Description
In the Linux kernel, the following vulnerability has been resolved:

fwctl: Fix class init ordering to avoid NULL pointer dereference on device removal

CXL is linked before fwctl in drivers/Makefile. Both use `module_init, so
`cxl_pci_driver_init()` runs first. When `cxl_pci_probe()` calls
`fwctl_register()` and then `device_add()`, fwctl_class is not yet
registered because fwctl_init() hasn't run, causing `class_to_subsys()` to
return NULL and skip knode_class initialization.

On device removal, `class_to_subsys()` returns non-NULL, and
`device_del()` calls `klist_del()` on the uninitialized knode, triggering
a NULL pointer dereference.
Published: 2026-06-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An ordering flaw in the Linux kernel's module initialization sequence causes a NULL pointer dereference when a CXL device is removed. The bug originates because the fwctl driver’s class registration has not yet taken place when device_add() is called, causing the kernel to attempt to free an uninitialized knode structure. The immediate consequence is a kernel crash, resulting in a denial of service. This vulnerability is local and affects systems that use the legacy CXL driver and allow dynamic device removal. It is categorized as CWE‑824 (Race condition).

Affected Systems

All Linux kernel distributions that include the legacy CXL driver before the patch that reordered the class initialization are affected. The bug exists in any kernel build that lacks the commit that ensures fwctl_class is registered before device_add is invoked, typically versions preceding the kernel commit identified in the advisory references. All machines that use CXL hardware and allow dynamic device removal are within scope.

Risk and Exploitability

An EPSS score of <1% indicates a very low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog, so the risk remains low in terms of publicly known exploits. The CVSS score is 5.5, indicating a moderate severity. However, the nature of the flaw dereference in a kernel driver places it at high impact if the flaw is triggered. An attacker who, even locally, could force a kernel crash. The lack of exploitation metrics suggests that the vulnerability is likely not widely announced yet, but the risk to any production environment that uses CXL devices remains significant.

Generated by OpenCVE AI on June 27, 2026 at 04:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the fix for the fwctl ordering bug, referring to the commits linked in the advisory references.
  • If immediate kernel upgrades are not feasible, disable or unload the CXL driver and avoid dynamic removal of CXL devices until the patch is applied.
  • Continuously monitor kernel logs for crashes or panic messages that may indicate the kernel was affected, and plan to remediate promptly if such events occur.

Generated by OpenCVE AI on June 27, 2026 at 04:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 27 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Sat, 27 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-824
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Wed, 24 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Wed, 24 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: fwctl: Fix class init ordering to avoid NULL pointer dereference on device removal CXL is linked before fwctl in drivers/Makefile. Both use `module_init, so `cxl_pci_driver_init()` runs first. When `cxl_pci_probe()` calls `fwctl_register()` and then `device_add()`, fwctl_class is not yet registered because fwctl_init() hasn't run, causing `class_to_subsys()` to return NULL and skip knode_class initialization. On device removal, `class_to_subsys()` returns non-NULL, and `device_del()` calls `klist_del()` on the uninitialized knode, triggering a NULL pointer dereference.
Title fwctl: Fix class init ordering to avoid NULL pointer dereference on device removal
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-24T16:29:48.273Z

Reserved: 2026-06-09T07:44:35.380Z

Link: CVE-2026-53042

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-24T00:00:00Z

Links: CVE-2026-53042 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-27T04:15:10Z

Weaknesses
  • CWE-824

    Access of Uninitialized Pointer