Description
In the Linux kernel, the following vulnerability has been resolved:

HID: intel-ish-hid: fix NULL-ptr-deref in ishtp_bus_remove_all_clients

During a warm reset flow, the cl->device pointer may be NULL if the
reset occurs while clients are still being enumerated. Accessing
cl->device->reference_count without a NULL check leads to a kernel panic.

This issue was identified during multi-unit warm reboot stress cycles.
Add a defensive NULL check for cl->device to ensure stability under
such intensive testing conditions.

KASAN: null-ptr-deref in range [0000000000000000-0000000000000007]
Workqueue: ish_fw_update_wq fw_reset_work_fn

Call Trace:
ishtp_bus_remove_all_clients+0xbe/0x130 [intel_ishtp]
ishtp_reset_handler+0x85/0x1a0 [intel_ishtp]
fw_reset_work_fn+0x8a/0xc0 [intel_ish_ipc]
Published: 2026-05-27
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

During a warm reset flow, the Intel ISHTP HID driver in the Linux kernel can dereference a NULL pointer when the cl->device pointer is unset while clients are still being enumerated. This leads to an immediate kernel panic, abruptly bringing the system to a halt. The flaw is a classic null‑pointer dereference (CWE‑476) resulting in a denial‑of‑service condition that leaves the host inoperable until rebooted.
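
The unchecked access and the defensive check described above, shown as an added user-space model in C; it is not the kernel's code or the upstream patch. Only cl->device and reference_count come from the advisory; the struct layouts, function names and the policy of skipping still-referenced clients on a warm reset are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model only. cl->device and reference_count come from the
 * advisory; every other name and the skip policy are assumptions. */
struct model_device { int reference_count; };
struct model_client {
    struct model_device *device;  /* NULL until enumeration binds a device */
    bool connected;
    struct model_client *next;
};

/* Pre-fix pattern: faults when a client is still being enumerated. */
int remove_all_unchecked(struct model_client *head, bool warm_reset) {
    int n = 0;
    for (struct model_client *cl = head; cl; cl = cl->next) {
        if (warm_reset && cl->device->reference_count) /* NULL deref */
            continue;
        cl->connected = false;
        n++;
    }
    return n;
}

/* Hardened pattern: test cl->device before reading through it. */
int remove_all_checked(struct model_client *head, bool warm_reset) {
    int n = 0;
    for (struct model_client *cl = head; cl; cl = cl->next) {
        if (warm_reset && cl->device && cl->device->reference_count)
            continue;
        cl->connected = false;
        n++;
    }
    return n;
}

/* Constructed input: the middle client has no device bound yet. */
int demo_checked(bool warm_reset) {
    struct model_device busy = { 1 }, idle = { 0 };
    struct model_client c = { &idle, true, NULL };
    struct model_client b = { NULL, true, &c };
    struct model_client a = { &busy, true, &b };
    return remove_all_checked(&a, warm_reset);
}

int main(void) {
    printf("warm: %d, cold: %d\n", demo_checked(true), demo_checked(false));
    return 0;
}
```

Passing the same constructed list to remove_all_unchecked with warm_reset set faults at the marked line, which is the failure the KASAN report in the description records.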

Affected Systems

Any Linux kernel build that contains the Intel ISHTP HID (intel‑ish‑hid) module without the patch is affected. The CVE data do not list specific kernel versions, so all unpatched kernels that compile this module remain vulnerable until the fix is applied.

Risk and Exploitability

The CVSS score of 5.5 indicates a medium overall severity, but the direct kernel panic means the impact is high for the affected host. The EPSS score is less than 1% and the vulnerability is not listed in CISA’s KEV catalog, suggesting limited known exploitation. The likely attack vector is a situation where a warm reset is initiated while client enumeration is in progress—this could be triggered by user or system requests for a reboot, or by firmware that initiates resets on hot‑plug events. Exploitation would therefore require privileged or local user capability to trigger such a reset, or a malicious firmware interaction. The consequence is system downtime until recovery.

Generated by OpenCVE AI on May 28, 2026 at 15:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a release that contains the patch, which adds a NULL check before accessing cl->device->reference_count in the ishtp_bus_remove_all_clients routine.
  • If an immediate kernel upgrade is not available, manually apply the defensive NULL check from the referenced Git commits to the ishtp_bus_remove_all_clients function, rebuild the kernel, and install the updated image so that the check is enforced.
  • As a temporary measure, avoid or delay warm‑reset operations for Intel ISHTP HID devices—e.g., unload the intel_ishtp module or configure BIOS/firmware to suppress OS‑initiated warm resets—until the patch is deployed.

Advisories

No advisories yet.

History

Thu, 28 May 2026 12:15:00 +0000

Type | Values Removed | Values Added
References | |
Metrics | threat_severity: None | cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}; threat_severity: Low

Wed, 27 May 2026 18:00:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-476

Wed, 27 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Description | | (same text as the Description section at the top of this page)
Title | | HID: intel-ish-hid: fix NULL-ptr-deref in ishtp_bus_remove_all_clients
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
References | |

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-27T12:16:46.910Z

Reserved: 2026-05-13T15:03:33.081Z

Link: CVE-2026-45877

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-27T14:17:01.397

Modified: 2026-06-17T10:52:39.260

Link: CVE-2026-45877

Redhat

Severity: Low

Public Date: 2026-05-27T00:00:00Z

Links: CVE-2026-45877 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T15:30:05Z

Weaknesses