Description
In the Linux kernel, the following vulnerability has been resolved:

pseries/papr-hvpipe: Fix null ptr deref in papr_hvpipe_dev_create_handle()

commit 6d3789d347a7 ("papr-hvpipe: convert papr_hvpipe_dev_create_handle() to FD_PREPARE()"),
changed the create handle to FD_PREPARE(), but it caused kernel
null-ptr-deref because after call to retain_and_null_ptr(src_info),
src_info is re-used for adding it to the global list.

Getting the following kernel panic in papr_hvpipe_dev_create_handle()
when trying to add src_info to the list.
Kernel attempted to write user page (0) - exploit attempt? (uid: 0)
BUG: Kernel NULL pointer dereference on write at 0x00000000
Faulting instruction address: 0xc0000000001b44a0
Oops: Kernel access of bad area, sig: 11 [#1]
...
Call Trace:
papr_hvpipe_dev_ioctl+0x1f4/0x48c (unreliable)
sys_ioctl+0x528/0x1064
system_call_exception+0x128/0x360
system_call_vectored_common+0x15c/0x2ec

Now, the error handling with FD_PREPARE's file cleanup and __free(kfree) auto
cleanup is getting too convoluted. This is mainly because we need to
ensure only 1 user gets the srcID handle. To simplify this, we allocate and
prepare the src_info in the beginning and add it to the global list
under a spinlock after checking that no duplicates exist.

This simplifies the error handling where if the FD_ADD fails, we can
simply remove the src_info from the list and consume any pending msg in
hvpipe to be cleared, after src_info became visible in the global list.
Published: 2026-05-28
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The fault occurs in the Linux kernel's papr-hvpipe driver when papr_hvpipe_dev_create_handle() reuses src_info after the call to retain_and_null_ptr(src_info) has set it to NULL. Adding src_info to the global list then writes through a NULL pointer, and the resulting oops (a write at address 0x00000000) crashes the kernel, leading to a denial of service. The weakness is a NULL pointer dereference, CWE-476.
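The ordering problem from the description, as an added user-space C model (not the driver's code or the upstream patch). `RETAIN_AND_NULL`, `fd_fails`, the error codes and the fd number are constructed stand-ins, and the spinlock is omitted because the model is single-threaded.

```c
#include <errno.h>
#include <stdlib.h>

/* User-space model with constructed names; not the driver's source. */
struct src_info { unsigned int src_id; struct src_info *next; };
static struct src_info *src_list; /* global list; a spinlock guards it in the kernel */
/* Models retain_and_null_ptr(): ownership moves on, the local becomes NULL. */
#define RETAIN_AND_NULL(p) ((p) = NULL)

static struct src_info *find_src(unsigned int id) {
    struct src_info *s = src_list;
    while (s && s->src_id != id)
        s = s->next;
    return s;
}

static void unlink_src(struct src_info *victim) {
    for (struct src_info **pp = &src_list; *pp; pp = &(*pp)->next)
        if (*pp == victim) { *pp = victim->next; return; }
}

/* Regressed order: returns the pointer the later list insert would use. */
struct src_info *regressed_list_arg(struct src_info *si) {
    RETAIN_AND_NULL(si);          /* ownership handed to the new file */
    return si;                    /* NULL: the insert writes near address 0 */
}

/* Fixed order: publish first, roll back if the fd step (FD_ADD) fails. */
int create_handle_fixed(unsigned int id, int fd_fails) {
    struct src_info *si = calloc(1, sizeof(*si));
    if (!si)
        return -ENOMEM;
    si->src_id = id;
    if (find_src(id)) {           /* only one user per srcID */
        free(si);
        return -EBUSY;
    }
    si->next = src_list;          /* visible in the global list from here */
    src_list = si;
    if (!fd_fails)                /* fd_fails: hypothetical failure switch */
        return 3;                 /* constructed fd number */
    unlink_src(si);               /* error path: unpublish, then free */
    free(si);
    return -EIO;
}

int main(void) { return create_handle_fixed(1, 0) == 3 ? 0 : 1; }
```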

Affected Systems

This vulnerability affects Linux kernel builds that include the papr-hvpipe module. The description does not list specific kernel releases; any kernel containing the unpatched papr-hvpipe code is at risk. No version range is provided, so all kernels with that module should be considered vulnerable until the patch is applied.

Risk and Exploitability

No CVSS score is supplied, and the listed EPSS is below 1% (Very Low). The flaw can cause a kernel panic, which results in a denial of service. An attacker would need to trigger the fault by invoking the ioctl that calls papr_hvpipe_dev_create_handle(). The likely attack vector is a privileged ioctl invocation, inferred from the need to access the papr-hvpipe device, but the description does not specify the required privileges. The issue is not listed in CISA KEV, and there is no evidence of exploitation in the wild.

Generated by OpenCVE AI on May 28, 2026 at 13:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

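  • Apply a Linux kernel update that includes the fix titled "pseries/papr-hvpipe: Fix null ptr deref in papr_hvpipe_dev_create_handle()"; commit 6d3789d347a7, which converted papr_hvpipe_dev_create_handle() to FD_PREPARE(), introduced the NULL pointer dereference and is not the fix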
  • Reboot affected nodes after updating the kernel to ensure the changes take effect and the papr-hvpipe driver is reloaded
  • Configure device access controls so that only trusted users and processes can open the papr-hvpipe device, and monitor for abnormal ioctl usage to reduce the attack surface

Generated by OpenCVE AI on May 28, 2026 at 13:55 UTC.

Advisories

No advisories yet.

History

Thu, 28 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-476

Thu, 28 May 2026 10:15:00 +0000

Type | Values Removed | Values Added
Title | | pseries/papr-hvpipe: Fix null ptr deref in papr_hvpipe_dev_create_handle()
First Time appeared | | Linux; Linux linux Kernel
CPEs | | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products | | Linux; Linux linux Kernel
MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-28T09:35:33.635Z

Reserved: 2026-05-13T15:03:33.098Z

Link: CVE-2026-46118

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-28T10:16:27.293

Modified: 2026-05-28T13:44:01.663

Link: CVE-2026-46118

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T14:00:18Z
