CVE-2026-45874: Linux Kernel NULL Pointer Vulnerability

CVE-2026-45874 is a NULL pointer dereference flaw in the Linux kernel's Freescale i.MX8QM HSIO PHY driver that can cause system crashes. This article covers the technical details, affected versions, and mitigation strategies.

CVE-2026-45874 Overview

CVE-2026-45874 is a NULL pointer dereference vulnerability in the Linux kernel's Freescale imx8qm-hsio PHY driver. The flaw occurs during PHY clock pad configuration when the fsl,refclk-pad-mode device tree property is missing. In that case, the probe routine leaves the refclk_pad pointer set to NULL, but imx_hsio_configure_clk_pad() dereferences it unconditionally. The result is a kernel-mode NULL pointer dereference that can crash the affected subsystem or the kernel itself.

Critical Impact

Local triggering of the unchecked pointer dereference can cause a kernel oops or panic on i.MX8QM-based systems, leading to denial of service on the affected hardware platform.

Affected Products

  • Linux kernel branches containing the Freescale phy-fsl-imx8qm-hsio driver
  • NXP i.MX8QM-based platforms relying on the High-Speed I/O PHY driver
  • Downstream distributions shipping vulnerable stable kernel revisions prior to the referenced fix commits

Discovery Timeline

  • 2026-05-27 - CVE-2026-45874 published to NVD
  • 2026-05-27 - Last updated in NVD database

Technical Details for CVE-2026-45874

Vulnerability Analysis

The vulnerability resides in the Freescale i.MX8QM High-Speed I/O (HSIO) PHY driver located under drivers/phy/freescale/. The driver supports PCIe and SATA PHY initialization for NXP i.MX8QM SoCs and reads several device tree properties during probe to populate its internal state.

When the optional fsl,refclk-pad-mode property is absent from the device tree node, the probe path skips initialization of the refclk_pad pointer, leaving it as NULL. A later configuration routine, imx_hsio_configure_clk_pad(), accesses members through this pointer without first validating it. Dereferencing the NULL pointer in kernel context generates an oops and can halt the affected subsystem.

This class of defect is tracked as a NULL Pointer Dereference [CWE-476]. The fix adds an explicit NULL check before any use of refclk_pad inside imx_hsio_configure_clk_pad().

Root Cause

The root cause is an implicit assumption that all relevant device tree properties are present. The probe logic treats fsl,refclk-pad-mode as optional, but its consumer treats the resulting pointer as mandatory. This mismatch between optional initialization and unconditional consumption produces the dereference.

Attack Vector

Triggering requires loading the vulnerable driver on hardware whose device tree omits fsl,refclk-pad-mode. Exploitation is therefore constrained to local conditions involving control over kernel configuration, device tree, or driver invocation on i.MX8QM platforms. The impact is denial of service rather than code execution or privilege escalation.

No verified public exploit code is available. For implementation specifics, see the upstream fixes: kernel.org commit 4dd5d4c0361a, kernel.org commit 8d29e81e9cde, kernel.org commit a771b386cb6c, and kernel.org commit dd8b9ba3d970.

Detection Methods for CVE-2026-45874

Indicators of Compromise

  • Kernel oops or panic messages referencing imx_hsio_configure_clk_pad in dmesg or persisted kernel logs
  • Repeated PHY initialization failures on i.MX8QM systems after driver load
  • Unexpected reboots or watchdog resets correlated with PCIe or SATA bring-up on affected hardware

Detection Strategies

  • Audit deployed kernels on i.MX8QM hardware for the presence of the phy-fsl-imx8qm-hsio module and verify whether the upstream fix commits are included.
  • Inspect device tree blobs (.dtb) for absence of the fsl,refclk-pad-mode property in nodes binding to the HSIO PHY driver.
  • Correlate kernel crash dumps with the call path imx_hsio_configure_clk_pad() to identify in-field occurrences.
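
Added example (not part of the original advisory or of the kernel tree): a script for the device tree inspection described above, listing enabled HSIO PHY nodes that lack fsl,refclk-pad-mode. It assumes the nodes use the compatible string fsl,imx8qm-hsio, which this page does not state; the function names and the sample tree are constructed for illustration.

```bash
# In /sys/firmware/devicetree/base every node is a directory and every
# property is a file named after the property, so absence is a missing file.
PROP='fsl,refclk-pad-mode'
COMPAT_DEFAULT='fsl,imx8qm-hsio'   # assumption: the driver's compatible string

# True if the node is enabled: no status property, or status "okay"/"ok".
node_enabled() {
    [ ! -f "$1/status" ] || tr -d '\0' < "$1/status" | grep -qxE 'okay|ok'
}

# Print each enabled node under $1 whose compatible list contains $2
# (default above) and which has no $PROP property.
hsio_nodes_missing_padmode() {
    find "$1" -type f -name compatible | sort | while IFS= read -r f; do
        node=$(dirname "$f")
        # compatible is a NUL-separated string list; match one entry exactly
        tr '\0' '\n' < "$f" | grep -qxF -- "${2:-$COMPAT_DEFAULT}" || continue
        node_enabled "$node" || continue
        [ -e "$node/$PROP" ] || printf '%s\n' "$node"
    done
}

# Constructed sample tree (not from a real board) so the check runs offline.
build_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/bus/phy@1" "$t/bus/phy@2" "$t/bus/phy@3" "$t/bus/serial@4"
    printf 'fsl,imx8qm-hsio\0' > "$t/bus/phy@1/compatible"   # property missing
    printf 'fsl,imx8qm-hsio\0' > "$t/bus/phy@2/compatible"
    printf 'output\0' > "$t/bus/phy@2/$PROP"                  # constructed value
    printf 'fsl,imx8qm-hsio\0' > "$t/bus/phy@3/compatible"
    printf 'disabled\0' > "$t/bus/phy@3/status"               # never probed
    printf 'vendor,other-device\0' > "$t/bus/serial@4/compatible"
    printf '%s\n' "$t"
}

# Use the live tree when present, otherwise the constructed sample.
root=/sys/firmware/devicetree/base
[ -d "$root" ] || root=$(build_sample_tree)
hsio_nodes_missing_padmode "$root"
```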

Monitoring Recommendations

  • Forward kernel ring buffer events and crash artifacts from embedded Linux fleets to a centralized log platform.
  • Alert on repeated PHY subsystem faults or NULL pointer oops signatures originating from drivers/phy/freescale/.
  • Track stable kernel release adoption to confirm patched builds are deployed on i.MX8QM devices.

How to Mitigate CVE-2026-45874

Immediate Actions Required

  • Update affected Linux kernels to a stable release containing the referenced fix commits.
  • Where patching is not yet feasible, ensure device trees for i.MX8QM platforms explicitly define the fsl,refclk-pad-mode property to avoid the NULL path.
  • Restrict the ability of untrusted users to load or rebind kernel modules on affected systems.

Patch Information

The upstream Linux kernel resolves the issue by adding a NULL check on refclk_pad before use in imx_hsio_configure_clk_pad(). Apply the fixes from kernel.org commit 4dd5d4c0361a, kernel.org commit 8d29e81e9cde, kernel.org commit a771b386cb6c, and kernel.org commit dd8b9ba3d970, or upgrade to a stable kernel release that incorporates them.

Workarounds

  • Add the fsl,refclk-pad-mode property to the relevant HSIO PHY device tree node so the pointer is initialized during probe.
  • Disable or blacklist the phy-fsl-imx8qm-hsio driver on systems that do not require PCIe or SATA PHY functionality on i.MX8QM.
  • Limit access to physical or administrative interfaces that allow loading or reconfiguring kernel modules.

```bash
# Verify whether the running kernel includes the imx8qm-hsio PHY driver
modinfo phy-fsl-imx8qm-hsio 2>/dev/null | grep -E 'filename|version'

# Check the active device tree for the relevant property
# (properties appear as file names under this path, so match on name, not content)
find /sys/firmware/devicetree/base/ -name 'fsl,refclk-pad-mode' 2>/dev/null

# Inspect kernel logs for related oops signatures
dmesg | grep -i 'imx_hsio\|refclk_pad\|NULL pointer'
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.