Impact
A NULL pointer dereference in the Linux kernel greybus staging lights module occurs when the memory allocation for the channels array fails. Because the channel count is stored before the array allocation, the cleanup routine later accesses a NULL pointer, causing a kernel panic. This flaw is a classic use‑of‑uninitialized or null pointer dereference (CWE‑476) and results in a loss of availability for the affected host.
Affected Systems
All Linux kernel builds that compile the greybus staging lights module and have not yet incorporated the upstream patch are affected. The module is included in many distributions’ default kernel configurations, so any system running such a kernel is at risk unless the module has been removed or disabled.
Risk and Exploitability
The EPSS score is less than 1% and the vulnerability is not listed in CISA’s KEV catalog, indicating no widespread exploitation. The CVSS score of 5.5 classifies it as moderate severity. Based on the description, it is inferred that a local attacker who can trigger the allocation failure by forcing a module unload or inducing memory pressure could cause a kernel crash. The likely attack vector is local; remote is unlikely, and any successful exploitation results in a system reboot and loss of service.
OpenCVE Enrichment
Debian DLA
Ubuntu USN