CVE-2026-23467
NULL Pointer Dereference in Linux i915 DRM Causes Kernel Oops

Publication date: 2026-04-03

Last updated on: 2026-04-03

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

drm/i915/dmc: Fix an unlikely NULL pointer dereference at probe

intel_dmc_update_dc6_allowed_count() oopses when DMC hasn't been initialized, and dmc is thus NULL.

That would be the case when the call path is intel_power_domains_init_hw() -> {skl,bxt,icl}_display_core_init() -> gen9_set_dc_state() -> intel_dmc_update_dc6_allowed_count(), as intel_power_domains_init_hw() is called *before* intel_dmc_init().

However, gen9_set_dc_state() calls intel_dmc_update_dc6_allowed_count() conditionally, depending on the current and target DC states. At probe, the target is disabled, but if DC6 is enabled, the function is called, and an oops follows. Apparently it's quite unlikely that DC6 is enabled at probe, as we haven't seen this failure mode before.

It is also strange to have DC6 enabled at boot, since that would require the DMC firmware (loaded by BIOS); the BIOS loading the DMC firmware and the driver stopping / reprogramming the firmware is a poorly specified sequence and as such unlikely an intentional BIOS behaviour. It's more likely that BIOS is leaving an unintentionally enabled DC6 HW state behind (without actually loading the required DMC firmware for this).

The tracking of the DC6 allowed counter only works if starting / stopping the counter depends on the _SW_ DC6 state vs. the current _HW_ DC6 state (since stopping the counter requires the DC5 counter captured when the counter was started). Thus, using the HW DC6 state is incorrect and it also leads to the above oops. Fix both issues by using the SW DC6 state for the tracking.

This is v2 of the fix originally sent by Jani, updated based on the first Link: discussion below.

(cherry picked from commit 2344b93af8eb5da5d496b4e0529d35f0f559eaf0)

Meta Information
Published: 2026-04-03
Last Modified: 2026-04-03
Generated: 2026-05-07
AI Q&A: 2026-04-03
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
intel linux_kernel *
CWE ID Description
CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a NULL pointer dereference in the Linux kernel's Intel graphics driver (drm/i915/dmc). It occurs when the function intel_dmc_update_dc6_allowed_count() is called before the DMC (Display Microcontroller) has been initialized, causing a NULL pointer to be dereferenced and leading to a kernel oops (crash).

The issue arises because intel_power_domains_init_hw() is called before intel_dmc_init(), but intel_dmc_update_dc6_allowed_count() can be called conditionally depending on the DC (Display Core) power states. If DC6 (a low power state) is enabled at probe time without the DMC firmware being loaded by the BIOS, the function is called with a NULL dmc pointer, causing the crash.

This situation is unlikely because enabling DC6 at boot without loading the DMC firmware is not typical BIOS behavior. The fix involves tracking the DC6 allowed counter using the software DC6 state rather than the hardware DC6 state to avoid the NULL pointer dereference.
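
The probe-time ordering problem and the fix described above, as a simplified user-space C model added here (it is not the i915 source, and every struct and function name in it is hypothetical). The model returns -1 at the point where the kernel would dereference the NULL dmc pointer, so the hardware-state check and the software-state check can be compared side by side.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified user-space model; every name is hypothetical, not i915 code. */
struct dmc_model { uint32_t dc6_allowed_count, dc5_start; };
struct display_model {
    struct dmc_model *dmc;   /* NULL until the DMC init step has run */
    bool hw_dc6, sw_dc6;     /* state left in hardware vs. requested by driver */
    uint32_t dc5_counter;    /* stand-in for the hardware DC5 counter */
};

/* Returns -1 at the point where a NULL dmc would be dereferenced. */
static int update_dc6_allowed_count(struct display_model *d, bool start)
{
    if (!d->dmc)
        return -1;
    if (start)
        d->dmc->dc5_start = d->dc5_counter;
    else
        d->dmc->dc6_allowed_count += d->dc5_counter - d->dmc->dc5_start;
    return 0;
}

/* use_sw=false models the pre-fix decision made on the hardware state. */
int set_dc_state(struct display_model *d, bool target_dc6, bool use_sw)
{
    bool cur = use_sw ? d->sw_dc6 : d->hw_dc6;
    int ret = 0;

    if (cur != target_dc6)
        ret = update_dc6_allowed_count(d, target_dc6);
    d->sw_dc6 = d->hw_dc6 = target_dc6;
    return ret;
}

/* Probe before DMC init, with DC6 left enabled in hardware, target disabled. */
int probe_with_stale_dc6(bool use_sw)
{
    struct display_model d = { .dmc = NULL, .hw_dc6 = true };
    return set_dc_state(&d, false, use_sw);
}

int main(void)
{
    printf("hw-state check: %d, sw-state check: %d\n",
           probe_with_stale_dc6(false), probe_with_stale_dc6(true));
    return 0;
}
```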


How can this vulnerability impact me?

This vulnerability can cause the Linux kernel to crash (kernel oops) during the initialization of the Intel graphics driver if the DC6 power state is enabled at probe time without proper DMC firmware initialization.

Such a crash can lead to system instability, unexpected reboots, or loss of data if the kernel becomes unresponsive or crashes during normal operation.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by a patch in the Linux kernel that corrects the handling of the DC6 state tracking in the Intel DRM i915 driver. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

Since the issue involves a NULL pointer dereference in the intel_dmc_update_dc6_allowed_count() function, which occurs when the DMC firmware is not properly initialized, ensuring your BIOS and firmware are up to date may also help prevent this condition.

In summary, the immediate mitigation steps are:

  • Update the Linux kernel to a version containing the fix for this vulnerability.
  • Verify that your system BIOS is updated and properly loads the DMC firmware.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

There is no information available in the provided context or resources about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

