CVE-2026-46284 Overview
CVE-2026-46284 is a NULL pointer dereference vulnerability in the Linux kernel's mm/hugetlb subsystem. The flaw occurs when the kernel command line contains hugepages, hugepagesz, or default_hugepagesz parameters without an = separator. Early parameter parsing passes a NULL value to hugetlb_add_param(), which then dereferences the pointer through strlen(). The resulting fault crashes the system during early boot before userspace initializes.
Critical Impact
A malformed kernel command-line argument triggers a NULL pointer dereference in hugetlb_add_param(), causing a denial of service during early boot.
Affected Products
- Linux kernel versions containing the unpatched hugetlb_add_param() parameter handler
- Distributions shipping the affected mm/hugetlb code prior to the upstream fix
- Systems whose bootloader configuration includes hugepages, hugepagesz, or default_hugepagesz without an = value
Discovery Timeline
- 2026-06-08 - CVE-2026-46284 published to NVD
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2026-46284
Vulnerability Analysis
The Linux kernel parses boot-time parameters before most kernel subsystems initialize. The hugetlb_add_param() function registers hugepage-related options supplied on the command line. When a parameter such as hugepages is passed without an = separator, the early parameter framework forwards a NULL value pointer to the handler. The handler then calls strlen() on that pointer without first validating it, dereferencing address zero and triggering a kernel oops during early boot.
The upstream patch rejects NULL values in hugetlb_add_param() and returns -EINVAL, allowing the kernel to continue booting while ignoring the malformed parameter. See the kernel commits 2774bcf, 357c6d0, and c45b354 for the resolution.
Root Cause
The hugetlb_add_param() function assumes the parameter value pointer is always non-NULL. It passes that pointer directly to strlen() without input validation. The early boot parameter parser, however, supplies NULL when an option appears on the command line without an = and a value. The mismatched contract between caller and callee produces the dereference.
Attack Vector
Exploitation requires the ability to modify the kernel command line. This typically requires physical access, bootloader access, or privileged control over boot configuration files such as /etc/default/grub. Remote unauthenticated exploitation is not applicable. The outcome is a denial-of-service condition at boot, not code execution or privilege escalation.
The vulnerability can also be triggered unintentionally by administrators or automation that constructs malformed command lines, producing unbootable systems after configuration changes.
Detection Methods for CVE-2026-46284
Indicators of Compromise
- Kernel oops or panic messages referencing hugetlb_add_param and strlen in early boot logs captured via serial console or dmesg after recovery
- Boot failures immediately following a change to GRUB_CMDLINE_LINUX or equivalent bootloader configuration
- Presence of bare hugepages, hugepagesz, or default_hugepagesz tokens without = in /proc/cmdline on systems that did boot on a patched kernel
Detection Strategies
- Audit bootloader configuration files for hugepages, hugepagesz, and default_hugepagesz tokens missing an =value suffix
- Compare running kernel versions against the patched commits referenced in the upstream advisory to confirm fix presence
- Review configuration management changes that modify kernel command-line parameters for malformed hugetlb options
Monitoring Recommendations
- Centralize collection of /proc/cmdline and kernel version data from Linux fleets to identify unpatched hosts
- Alert on bootloader configuration file modifications in change-controlled environments
- Track repeated boot failures across managed hosts to surface configuration-induced outages
How to Mitigate CVE-2026-46284
Immediate Actions Required
- Update the Linux kernel to a version that includes the upstream fix in mm/hugetlb
- Inspect bootloader configuration for malformed hugetlb parameters and correct any entries missing =value
- Restrict write access to bootloader configuration files and the boot partition to administrators only
Patch Information
The fix is available in the mainline and stable Linux kernel trees. Refer to the upstream commits 2774bcf714739cc6bb86f8812167bb9fbda70f6a, 357c6d084b6137ae640209c5bfd01180f985c015, and c45b354911d01565156e38d7f6bc07edb51fc34c. Apply distribution kernel updates that backport these changes.
Workarounds
- Ensure every hugetlb parameter on the kernel command line uses an explicit =value form, for example hugepagesz=2M and hugepages=512
- Remove any bare hugepages, hugepagesz, or default_hugepagesz tokens from GRUB_CMDLINE_LINUX and regenerate the bootloader configuration
- Recover affected systems by editing the kernel command line at the bootloader prompt to remove the malformed parameter before booting
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
