Description
In the Linux kernel, the following vulnerability has been resolved:

phy: fsl-imx8mq-usb: set platform driver data

Add missing platform_set_drvdata() as the data will be used in remove().
Published: 2026-05-06
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The fsl‑imx8mq USB PHY driver fails to associate driver data during initialization because platform_set_drvdata() is missing. This deficiency leads to an uninitialized pointer in the driver’s remove() routine, which can be dereferenced when a USB device is detached or the driver is unloaded. The resulting null pointer dereference can cause a kernel panic, producing a local denial‑of‑service. This is an example of a null pointer dereference vulnerability (CWE‑476). Based on the description, it is inferred that the impact is limited to availability rather than confidentiality or integrity.

Affected Systems

Any Linux kernel that includes the fsl‑imx8mq USB PHY driver is potentially affected. Based on the description, it is inferred that all distributions shipping this driver code remain at risk until the patch is applied or the driver is disabled. No specific kernel versions are listed, so the risk applies broadly to any affected kernel configuration that loads this module.

Risk and Exploitability

The EPSS score of < 1% indicates a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, suggesting no widespread known exploitation. It requires local ability to trigger a USB removal or driver unload, so the attack vector is local. With a CVSS score of 5.5, the flaw is of moderate severity. The likely attack vector is a local user or attacker who has permission to power cycle USB devices or unload modules; the vulnerability is not a concern for remote exploitation.

Generated by OpenCVE AI on May 8, 2026 at 21:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the kernel patch that adds platform_set_drvdata() to the fsl‑imx8mq USB PHY driver, or upgrade to a kernel version containing this fix
  • If an upgrade is not possible, unload or disable the fsl‑imx8mq USB driver module to avoid crashes during removal
  • Monitor system logs for kernel panic messages related to USB device removal and schedule frequent restarts as a temporary mitigation

Generated by OpenCVE AI on May 8, 2026 at 21:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 08 May 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Fri, 08 May 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo

Thu, 07 May 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Thu, 07 May 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low

Wed, 06 May 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: phy: fsl-imx8mq-usb: set platform driver data Add missing platform_set_drvdata() as the data will be used in remove().
Title phy: fsl-imx8mq-usb: set platform driver data
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:21:06.217Z

Reserved: 2026-05-01T14:12:55.997Z

Link: CVE-2026-43259

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-06T12:16:46.777

Modified: 2026-05-08T20:31:42.360

Link: CVE-2026-43259

cve-icon Redhat

Severity : Low

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43259 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T21:45:19Z

Weaknesses