CVE-2026-43122 - Vulnerability Details

- ACPI: processor: Update cpuidle driver check in __acpi_processor_start()

Description

In the Linux kernel, the following vulnerability has been resolved:

ACPI: processor: Update cpuidle driver check in __acpi_processor_start()

Commit 7a8c994cbb2d ("ACPI: processor: idle: Optimize ACPI idle
driver registration") moved the ACPI idle driver registration to
acpi_processor_driver_init() and acpi_processor_power_init() does
not register an idle driver any more.

Accordingly, the cpuidle driver check in __acpi_processor_start() needs
to be updated to avoid calling acpi_processor_power_init() without a
cpuidle driver, in which case the registration of the cpuidle device
in that function would lead to a NULL pointer dereference in
__cpuidle_register_device().

Published: 2026-05-06

Score: n/a

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel bug is triggered when the ACPI idle driver registration logic is executed without an active cpuidle driver. The missing check causes the system to dereference a null pointer in __cpuidle_register_device(), potentially leading to a kernel panic and service interruption. The vulnerability does not directly grant code execution, but a crash requires a reboot to restore service, resulting in downtime.

Affected Systems

The affected product is the Linux Operating System’s kernel, but no specific kernel releases are listed in the advisory. Organizations should verify if their current kernel build contains the commit that fixed this bug.

Risk and Exploitability

An exploit would likely require local access to manipulate ACPI events to trigger the faulty path. Because the attack vector is not clearly documented, the risk of remote exploitation is low. The EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, but the absence of a mitigation path in widely used kernels warrants cautious response. The kernel crash would end the affected process, so the main risk is availability loss rather than confidentiality or integrity.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`7a8c994cbb2db3c5335cee35fd486557f5aaf7e1`	affected	< 68f38f648e4b5bed2aeadd2f711e25302e6490f8
`7a8c994cbb2db3c5335cee35fd486557f5aaf7e1`	affected	< 6cfed39c2ce64ac024bbde458a9727105e0b8c66
`7a8c994cbb2db3c5335cee35fd486557f5aaf7e1`	affected	< 0089ce1c056aee547115bdc25c223f8f88c08498

Linux

affected

Version	Status	Constraints
`6.18`	affected	—
`0`	unaffected	< 6.18
`6.18.14`	unaffected	≤ 6.18.*
`6.19.4`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[7a8c994cbb2db3c5335cee35fd486557f5aaf7e1,68f38f648e4b5bed2aeadd2f711e25302e6490f8)`	affected	code_commit	—
`[7a8c994cbb2db3c5335cee35fd486557f5aaf7e1,6cfed39c2ce64ac024bbde458a9727105e0b8c66)`	affected	code_commit	—
`[7a8c994cbb2db3c5335cee35fd486557f5aaf7e1,0089ce1c056aee547115bdc25c223f8f88c08498)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.18`	affected	generic	—
`[0,6.18)`	unaffected	generic	—
`[6.18.14,6.19.0)`	unaffected	semver	—
`[6.19.4,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

apply the kernel update that includes commit 7a8c994cbb2d to fix the NULL pointer dereference in __acpi_processor_start()
ensure the ACPI idle driver remains enabled in system configuration to prevent the faulty path from being invoked
monitor system logs for ACPI-related warnings or errors to detect unexpected crashes early

Generated by OpenCVE AI on May 6, 2026 at 14:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00017.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0089ce1c056aee547115bdc25c223f8f88c08498
https://git.kernel.org/stable/c/68f38f648e4b5bed2aeadd2f711e25302e6490f8
https://git.kernel.org/stable/c/6cfed39c2ce64ac024bbde458a9727105e0b8c66
https://lore.kernel.org/linux-cve-announce/2026050618-CVE-2026-43122-6d5d@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43122
https://www.cve.org/CVERecord?id=CVE-2026-43122

History

Thu, 07 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026050618-CVE-2026-43122-6d5d@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43122 https://www.cve.org/CVERecord?id=CVE-2026-43122

Wed, 06 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476

Wed, 06 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: ACPI: processor: Update cpuidle driver check in __acpi_processor_start() Commit 7a8c994cbb2d ("ACPI: processor: idle: Optimize ACPI idle driver registration") moved the ACPI idle driver registration to acpi_processor_driver_init() and acpi_processor_power_init() does not register an idle driver any more. Accordingly, the cpuidle driver check in __acpi_processor_start() needs to be updated to avoid calling acpi_processor_power_init() without a cpuidle driver, in which case the registration of the cpuidle device in that function would lead to a NULL pointer dereference in __cpuidle_register_device().
Title		ACPI: processor: Update cpuidle driver check in __acpi_processor_start()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0089ce1c056aee547115bdc25c223f8f88c08498 https://git.kernel.org/stable/c/68f38f648e4b5bed2aeadd2f711e25302e6490f8 https://git.kernel.org/stable/c/6cfed39c2ce64ac024bbde458a9727105e0b8c66

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T11:27:08.893Z

Updated: 2026-05-06T11:27:08.893Z

Reserved: 2026-05-01T14:12:55.987Z

Link: CVE-2026-43122

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-06T12:16:29.067

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43122

Redhat

Severity :

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43122 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-06T14:30:05Z

Weaknesses

CWE-476

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object