Description
In the Linux kernel, the following vulnerability has been resolved:

arm_mpam: Check whether the config array is allocated before destroying it

__destroy_component_cfg() is called to free the configuration array.
It uses the embedded 'garbage' structure, which means the array has
to be allocated.

If __destroy_component_cfg() is called from mpam_disable() before the
configuration was ever allocated, then a NULL pointer is dereferenced.

Check for this case and return early if the configuration is not
allocated.

__destroy_component_cfg() also frees the mbwu_state as this is allocated
by __allocate_component_cfg(). As the mbwu_state is allocated after
comp->cfg is set, and is also under mpam_list_lock, only the first
pointer needs checking.
Published: 2026-06-26
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the arm_mpam subsystem of the Linux kernel, where __destroy_component_cfg frees a configuration array without first verifying that it was allocated. If this function is called before allocation, a NULL pointer dereference triggers a kernel crash, effectively taking the host offline. This is a classic null‑pointer dereference flaw.

Affected Systems

All Linux kernel builds that include the arm_mpam driver are potentially impacted, such as arm64 and other ARM architectures that ship with unpatched kernels. This vulnerability affects a wide range of Linux distributions that have not applied the latest kernel update.

Risk and Exploitability

The bug could be triggered if an attacker with local or root privileges activates mpam_disable to force the crash. The CVSS score of 5.5 indicates moderate severity, while the EPSS score is <1%, indicating a low likelihood of exploitation. No public exploits are catalogued, and the CVE is not listed in the CISA KEV catalog, suggesting no current known active exploitation.

Generated by OpenCVE AI on June 29, 2026 at 13:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Linux kernel to a version that includes the null-pointer check for the __destroy_component_cfg function.
  • If updating is delayed, disable or remove the arm_mpam module to avoid exercising the vulnerable code path.
  • Monitor kernel logs for unexpected crashes related to MPAM and apply the patch as soon as possible.

Generated by OpenCVE AI on June 29, 2026 at 13:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-909
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Fri, 26 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: arm_mpam: Check whether the config array is allocated before destroying it __destroy_component_cfg() is called to free the configuration array. It uses the embedded 'garbage' structure, which means the array has to be allocated. If __destroy_component_cfg() is called from mpam_disable() before the configuration was ever allocated, then a NULL pointer is dereferenced. Check for this case and return early if the configuration is not allocated. __destroy_component_cfg() also frees the mbwu_state as this is allocated by __allocate_component_cfg(). As the mbwu_state is allocated after comp->cfg is set, and is also under mpam_list_lock, only the first pointer needs checking.
Title arm_mpam: Check whether the config array is allocated before destroying it
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-26T19:40:40.694Z

Reserved: 2026-06-09T07:44:35.395Z

Link: CVE-2026-53278

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-26T00:00:00Z

Links: CVE-2026-53278 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T14:00:05Z

Weaknesses
  • CWE-909

    Missing Initialization of Resource