Bug 2482144 (CVE-2026-45877) - CVE-2026-45877 kernel: HID: intel-ish-hid: fix NULL-ptr-deref in ishtp_bus_remove_all_clients
Summary: CVE-2026-45877 kernel: HID: intel-ish-hid: fix NULL-ptr-deref in ishtp_bus_re...
Keywords:
Status: NEW
Alias: CVE-2026-45877
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-27 15:13 UTC by OSIDB Bzimport
Modified: 2026-05-28 03:30 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-27 15:13:27 UTC 
In the Linux kernel, the following vulnerability has been resolved:

HID: intel-ish-hid: fix NULL-ptr-deref in ishtp_bus_remove_all_clients

During a warm reset flow, the cl->device pointer may be NULL if the
reset occurs while clients are still being enumerated. Accessing
cl->device->reference_count without a NULL check leads to a kernel panic.

This issue was identified during multi-unit warm reboot stress clycles.
Add a defensive NULL check for cl->device to ensure stability under
such intensive testing conditions.

KASAN: null-ptr-deref in range [0000000000000000-0000000000000007]
Workqueue: ish_fw_update_wq fw_reset_work_fn

Call Trace:
 ishtp_bus_remove_all_clients+0xbe/0x130 [intel_ishtp]
 ishtp_reset_handler+0x85/0x1a0 [intel_ishtp]
 fw_reset_work_fn+0x8a/0xc0 [intel_ish_ipc]
Comment 1 Keith Grant 2026-05-28 03:28:13 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026052714-CVE-2026-45877-f416@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.