Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-46261

CVE-2026-46261: Linux Kernel SPI NULL Pointer Vulnerability

CVE-2026-46261 is a NULL pointer dereference flaw in the Linux kernel's SPI wpcm-fiu driver that could cause system crashes. This post covers the technical details, affected kernel versions, impact, and mitigation.

Published:

CVE-2026-46261 Overview

CVE-2026-46261 is a NULL pointer dereference vulnerability in the Linux kernel's wpcm-fiu SPI driver. The flaw resides in the wpcm_fiu_probe() function, where the return value of platform_get_resource_byname() is passed directly to resource_size() without a NULL check. When the platform resource lookup fails and returns NULL, the kernel dereferences an invalid pointer, causing a crash.

Critical Impact

Triggering the NULL pointer dereference during driver probe results in a kernel crash, leading to denial of service on affected Linux systems using the Nuvoton WPCM450 Flash Interface Unit SPI driver.

Affected Products

  • Linux kernel versions containing the spi-wpcm-fiu driver prior to the upstream fix
  • Stable kernel branches referenced in the kernel.org commits
  • Embedded systems and BMC platforms using the Nuvoton WPCM450 SoC

Discovery Timeline

  • 2026-06-03 - CVE CVE-2026-46261 published to NVD
  • 2026-06-03 - Last updated in NVD database

Technical Details for CVE-2026-46261

Vulnerability Analysis

The vulnerability exists in the wpcm_fiu_probe() function within the Nuvoton WPCM450 Flash Interface Unit (FIU) SPI controller driver. During driver initialization, the code calls platform_get_resource_byname() to retrieve a memory resource descriptor by name. The return value is then passed to resource_size() to compute the size of the memory region and assign it to fiu->memory_size.

The platform_get_resource_byname() API can legitimately return NULL when the requested named resource is not present in the device tree or platform data. The original code did not validate this return value before dereferencing it through resource_size(). A NULL pointer dereference inside kernel context produces an oops and halts the affected code path, disrupting device probing and overall system stability.

Root Cause

The root cause is missing input validation [CWE-476] on a kernel API return value. The fiu->memory_size assignment occurred before the error check for devm_ioremap_resource(), bypassing the only place where a NULL or invalid resource would have been caught. This ordering defect allowed an unchecked NULL pointer to reach resource_size().

Attack Vector

The vulnerability is reachable through the driver probe path. Local users or attackers with the ability to influence platform device registration, device tree configuration, or module loading on systems using the wpcm-fiu driver can trigger the crash. The flaw is constrained to platforms instantiating the affected SPI controller, primarily embedded and baseboard management controller environments.

The upstream fix reorders the assignment so that fiu->memory_size is set only after devm_ioremap_resource() returns successfully, ensuring the resource pointer is validated before any size computation.

Detection Methods for CVE-2026-46261

Indicators of Compromise

  • Kernel oops or panic messages referencing wpcm_fiu_probe or resource_size in dmesg and /var/log/kern.log
  • Repeated probe failures for the spi-wpcm-fiu driver during boot
  • Unexpected reboots on Nuvoton WPCM450-based hardware coinciding with SPI subsystem initialization

Detection Strategies

  • Inventory Linux kernel versions on embedded and BMC platforms and compare against the fixed commits listed on kernel.org
  • Audit kernel build configurations for CONFIG_SPI_WPCM_FIU to identify systems exposing the vulnerable code path
  • Review crash dumps and kernel ring buffers for NULL pointer dereferences originating in the SPI driver stack

Monitoring Recommendations

  • Forward kernel logs to a centralized logging platform to identify recurring oops signatures across fleets
  • Alert on driver probe failures and repeated kernel taint flags on production embedded systems
  • Track upstream stable branch updates and integrate kernel CVE feeds into vulnerability management workflows

How to Mitigate CVE-2026-46261

Immediate Actions Required

  • Update affected Linux kernels to a stable release that incorporates the upstream patches referenced in the kernel.org commits
  • Identify systems running the spi-wpcm-fiu driver and prioritize patching of BMC and embedded platforms
  • Validate device tree configurations to ensure required named resources are present for the FIU controller

Patch Information

The fix moves the fiu->memory_size assignment after the devm_ioremap_resource() error check, preventing the NULL pointer dereference. Patches are available in the following upstream commits:

Workarounds

  • Disable the spi-wpcm-fiu module by blacklisting it on systems that do not require the Nuvoton FIU controller
  • Rebuild custom kernels without CONFIG_SPI_WPCM_FIU where the driver is unnecessary
  • Restrict local access to systems running unpatched kernels until updates can be applied
bash
# Blacklist the affected driver on systems where it is not required
echo "blacklist spi-wpcm-fiu" | sudo tee /etc/modprobe.d/blacklist-wpcm-fiu.conf
sudo update-initramfs -u

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.