CVE-2026-43471
Received - Intake
NULL Pointer Dereference in Linux Kernel UFS Core

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: core: Fix possible NULL pointer dereference in ufshcd_add_command_trace()

The kernel log indicates a crash in ufshcd_add_command_trace, due to a NULL pointer dereference when accessing hwq->id. This can happen if ufshcd_mcq_req_to_hwq() returns NULL.

This patch adds a NULL check for hwq before accessing its id field to prevent a kernel crash.

Kernel log excerpt:

  [<ffffffd5d192dc4c>] notify_die+0x4c/0x8c
  [<ffffffd5d1814e58>] __die+0x60/0xb0
  [<ffffffd5d1814d64>] die+0x4c/0xe0
  [<ffffffd5d181575c>] die_kernel_fault+0x74/0x88
  [<ffffffd5d1864db4>] __do_kernel_fault+0x314/0x318
  [<ffffffd5d2a3cdf8>] do_page_fault+0xa4/0x5f8
  [<ffffffd5d2a3cd34>] do_translation_fault+0x34/0x54
  [<ffffffd5d1864524>] do_mem_abort+0x50/0xa8
  [<ffffffd5d2a297dc>] el1_abort+0x3c/0x64
  [<ffffffd5d2a29718>] el1h_64_sync_handler+0x44/0xcc
  [<ffffffd5d181133c>] el1h_64_sync+0x80/0x88
  [<ffffffd5d255c1dc>] ufshcd_add_command_trace+0x23c/0x320
  [<ffffffd5d255bad8>] ufshcd_compl_one_cqe+0xa4/0x404
  [<ffffffd5d2572968>] ufshcd_mcq_poll_cqe_lock+0xac/0x104
  [<ffffffd5d11c7460>] ufs_mtk_mcq_intr+0x54/0x74 [ufs_mediatek_mod]
  [<ffffffd5d19ab92c>] __handle_irq_event_percpu+0xc8/0x348
  [<ffffffd5d19abca8>] handle_irq_event+0x3c/0xa8
  [<ffffffd5d19b1f0c>] handle_fasteoi_irq+0xf8/0x294
  [<ffffffd5d19aa778>] generic_handle_domain_irq+0x54/0x80
  [<ffffffd5d18102bc>] gic_handle_irq+0x1d4/0x330
  [<ffffffd5d1838210>] call_on_irq_stack+0x44/0x68
  [<ffffffd5d183af30>] do_interrupt_handler+0x78/0xd8
  [<ffffffd5d2a29c00>] el1_interrupt+0x48/0xa8
  [<ffffffd5d2a29ba8>] el1h_64_irq_handler+0x14/0x24
  [<ffffffd5d18113c4>] el1h_64_irq+0x80/0x88
  [<ffffffd5d2527fb4>] arch_local_irq_enable+0x4/0x1c
  [<ffffffd5d25282e4>] cpuidle_enter+0x34/0x54
  [<ffffffd5d195a678>] do_idle+0x1dc/0x2f8
  [<ffffffd5d195a7c4>] cpu_startup_entry+0x30/0x3c
  [<ffffffd5d18155c4>] secondary_start_kernel+0x134/0x1ac
  [<ffffffd5d18640bc>] __secondary_switched+0xc4/0xcc

Meta Information

  Published: 2026-05-08
  Last Modified: 2026-05-08
  Generated: 2026-05-09
  AI Q&A: 2026-05-08
  EPSS Evaluated: N/A

Affected Vendors & Products
Showing 1 associated CPE

  Vendor    Product         Version / Range
  linux     linux_kernel    *

CWE ID Description
CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's SCSI UFS core component. It involves a possible NULL pointer dereference in the function ufshcd_add_command_trace(). Specifically, the kernel may crash when the code tries to access the id field of a hardware queue (hwq) pointer that can be NULL if the function ufshcd_mcq_req_to_hwq() returns NULL.

The issue is fixed by adding a NULL check before accessing the hwq id field, preventing the kernel from crashing due to this NULL pointer dereference.


How can this vulnerability impact me?

This vulnerability can cause the Linux kernel to crash unexpectedly due to a NULL pointer dereference. Such crashes can lead to system instability, potential data loss, or denial of service as the kernel becomes unresponsive or restarts.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability manifests as a kernel crash due to a NULL pointer dereference in the ufshcd_add_command_trace() function. Detection involves monitoring the kernel logs for crash messages related to ufshcd_add_command_trace or NULL pointer dereferences involving hwq->id.

You can check your system logs for relevant kernel crash messages using commands such as:

  • dmesg | grep ufshcd_add_command_trace
  • journalctl -k | grep ufshcd_add_command_trace
  • grep -i 'NULL pointer dereference' /var/log/kern.log

These commands help identify if the kernel has logged crashes or faults related to this vulnerability.
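
A plain grep for the function name also matches traces where ufshcd_add_command_trace is only somewhere on the stack. The shell helper below is an added example, not part of the advisory or the kernel source; it counts only oopses whose faulting frame is that function, assuming the arm64 trace layout quoted in the description. The second sample, its addresses and the name hypothetical_callee are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage helper for kernel logs (not the kernel project's code).
# Reads log text on stdin and prints how many traces have
# ufshcd_add_command_trace as the frame printed directly after the arm64
# synchronous-exception entry (el1h_64_sync), i.e. as the faulting function.
count_ufs_trace_faults() {
    awk '
        # Drop any log prefix and the "[<address>]" column, keep "symbol+off/size".
        { line = $0; sub(/^.*\[<[0-9a-f]+>\][ \t]*/, "", line) }
        # Previous frame was the exception entry, this frame is the UFS tracer.
        prev_sync && line ~ /^ufshcd_add_command_trace\+/ { hits++ }
        # el1h_64_sync_handler does not match: the "+" must follow the name.
        { prev_sync = (line ~ /^el1h_64_sync\+/) }
        END { print hits + 0 }
    '
}

# Frames copied from the kernel log excerpt in the description.
sample_fault() {
cat <<'EOF'
[<ffffffd5d2a29718>] el1h_64_sync_handler+0x44/0xcc
[<ffffffd5d181133c>] el1h_64_sync+0x80/0x88
[<ffffffd5d255c1dc>] ufshcd_add_command_trace+0x23c/0x320
[<ffffffd5d255bad8>] ufshcd_compl_one_cqe+0xa4/0x404
EOF
}

# Constructed sample: the tracer is on the stack, but the fault is elsewhere.
sample_on_stack_only() {
cat <<'EOF'
[<ffffffc000000100>] el1h_64_sync+0x80/0x88
[<ffffffc000000200>] hypothetical_callee+0x10/0x40
[<ffffffc000000300>] ufshcd_add_command_trace+0x100/0x320
EOF
}

# Typical use on a live system:  journalctl -k | count_ufs_trace_faults
printf 'sample_fault hits: %s\n' "$(sample_fault | count_ufs_trace_faults)"
printf 'sample_on_stack_only hits: %s\n' "$(sample_on_stack_only | count_ufs_trace_faults)"
```

A non-zero count points at this specific crash; a zero count with grep matches means the function appeared in a trace for some other fault.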


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by adding a NULL check in the kernel code to prevent the NULL pointer dereference. Immediate mitigation involves updating your Linux kernel to a version that includes this fix.

If updating the kernel is not immediately possible, monitoring for kernel crashes related to ufshcd_add_command_trace and avoiding workloads that trigger this code path may reduce the risk of system crashes.

Ultimately, applying the patch or upgrading to a patched kernel version is the recommended step to fully mitigate this issue.

