CVE-2026-46257 Overview
CVE-2026-46257 is a Linux kernel vulnerability in the SP804 timer driver (clocksource/drivers/timer-sp804). The flaw causes a kernel Oops on ARM32 platforms when read_current_timer is invoked and the SP804 is not registered as the sched_clock. The delay timer shares a clkevt instance with sched_clock, and when sp804_clocksource_and_sched_clock_init runs without use_sched_clock set, the shared structure remains uninitialized. The subsequent dereference of sched_clkevt->value triggers a kernel crash.
Critical Impact
Local triggering of read_current_timer on affected ARM32 platforms produces a kernel Oops, resulting in denial of service for the affected system.
Affected Products
- Linux kernel builds including the timer-sp804 clocksource driver
- ARM32 platforms using SP804 hardware where SP804 is not selected as sched_clock
- Kernel branches prior to the fixes referenced in the stable git commits
Discovery Timeline
- 2026-06-03 - CVE-2026-46257 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-46257
Vulnerability Analysis
The SP804 driver in the Linux kernel manages dual timer hardware commonly used on ARM32 platforms. The driver exposes both a delay timer and an optional sched_clock source. Both functions historically share a single sched_clkevt structure to track timer state.
When sp804_clocksource_and_sched_clock_init executes with the use_sched_clock parameter unset, the sched_clkevt pointer is never assigned a backing instance. The function sp804_register_delay_timer, however, runs unconditionally during initialization. Any later call to read_current_timer reaches sp804_read, which dereferences sched_clkevt->value and faults on the null or uninitialized pointer. The resulting kernel Oops halts the offending context and can destabilize the system.
Root Cause
The root cause is a null pointer dereference [CWE-476] arising from shared state between two logically independent timer consumers. The delay timer relied on initialization performed only when sched_clock registration occurred. Conditional initialization combined with unconditional registration produced a reachable uninitialized read path.
Attack Vector
The vulnerability is triggered locally through normal kernel execution paths that invoke read_current_timer on affected ARM32 hardware configurations. No network vector or authentication bypass is involved. Impact is limited to availability on systems running vulnerable kernels with SP804 hardware where SP804 is not chosen as the scheduler clock source.
The upstream fix declares a dedicated clkevt instance exclusively for the delay timer. This decouples delay timer state from sched_clock registration and ensures read_current_timer operates correctly regardless of whether SP804 is selected as sched_clock. See the Kernel Git Commit Log and the follow-up commit for the patch details.
Detection Methods for CVE-2026-46257
Indicators of Compromise
- Kernel Oops messages referencing sp804_read or read_current_timer in dmesg or serial console output
- Unexpected kernel panics or task hangs on ARM32 boards using SP804 timer hardware
- Crash backtraces involving sp804_register_delay_timer followed by null pointer dereference faults
Detection Strategies
- Inventory ARM32 systems running kernels built with CONFIG_ARM_TIMER_SP804 and verify whether SP804 is selected as sched_clock
- Compare the running kernel version against the stable commit hashes 693b0b594b0f and 694921a93f3e to confirm patch inclusion
- Review boot logs for SP804 initialization sequences without use_sched_clock to identify exposed configurations
Monitoring Recommendations
- Centralize kernel logs from ARM32 deployments and alert on Oops or panic events referencing SP804 symbols
- Track kernel version drift across embedded fleets to surface unpatched hosts
- Monitor system availability metrics for the affected device classes to detect crash-induced reboots
How to Mitigate CVE-2026-46257
Immediate Actions Required
- Apply the upstream kernel fixes referenced in commits 693b0b594b0f and 694921a93f3e from the stable tree
- Rebuild and redeploy kernels for ARM32 platforms that use SP804 hardware
- Restrict physical and administrative access to systems pending patch deployment to reduce exposure to local denial of service
Patch Information
The fix introduces a dedicated clkevt instance for the SP804 delay timer, removing the shared dependency with sched_clock. Patches are available through the Linux stable kernel tree. Refer to the primary fix commit and the related commit for backporting guidance.
Workarounds
- Where feasible, configure the kernel to register SP804 as the sched_clock so the shared sched_clkevt instance is initialized
- Disable the SP804 delay timer path on platforms that can rely on an alternate delay timer source
- Prioritize kernel updates on affected embedded hardware rather than relying on configuration workarounds
# Verify whether the running kernel contains the SP804 fix
uname -r
zcat /proc/config.gz | grep -i sp804
dmesg | grep -i sp804
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
