Description
In the Linux kernel, the following vulnerability has been resolved:

cpufreq: intel_pstate: Fix NULL pointer dereference in update_cpu_qos_request()

The update_cpu_qos_request() function attempts to initialize the 'freq'
variable by dereferencing 'cpudata' before verifying if the 'policy'
is valid.

This issue occurs on systems booted with the "nosmt" parameter, where
all_cpu_data[cpu] is NULL for the SMT sibling threads. As a result,
any call to update_qos_requests() will result in a NULL pointer
dereference as the code will attempt to access pstate.turbo_freq using
the NULL cpudata pointer.

Also, pstate.turbo_freq may be updated by intel_pstate_get_hwp_cap()
after initializing the 'freq' variable, so it is better to defer the
'freq' until intel_pstate_get_hwp_cap() has been called.

Fix this by deferring the 'freq' assignment until after the policy and
driver_data have been validated.

[ rjw: Added one paragraph to the changelog ]
Published: 2026-05-08
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A null pointer dereference occurs in the Linux kernel function update_cpu_qos_request() when the system boots with the 'nosmt' parameter. The code accesses global data through a NULL pointer before verifying that the policy is valid, which can trigger a kernel crash (kernel oops) and render the host unusable until reboot. This vulnerability directly compromises system availability and could be exploited by any local actor who can reboot or reboot with the affected parameter enabled.

Affected Systems

Affected systems are all Linux kernel installations that include the Intel P-state driver in its current form. The patch is applied at the kernel level; no product version list was provided, so it applies to all current kernels that have not yet incorporated the fix. The problem arises specifically when the nosmt boot flag causes sibling SMT CPUs to report a NULL cpudata pointer.

Risk and Exploitability

The CVSS score is 5.5, the EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the system to boot with the nosmt flag, meaning the attack surface is limited to local or remote login that can influence boot parameters. Once active, the flaw leads to a denial‑of‑service condition, but does not provide an attacker with elevated privileges or persistence beyond the crash. Given the lack of a publicly known exploit and the requirement to influence the boot command line, the likelihood of exploitation in the wild is considered low to moderate, while the impact remains high due to the critical failure of system uptime.

Generated by OpenCVE AI on May 9, 2026 at 02:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that contains the fix based on the commits cited in the advisory
  • If an immediate kernel upgrade is not feasible, modify the boot configuration to remove or disable the 'nosmt' parameter, which triggers the null dereference
  • After applying the update or rebooting with the safe configuration, ensure the system operates normally and monitor for any unexpected crashes

Generated by OpenCVE AI on May 9, 2026 at 02:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Fri, 08 May 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Fri, 08 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: cpufreq: intel_pstate: Fix NULL pointer dereference in update_cpu_qos_request() The update_cpu_qos_request() function attempts to initialize the 'freq' variable by dereferencing 'cpudata' before verifying if the 'policy' is valid. This issue occurs on systems booted with the "nosmt" parameter, where all_cpu_data[cpu] is NULL for the SMT sibling threads. As a result, any call to update_qos_requests() will result in a NULL pointer dereference as the code will attempt to access pstate.turbo_freq using the NULL cpudata pointer. Also, pstate.turbo_freq may be updated by intel_pstate_get_hwp_cap() after initializing the 'freq' variable, so it is better to defer the 'freq' until intel_pstate_get_hwp_cap() has been called. Fix this by deferring the 'freq' assignment until after the policy and driver_data have been validated. [ rjw: Added one paragraph to the changelog ]
Title cpufreq: intel_pstate: Fix NULL pointer dereference in update_cpu_qos_request()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-08T14:21:42.876Z

Reserved: 2026-05-01T14:12:56.007Z

Link: CVE-2026-43401

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-08T15:16:51.543

Modified: 2026-05-08T15:16:51.543

Link: CVE-2026-43401

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43401 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T02:30:16Z

Weaknesses