In the Linux kernel, the following vulnerability has been resolved:
fwctl: Fix class init ordering to avoid NULL pointer dereference on device removal
CXL is linked before fwctl in drivers/Makefile. Both use `module_init, so
`cxl_pci_driver_init()` runs first. When `cxl_pci_probe()` calls
`fwctl_register()` and then `device_add()`, fwctl_class is not yet
registered because fwctl_init() hasn't run, causing `class_to_subsys()` to
return NULL and skip knode_class initialization.
On device removal, `class_to_subsys()` returns non-NULL, and
`device_del()` calls `klist_del()` on the uninitialized knode, triggering
a NULL pointer dereference.
CVSS
No CVSS.
References
Configurations
No configuration.
History
24 Jun 2026, 17:17
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-06-24 17:17
Updated : 2026-06-24 17:17
NVD link : CVE-2026-53042
Mitre link : CVE-2026-53042
CVE.ORG link : CVE-2026-53042
JSON object : View
Products Affected
No product.
CWE
No CWE.
