CVE-2026-43356

#include <stdio.h> #include <stdlib.h> // Conceptual PoC demonstrating the vulnerability logic struct adis_ops { int (*write)(void); int (*read)(void); }; struct adis { struct adis_ops *ops; }; // Simulating the vulnerable function in the kernel void vulnerable_adis_init(struct adis *adis) { // Vulnerability: Dereferencing adis->ops without checking if it is NULL if (adis->ops->write == NULL || adis->ops->read == NULL) { printf("Assigning default ops...\n"); } } int main() { // Simulating zero-initialized allocation (devm_iio_device_alloc) struct adis *my_adis = (struct adis *)calloc(1, sizeof(struct adis)); // ops is NULL here (0x0) printf("Triggering NULL pointer dereference...\n"); // This will crash (Segfault) mimicking the Kernel Panic/Oops vulnerable_adis_init(my_adis); free(my_adis); return 0; }

{"cve": {"id": "CVE-2026-43356", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-08T15:16:46.367", "lastModified": "2026-05-15T16:02:39.450", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: imu: adis: Fix NULL pointer dereference in adis_init\n\nThe adis_init() function dereferences adis->ops to check if the\nindividual function pointers (write, read, reset) are NULL, but does\nnot first check if adis->ops itself is NULL.\n\nDrivers like adis16480, adis16490, adis16545 and others do not set\ncustom ops and rely on adis_init() assigning the defaults. Since struct\nadis is zero-initialized by devm_iio_device_alloc(), adis->ops is NULL\nwhen adis_init() is called, causing a NULL pointer dereference:\n\n Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n pc : adis_init+0xc0/0x118\n Call trace:\n adis_init+0xc0/0x118\n adis16480_probe+0xe0/0x670\n\nFix this by checking if adis->ops is NULL before dereferencing it,\nfalling through to assign the default ops in that case."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "6.18.19", "matchCriteriaId": "D6461E17-9936-4679-8F97-568871A6FBE4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.9", "matchCriteriaId": "E825E7C3-FEAC-4FD3-8A81-78D7387948C9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "F253B622-8837-4245-BCE5-A7BF8FC76A16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "4AE85AD8-4641-4E7C-A2F4-305E2CD9EE64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F666C8D8-6538-46D4-B318-87610DE64C34"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/1a48f94c63a078e7b6a2e59a637fc0858dc6510c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/9990cd4f8827bd1ae3fb6eb7407630d8d463c430", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ba19dd366528b961430f5195c2e382420703074f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}