CVE-2026-31544 - Vulnerability Details

- firmware: arm_scmi: Fix NULL dereference on notify error path

Description

In the Linux kernel, the following vulnerability has been resolved:

firmware: arm_scmi: Fix NULL dereference on notify error path

Since commit b5daf93b809d1 ("firmware: arm_scmi: Avoid notifier
registration for unsupported events") the call chains leading to the helper
__scmi_event_handler_get_ops expect an ERR_PTR to be returned on failure to
get an handler for the requested event key, while the current helper can
still return a NULL when no handler could be found or created.

Fix by forcing an ERR_PTR return value when the handler reference is NULL.

Published: 2026-04-24

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux firmware subsystem for Arm Scmi had a flaw that allowed a NULL pointer dereference when handling notifications for unsupported events. The helper function responsible for retrieving an event handler could return NULL instead of an error pointer, causing code later to dereference this NULL value and crash the kernel. This is a classic null dereference vulnerability (CWE‑476) that results in a kernel OOPS and loss of availability.

Affected Systems

All releases of the Linux kernel that contain the arm_scmi firmware subsystem and do not include the commit b5daf93b809d1 (the fix). No explicit vulnerable version range is listed, so any kernel prior to that commit is potentially affected. The vulnerability applies to the Linux:Linux product family.

Risk and Exploitability

The CVSS score of 5.5 indicates a medium‑severity condition. The EPSS score of < 1 % shows that the probability of exploitation is very low at present. The vulnerability is not listed in the CISA KEV catalog, which further suggests limited current exploitation activity. The likely attack vector is local, requiring code that can trigger the scm event path; the issue primarily leads to a crash rather than privilege escalation. Overall risk is moderate, with the main threat being denial of service through a kernel crash.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`b5daf93b809d13a194f8a8eeacfab1cfa241bbc3`	affected	< 70d9bd9a2e683afe6200b0c20af22f06f1a199a4
`b5daf93b809d13a194f8a8eeacfab1cfa241bbc3`	affected	< 8414d2800c34528467df23ce6192c254a73e4459
`b5daf93b809d13a194f8a8eeacfab1cfa241bbc3`	affected	< 555317d6100164748f7d09f80142739bd29f0cda

Linux

affected

Version	Status	Constraints
`6.17`	affected	—
`0`	unaffected	< 6.17
`6.18.20`	unaffected	≤ 6.18.*
`6.19.10`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc1::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc2::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc3::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc4::::::
	cpe:2.3:o:linux:linux_kernel:7.0:rc5::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[b5daf93b809d13a194f8a8eeacfab1cfa241bbc3,70d9bd9a2e683afe6200b0c20af22f06f1a199a4)`	affected	code_commit	—
`[b5daf93b809d13a194f8a8eeacfab1cfa241bbc3,8414d2800c34528467df23ce6192c254a73e4459)`	affected	code_commit	—
`[b5daf93b809d13a194f8a8eeacfab1cfa241bbc3,555317d6100164748f7d09f80142739bd29f0cda)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.17`	affected	generic	—
`[0,6.17)`	unaffected	generic	—
`[6.18.20,6.19.0)`	unaffected	semver	—
`[6.19.10,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Linux kernel update that incorporates commit b5daf93b809d1.
If an update is unavailable, backport the patch to your current kernel source and rebuild the kernel.
After rebuilding, verify that Scmi event notifications no longer trigger NULL dereference errors, and if problems persist, consider disabling Scmi support in the kernel configuration.

Generated by OpenCVE AI on April 28, 2026 at 06:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/555317d6100164748f7d09f80142739bd29f0cda
https://git.kernel.org/stable/c/70d9bd9a2e683afe6200b0c20af22f06f1a199a4
https://git.kernel.org/stable/c/8414d2800c34528467df23ce6192c254a73e4459
https://lore.kernel.org/linux-cve-announce/2026042424-CVE-2026-31544-7fc3@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-31544
https://www.cve.org/CVERecord?id=CVE-2026-31544

History

Tue, 28 Apr 2026 18:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:o:linux:linux_kernel:7.0:rc1:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc2:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc3:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc4:::::: cpe:2.3:o:linux:linux_kernel:7.0:rc5::::::

Sat, 25 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476
References		https://lore.kernel.org/linux-cve-announce/2026042424-CVE-2026-31544-7fc3@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-31544 https://www.cve.org/CVERecord?id=CVE-2026-31544
Metrics	threat_severity `None`	cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}` threat_severity `Low`

Fri, 24 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scmi: Fix NULL dereference on notify error path Since commit b5daf93b809d1 ("firmware: arm_scmi: Avoid notifier registration for unsupported events") the call chains leading to the helper __scmi_event_handler_get_ops expect an ERR_PTR to be returned on failure to get an handler for the requested event key, while the current helper can still return a NULL when no handler could be found or created. Fix by forcing an ERR_PTR return value when the handler reference is NULL.
Title		firmware: arm_scmi: Fix NULL dereference on notify error path
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/555317d6100164748f7d09f80142739bd29f0cda https://git.kernel.org/stable/c/70d9bd9a2e683afe6200b0c20af22f06f1a199a4 https://git.kernel.org/stable/c/8414d2800c34528467df23ce6192c254a73e4459

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-04-24T14:33:13.173Z

Updated: 2026-05-11T22:10:49.780Z

Reserved: 2026-03-09T15:48:24.114Z

Link: CVE-2026-31544

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-04-24T15:16:28.457

Modified: 2026-04-28T18:32:06.167

Link: CVE-2026-31544

Redhat

Severity : Low

Publid Date: 2026-04-24T00:00:00Z

Links: CVE-2026-31544 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T07:00:09Z

Weaknesses

CWE-476

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object