Description
In the Linux kernel, the following vulnerability has been resolved:

HID: intel-ish-hid: fix NULL-ptr-deref in ishtp_bus_remove_all_clients

During a warm reset flow, the cl->device pointer may be NULL if the
reset occurs while clients are still being enumerated. Accessing
cl->device->reference_count without a NULL check leads to a kernel panic.

This issue was identified during multi-unit warm reboot stress cycles.
Add a defensive NULL check for cl->device to ensure stability under
such intensive testing conditions.

KASAN: null-ptr-deref in range [0000000000000000-0000000000000007]
Workqueue: ish_fw_update_wq fw_reset_work_fn

Call Trace:
ishtp_bus_remove_all_clients+0xbe/0x130 [intel_ishtp]
ishtp_reset_handler+0x85/0x1a0 [intel_ishtp]
fw_reset_work_fn+0x8a/0xc0 [intel_ish_ipc]
Published: 2026-05-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A NULL pointer dereference occurs in the Linux kernel driver for Intel ISHTP HID devices during a warm reset. The cl->device pointer can be NULL if a reset is initiated while clients are still being enumerated, and the code blindly accesses cl->device->reference_count. This results in a kernel panic, a critical denial‑of‑service condition that can crash or abruptly reboot the affected system. The vulnerability is a classic null‑pointer dereference (CWE‑476) and can potentially allow an attacker to trigger a system crash if they can initiate or influence the reset process.
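
The guard described above, as an added example in user-space C; it is not the kernel's code and not taken from the fix commit. The structure names, the sample clients, and the choice to treat a client without a device as unreferenced are assumptions of this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical user-space stand-ins, not the kernel's ISHTP structures. */
struct model_device { int reference_count; };
struct model_client {
    const char *name;
    struct model_device *device; /* NULL until enumeration attaches one */
    bool torn_down;
};

/* Guarded read. The unguarded form, cl->device->reference_count,
 * dereferences NULL for a client caught mid-enumeration.
 * Assumption of this model: no device means no references. */
static int client_refs(const struct model_client *cl)
{
    return cl->device ? cl->device->reference_count : 0;
}

/* Reset-time sweep: tear down unreferenced clients, return the count. */
static size_t remove_all_clients(struct model_client *cls, size_t n)
{
    size_t removed = 0;
    for (size_t i = 0; i < n; i++) {
        if (client_refs(&cls[i]) > 0)
            continue; /* still referenced: left in place */
        cls[i].torn_down = true;
        removed++;
    }
    return removed;
}

/* Constructed scenario: a reset arrives while one client has no device. */
static size_t run_constructed_reset(void)
{
    struct model_device busy = { .reference_count = 2 };
    struct model_device idle = { .reference_count = 0 };
    struct model_client cls[] = {
        { "bound-busy", &busy, false },
        { "bound-idle", &idle, false },
        { "enumerating", NULL, false },
    };
    return remove_all_clients(cls, sizeof(cls) / sizeof(cls[0]));
}
int main(void)
{
    printf("clients torn down: %zu\n", run_constructed_reset());
    return 0;
}
```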

Affected Systems

All Linux kernel releases that contain the unpatched Intel ISHTP HID driver, including the mainstream 6.x series and any earlier kernels that compile the module. The precise affected versions are not listed in the CVE, but the issue was identified during multi‑unit warm reboot stress cycles and has been fixed in recent kernel commits referenced in the advisory. Users running older kernels without this patch are at risk.

Risk and Exploitability

The CVSS score is not provided, but a kernel panic is a severe impact that warrants a high severity assessment. The EPSS score is not available, and the vulnerability is not currently listed in CISA’s KEV catalog, indicating no known large‑scale exploitation. The attack vector is inferred to be a user‑controlled warm reset or a reset triggered by system components while device enumeration is in progress; therefore, privileged users or those able to trigger reboots can exploit the flaw. While the vulnerability is likely to lead solely to denial of service, it represents a critical flaw in kernel stability that must be remedied promptly.

Generated by OpenCVE AI on May 27, 2026 at 17:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the patched Intel ISHTP HID driver, which adds a NULL check for cl->device before accessing its reference count.
  • If an immediate kernel update is not feasible, manually apply the patch from the listed Git commits to the ishtp_bus_remove_all_clients function, compile the kernel, and install it, ensuring the NULL check is present.
  • As a temporary mitigation, disable or postpone any warm reset operations for Intel ISHTP HID devices—for example, by unloading the intel_ishtp module or configuring BIOS/firmware to avoid OS‑initiated warm resets—until the patch is deployed.

Advisories

No advisories yet.

History

Wed, 27 May 2026 18:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Wed, 27 May 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: HID: intel-ish-hid: fix NULL-ptr-deref in ishtp_bus_remove_all_clients During a warm reset flow, the cl->device pointer may be NULL if the reset occurs while clients are still being enumerated. Accessing cl->device->reference_count without a NULL check leads to a kernel panic. This issue was identified during multi-unit warm reboot stress cycles. Add a defensive NULL check for cl->device to ensure stability under such intensive testing conditions. KASAN: null-ptr-deref in range [0000000000000000-0000000000000007] Workqueue: ish_fw_update_wq fw_reset_work_fn Call Trace: ishtp_bus_remove_all_clients+0xbe/0x130 [intel_ishtp] ishtp_reset_handler+0x85/0x1a0 [intel_ishtp] fw_reset_work_fn+0x8a/0xc0 [intel_ish_ipc]
Title HID: intel-ish-hid: fix NULL-ptr-deref in ishtp_bus_remove_all_clients
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:16:46.910Z

Reserved: 2026-05-13T15:03:33.081Z

Link: CVE-2026-45877

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:01.397

Modified: 2026-05-27T14:48:31.480

Link: CVE-2026-45877

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T18:15:21Z

Weaknesses