CVE-2026-46250
Analyzed Analyzed - Analysis Complete
Kernel Relocation Failure in Linux due to LLVM GP Register Handling

Publication date: 2026-06-03

Last updated on: 2026-06-09

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: MIPS: Work around LLVM bug when gp is used as global register variable On MIPS, __current_thread_info is defined as global register variable locating in $gp, and is simply assigned with new address during kernel relocation. This however is broken with LLVM, which always restores $gp if it finds $gp is clobbered in any form, including when intentionally through a global register variable. This is against GCC's documentation[1], which requires a callee-saved register used as global register variable not to be restored if it's clobbered. As a result, $gp will continue to point to the unrelocated kernel after the epilog of relocate_kernel(), leading to an early crash in init_idle, [ 0.000000] CPU 0 Unable to handle kernel paging request at virtual address 0000000000000000, epc == ffffffff81afada8, ra == ffffffff81afad90 [ 0.000000] Oops[#1]: [ 0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper Tainted: G W 6.19.0-rc5-00262-gd3eeb99bbc99-dirty #188 VOLUNTARY [ 0.000000] Tainted: [W]=WARN [ 0.000000] Hardware name: loongson,loongson64v-4core-virtio [ 0.000000] $ 0 : 0000000000000000 0000000000000000 0000000000000001 0000000000000000 [ 0.000000] $ 4 : ffffffff80b80ec0 ffffffff80b53d48 0000000000000000 00000000000f4240 [ 0.000000] $ 8 : 0000000000000100 ffffffff81d82f80 ffffffff81d82f80 0000000000000001 [ 0.000000] $12 : 0000000000000000 ffffffff81776f58 00000000000005da 0000000000000002 [ 0.000000] $16 : ffffffff80b80e40 0000000000000000 ffffffff80b81614 9800000005dfbe80 [ 0.000000] $20 : 00000000540000e0 ffffffff81980000 0000000000000000 ffffffff80f81c80 [ 0.000000] $24 : 0000000000000a26 ffffffff8114fb90 [ 0.000000] $28 : ffffffff80b50000 ffffffff80b53d40 0000000000000000 ffffffff81afad90 [ 0.000000] Hi : 0000000000000000 [ 0.000000] Lo : 0000000000000000 [ 0.000000] epc : ffffffff81afada8 init_idle+0x130/0x270 [ 0.000000] ra : ffffffff81afad90 init_idle+0x118/0x270 [ 0.000000] Status: 540000e2 KX SX UX KERNEL EXL [ 0.000000] Cause : 00000008 (ExcCode 02) [ 0.000000] BadVA : 0000000000000000 [ 0.000000] PrId : 00006305 (ICT Loongson-3) [ 0.000000] Process swapper (pid: 0, threadinfo=(____ptrval____), task=(____ptrval____), tls=0000000000000000) [ 0.000000] Stack : 9800000005dfbf00 ffffffff8178e950 0000000000000000 0000000000000000 [ 0.000000] 0000000000000000 ffffffff81970000 000000000000003f ffffffff810a6528 [ 0.000000] 0000000000000001 9800000005dfbe80 9800000005dfbf00 ffffffff81980000 [ 0.000000] ffffffff810a6450 ffffffff81afb6c0 0000000000000000 ffffffff810a2258 [ 0.000000] ffffffff81d82ec8 ffffffff8198d010 ffffffff81b67e80 ffffffff8197dd98 [ 0.000000] ffffffff81d81c80 ffffffff81930000 0000000000000040 0000000000000000 [ 0.000000] 0000000000000000 0000000000000000 0000000000000000 0000000000000000 [ 0.000000] 0000000000000000 000000000000009e ffffffff9fc01000 0000000000000000 [ 0.000000] 0000000000000000 0000000000000000 0000000000000000 0000000000000000 [ 0.000000] 0000000000000000 ffffffff81ae86dc ffffffff81b3c741 0000000000000002 [ 0.000000] ... [ 0.000000] Call Trace: [ 0.000000] [<ffffffff81afada8>] init_idle+0x130/0x270 [ 0.000000] [<ffffffff81afb6c0>] sched_init+0x5c8/0x6c0 [ 0.000000] [<ffffffff81ae86dc>] start_kernel+0x27c/0x7a8 This bug has been reported to LLVM[2] and affects version from (at least) 18 to 21. Let's work around this by using inline assembly to assign $gp before a fix is widely available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-03
Last Modified
2026-06-09
Generated
2026-06-24
AI Q&A
2026-06-03
EPSS Evaluated
2026-06-22
NVD
CVE-2026-46250
EUVD
EUVD-2026-34112
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.13 (inc) to 6.18.14 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.4 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.128 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.75 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.202 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.165 (exc)
linux linux_kernel From 4.7 (inc) to 5.10.252 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in the Linux kernel on MIPS architecture due to a bug in LLVM compiler versions 18 to 21. The issue arises because the global pointer register ($gp), used as a global register variable for __current_thread_info, is restored incorrectly by LLVM after kernel relocation. LLVM restores $gp even when it is intentionally clobbered, which contradicts GCC's behavior and documentation. As a result, $gp points to the unrelocated kernel, causing an early crash during kernel initialization (init_idle).

Impact Analysis

This vulnerability can cause the Linux kernel to crash early during system startup on affected MIPS systems using LLVM versions 18 to 21. The crash occurs because the global pointer register points to an incorrect memory location, leading to kernel paging errors and system instability. This can result in denial of service as the system fails to boot properly.

Detection Guidance

This vulnerability manifests as an early crash in the Linux kernel on MIPS architectures using LLVM, with kernel paging request errors and specific oops messages during system initialization.

To detect this issue, monitor your system logs (e.g., dmesg or /var/log/kern.log) for kernel oops messages similar to the following:

  • CPU 0 Unable to handle kernel paging request at virtual address 0000000000000000
  • Oops[#1]: CPU: 0 UID: 0 PID: 0 Comm: swapper Tainted: G W
  • epc : ffffffff81afada8 init_idle+0x130/0x270

Suggested commands to check for these logs include:

  • dmesg | grep -i 'Unable to handle kernel paging request'
  • journalctl -k | grep -i 'Oops'
  • cat /var/log/kern.log | grep -i 'init_idle'

These commands help identify if the kernel is crashing due to this specific issue related to the $gp register being restored incorrectly by LLVM.

Mitigation Strategies

The vulnerability is caused by LLVM restoring the $gp register incorrectly on MIPS architectures, leading to kernel crashes.

Immediate mitigation involves applying the patch that works around the LLVM bug by using inline assembly to assign the $gp register before a fix is widely available.

If you are maintaining your own kernel build, update to the fixed Linux kernel version that includes this workaround.

Alternatively, avoid using affected LLVM versions (from at least 18 to 21) for building the kernel on MIPS until the issue is resolved.

Monitor for updates from LLVM and your Linux distribution for official patches.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46250. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart