CVE-2026-43401
Analyzed Analyzed - Analysis Complete
NULL Pointer Dereference in Linux Kernel cpufreq Intel Pstate

Publication date: 2026-05-08

Last updated on: 2026-05-21

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: cpufreq: intel_pstate: Fix NULL pointer dereference in update_cpu_qos_request() The update_cpu_qos_request() function attempts to initialize the 'freq' variable by dereferencing 'cpudata' before verifying if the 'policy' is valid. This issue occurs on systems booted with the "nosmt" parameter, where all_cpu_data[cpu] is NULL for the SMT sibling threads. As a result, any call to update_qos_requests() will result in a NULL pointer dereference as the code will attempt to access pstate.turbo_freq using the NULL cpudata pointer. Also, pstate.turbo_freq may be updated by intel_pstate_get_hwp_cap() after initializing the 'freq' variable, so it is better to defer the 'freq' until intel_pstate_get_hwp_cap() has been called. Fix this by deferring the 'freq' assignment until after the policy and driver_data have been validated. [ rjw: Added one paragraph to the changelog ]
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-21
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-43401
EUVD
EUVD-2026-28707
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.0
linux linux_kernel From 6.19 (inc) to 6.19.9 (exc)
linux linux_kernel From 6.18 (inc) to 6.18.19 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's intel_pstate driver, specifically in the update_cpu_qos_request() function. The function attempts to initialize a variable by dereferencing a pointer without first verifying if the pointer is valid. On systems booted with the "nosmt" parameter, some CPU data pointers are NULL for SMT sibling threads. As a result, when update_qos_requests() is called, it tries to access data through a NULL pointer, causing a NULL pointer dereference error.

The issue arises because the code accesses the 'freq' variable too early before confirming the validity of the policy and driver data. The fix involves deferring the assignment of 'freq' until after these validations, preventing the NULL pointer dereference.

Impact Analysis

This vulnerability can cause a NULL pointer dereference in the Linux kernel, which typically leads to a kernel crash or system instability. On affected systems, this could result in unexpected reboots or denial of service conditions, impacting system availability.

Mitigation Strategies

The vulnerability is fixed by deferring the 'freq' assignment until after the policy and driver_data have been validated in the intel_pstate driver within the Linux kernel.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.

Additionally, avoid booting systems with the 'nosmt' parameter until the fix is applied, as the issue occurs on systems booted with this parameter.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43401. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart