CVE-2026-46313 Overview
CVE-2026-46313 affects the Linux kernel's Intel IPU6 (Image Processing Unit 6) media driver. The vulnerability is an error pointer dereference in the ipu6_pci_probe() function located in drivers/media/pci/intel/ipu6/ipu6.c. On an error path, isp->psys is known to hold an error pointer rather than NULL, so a conditional check evaluates true and the error pointer is dereferenced. The flaw was detected by the Smatch static analysis tool and has been resolved upstream.
Critical Impact
Triggering the error path during PCI probe of the Intel IPU6 device can cause a kernel crash through dereferencing an ERR_PTR() value, resulting in local denial of service.
Affected Products
- Linux kernel versions containing the Intel IPU6 media driver (drivers/media/pci/intel/ipu6/ipu6.c)
- Systems with Intel Image Processing Unit 6 (IPU6) hardware
- Stable kernel branches prior to the patches referenced in the upstream commits
Discovery Timeline
- 2026-06-08 - CVE-2026-46313 published to NVD
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2026-46313
Vulnerability Analysis
The vulnerability resides in the ipu6_pci_probe() function of the Intel IPU6 media driver at drivers/media/pci/intel/ipu6/ipu6.c:690. During PCI device probing, the driver initializes the isp->psys pointer. If initialization fails, the pointer is assigned an error value through the ERR_PTR() macro rather than NULL.
The error handling path checks isp->psys before performing cleanup. Because the check treats a non-NULL value as a valid pointer, it proceeds to dereference what is actually an encoded error code. This causes a kernel oops when control flow reaches out_ipu6_bus_del_devices.
The fix sets isp->psys to NULL before jumping to the cleanup label, ensuring the subsequent check correctly skips dereferencing the invalid pointer. This is a kernel-level Null Pointer Dereference class issue compounded with improper error-value handling.
Root Cause
The root cause is improper distinction between NULL pointers and Linux kernel ERR_PTR() encoded error values during cleanup. The kernel uses ERR_PTR() to fold error codes into pointer values, which are non-NULL but invalid for dereferencing. Cleanup code that only tests for NULL fails to handle this case, leading to dereference of the encoded error address.
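The pattern described above, as an added userspace illustration rather than the driver's own code. The ERR_PTR()/IS_ERR() helpers are stand-ins for the kernel's, the struct and function names are hypothetical, and the would_oops flag is instrumentation marking where a real kernel would fault.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Userspace stand-ins for the kernel's <linux/err.h> helpers. */
#define MAX_ERRNO 4095
static void *ERR_PTR(long err) { return (void *)(intptr_t)err; }
static long PTR_ERR(const void *p) { return (long)(intptr_t)p; }
static int IS_ERR(const void *p)
{
    return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO;
}

struct subdev { int registered; };      /* hypothetical sub-device */
struct isp { struct subdev *psys; };    /* hypothetical parent device */

struct isp dev;     /* device under probe */
int would_oops;     /* set when cleanup is about to touch an encoded error */

/* Constructed failure: sub-device setup always returns -ENOMEM. */
static struct subdev *psys_init_fails(void) { return ERR_PTR(-ENOMEM); }

/* Cleanup guarded only by a NULL test, the pattern described above. */
static void del_devices(struct isp *isp)
{
    if (!isp->psys)
        return;                 /* the only case the guard filters out */
    if (IS_ERR(isp->psys)) {    /* instrumentation, not part of the pattern */
        would_oops = 1;         /* a kernel would fault on the next line */
        return;
    }
    isp->psys->registered = 0;
}

/* Probe error path; clear_on_error selects the corrected behaviour. */
long probe(int clear_on_error)
{
    long ret = 0;

    would_oops = 0;
    dev.psys = psys_init_fails();
    if (IS_ERR(dev.psys)) {
        ret = PTR_ERR(dev.psys);
        if (clear_on_error)
            dev.psys = NULL;    /* the fix: cleanup now sees NULL */
        del_devices(&dev);      /* stands in for the jump to the cleanup label */
    }
    return ret;
}
```

Both variants return the same error code to the caller; only the uncorrected one reaches the dereference during cleanup.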
Attack Vector
Exploitation requires the error path in ipu6_pci_probe() to execute, which generally occurs during device initialization when component subsystems fail to register. A local attacker with the ability to influence driver loading, or a system experiencing transient hardware initialization failures, may trigger the dereference. The result is a kernel crash producing local denial of service rather than code execution or privilege escalation.
No verified exploitation code is publicly available. The issue was found through static analysis with Smatch and patched in mainline. Technical details are available in the upstream kernel commits: Kernel Git Commit 8dd088b, Kernel Git Commit c352f90e, Kernel Git Commit f43e3064, and Kernel Git Commit fad134c4.
Detection Methods for CVE-2026-46313
Indicators of Compromise
- Kernel oops or panic logs referencing ipu6_pci_probe or out_ipu6_bus_del_devices in dmesg
- Crash signatures showing dereference of an address consistent with an encoded ERR_PTR() value (typically a small negative offset from the top of the address space)
- Repeated probe failures on systems containing Intel IPU6 hardware
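A triage helper for the second indicator, added here as an example and not taken from the kernel or any vendor tool: it extracts the faulting address from an oops line and reports whether it falls in the ERR_PTR() range. The sample log lines are constructed, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ERRNO 4095

/* Return the negative errno that a 64-bit fault address would encode as an
 * ERR_PTR() value, or 0 if it lies outside the top 4095 bytes. The faulting
 * address is the error value plus the offset of the field being accessed, so
 * treat the decoded number as a hint, not an exact errno. */
long errptr_errno(uint64_t addr)
{
    if (addr < (uint64_t)-MAX_ERRNO)
        return 0;
    return -(long)(~addr + 1);          /* two's-complement negate */
}

/* Parse the hex address that follows "address: " in an oops line.
 * Returns 0 when no address is present or it is not in the ERR_PTR range. */
long triage_oops_line(const char *line)
{
    static const char key[] = "address: ";
    const char *p = strstr(line, key);
    char *end;
    unsigned long long addr;

    if (!p)
        return 0;
    p += sizeof(key) - 1;
    addr = strtoull(p, &end, 16);
    if (end == p)
        return 0;
    return errptr_errno((uint64_t)addr);
}

/* Constructed sample lines: one ERR_PTR-range fault, one NULL-offset fault. */
static const char *const sample_lines[] = {
    "BUG: unable to handle page fault for address: fffffffffffffff4",
    "BUG: kernel NULL pointer dereference, address: 0000000000000010",
};

/* Count the sample lines whose fault address looks like an encoded error. */
int count_errptr_faults(void)
{
    int n = 0;
    for (size_t i = 0; i < sizeof(sample_lines) / sizeof(sample_lines[0]); i++)
        if (triage_oops_line(sample_lines[i]) != 0)
            n++;
    return n;
}
```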
Detection Strategies
- Audit installed kernel versions against the patch commits referenced in the upstream stable tree
- Monitor kernel ring buffer output during boot and module loading for IPU6 driver failures
- Use kernel crash dump analysis (kdump) to identify whether faults trace back to the IPU6 probe path
Monitoring Recommendations
- Forward dmesg and journalctl -k output to a central log platform to detect kernel oops events
- Establish alerting on kernel crash artifacts in /var/crash on systems with Intel IPU6 cameras
- Track package and kernel update status across fleet inventory to confirm patched versions are deployed
How to Mitigate CVE-2026-46313
Immediate Actions Required
- Update the Linux kernel to a stable release containing the fix commits referenced above
- Identify systems carrying Intel IPU6 hardware, primarily certain Intel laptop and tablet platforms with integrated cameras
- Prioritize patching on systems where unprivileged users can influence driver initialization or hot-plug events
Patch Information
The vulnerability is resolved in upstream Linux kernel stable trees through commits 8dd088b8, c352f90e, f43e3064, and fad134c4. The fix sets isp->psys = NULL before the cleanup jump so the conditional check correctly avoids dereferencing the error pointer. Apply distribution-provided kernel updates as soon as they are available.
Workarounds
- Blacklist the intel_ipu6 module on systems where IPU6 camera functionality is not required, using /etc/modprobe.d/
- Restrict physical and local console access to reduce risk of triggering probe-time crashes
- Disable the IPU6 device in firmware (BIOS/UEFI) where supported, if camera functionality is unused
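# Configuration example: blacklist the IPU6 driver until patched
echo 'blacklist intel_ipu6' | sudo tee /etc/modprobe.d/blacklist-ipu6.conf
# Rebuild the initramfs so the blacklist also applies during early boot
# (Debian/Ubuntu command; dracut-based distributions use 'sudo dracut -f')
sudo update-initramfs -u
# Reboot so the running kernel starts without the module loaded
sudo reboot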