loading.
- Roll back to a stable kernel branch unaffected by the regression until the patch lands in your distribution.
# Blacklist affected ADIS IMU modules until patched kernel is deployed
echo "blacklist adis16480" | sudo tee /etc/modprobe.d/cve-2026-43356.conf
echo "blacklist adis16490" | sudo tee -a /etc/modprobe.d/cve-2026-43356.conf
echo "blacklist adis16545" | sudo tee -a /etc/modprobe.d/cve-2026-43356.conf
sudo update-initramfs -u
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
