CVE-2026-23332
Null Pointer Dereference in Linux intel_pstate Causes Kernel Crash
Publication date: 2026-03-25
Last updated on: 2026-04-23
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | 6.16 |
| linux | linux_kernel | From 6.19 (inc) to 6.19.7 (exc) |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | 7.0 |
| linux | linux_kernel | From 6.16.1 (inc) to 6.18.17 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not include any details about how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability occurs in the Linux kernel's intel_pstate CPU frequency scaling driver. When the system is booted with certain kernel parameters that limit the number of CPUs (such as "nosmt" or "maxcpus"), disabling the turbo feature by writing to /sys/devices/system/cpu/intel_pstate/no_turbo causes a kernel crash.
The crash happens because the code iterates over all possible CPUs, including those that are not online, and attempts to access data structures (all_cpu_data[]) that are NULL for offline CPUs. This leads to a NULL pointer dereference and a kernel oops (crash).
The fix involves modifying the code to only access all_cpu_data[] for CPUs that have a valid cpufreq policy, preventing the NULL pointer dereference.
How can this vulnerability impact me? :
This vulnerability can cause the Linux kernel to crash when disabling the turbo feature on systems booted with CPU-limiting parameters. A kernel crash can lead to system instability, unexpected reboots, and potential data loss.
Such crashes can disrupt normal operations, reduce system availability, and may require manual intervention to restore service.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by observing system crashes or kernel oops messages when disabling turbo mode on Intel CPUs using the intel_pstate driver, especially if the system is booted with the "nosmt" or "maxcpus" kernel command line arguments.
Specifically, running the command to disable turbo mode:
- echo 1 > /sys/devices/system/cpu/intel_pstate/no_turbo
may cause a crash with messages similar to:
- PF: supervisor read access in kernel mode
- Oops: Oops: 0000 [#1] SMP PTI
- RIP: 0010:store_no_turbo+0x100/0x1f0
Monitoring kernel logs (e.g., using dmesg or journalctl) after executing the above command can help detect the presence of this vulnerability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, avoid disabling turbo mode via the sysfs interface when the system is booted with "nosmt" or "maxcpus" kernel parameters that limit the number of CPUs.
Alternatively, update the Linux kernel to a version where this issue is fixed, which involves a patch that ensures only online CPUs with valid cpufreq policies are accessed when disabling turbo mode.
Until the fix is applied, refrain from using the command:
- echo 1 > /sys/devices/system/cpu/intel_pstate/no_turbo
if the system is booted with CPU limiting parameters.