CVE-2026-45874
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk5th percentile - higher than 5% of all known CVEs
Summary
In the Linux kernel PHY driver for i.MX8QM HSIO, a NULL pointer dereference vulnerability was found. During probe, the refclk_pad pointer is set to NULL if the 'fsl,refclk-pad-mode' property is not defined in the device tree. The function imx_hsio_configure_clk_pad() uses this pointer unconditionally, which could lead to a system crash.
Risk Assessment
The risk is a potential system crash (kernel panic) during boot on i.MX8QM platforms when the hardware configuration lacks the appropriate device tree entry. This could prevent normal system operation.
Recommendation
Update the Linux kernel to a version containing the fix that adds a pointer check before use in the imx_hsio_configure_clk_pad() function.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: phy: freescale: imx8qm-hsio: fix NULL pointer dereference During the probe the refclk_pad pointer is set to NULL if the 'fsl,refclk-pad-mode' property is not defined in the devicetree node. But in imx_hsio_configure_clk_pad() this pointer is unconditionally used which could result in a NULL pointer dereference. So check the pointer before to use it.

