CVE Catalog

CVE-2026-46284

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.12%

2th percentile - higher than 2% of all known CVEs

Summary

In the Linux kernel, a vulnerability causes a system crash during early boot when kernel command-line parameters (hugepages, hugepagesz, default_hugepagesz) are specified without the '=' separator. The hugetlb_add_param() function calls strlen() on a NULL value, leading to a pointer dereference and crash.

Risk Assessment

The risk involves intentional or accidental system crash during boot by providing malformed kernel command-line parameters, potentially preventing system startup and requiring administrator intervention.

Recommendation

Immediately update the Linux kernel to a version containing the fix that rejects NULL values in hugetlb_add_param() and returns -EINVAL instead of causing a crash.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix early boot crash on parameters without '=' separator If hugepages, hugepagesz, or default_hugepagesz are specified on the kernel command line without the '=' separator, early parameter parsing passes NULL to hugetlb_add_param(), which dereferences it in strlen() and can crash the system during early boot. Reject NULL values in hugetlb_add_param() and return -EINVAL instead.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS