CVE-2026-45877

Source
https://cve.org/CVERecord?id=CVE-2026-45877
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45877.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-45877
Downstream
Published
2026-05-27T12:16:46.910Z
Modified
2026-06-27T11:55:22.267477927Z
Summary
HID: intel-ish-hid: fix NULL-ptr-deref in ishtp_bus_remove_all_clients
Details

In the Linux kernel, the following vulnerability has been resolved:

HID: intel-ish-hid: fix NULL-ptr-deref in ishtpbusremoveallclients

During a warm reset flow, the cl->device pointer may be NULL if the reset occurs while clients are still being enumerated. Accessing cl->device->reference_count without a NULL check leads to a kernel panic.

This issue was identified during multi-unit warm reboot stress clycles. Add a defensive NULL check for cl->device to ensure stability under such intensive testing conditions.

KASAN: null-ptr-deref in range [0000000000000000-0000000000000007] Workqueue: ishfwupdatewq fwresetworkfn

Call Trace: ishtpbusremoveallclients+0xbe/0x130 [intelishtp] ishtpresethandler+0x85/0x1a0 [intelishtp] fwresetworkfn+0x8a/0xc0 [intelish_ipc]

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45877.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
3703f53b99e4a7c373ce3568dd3f91f175ebb626
Fixed
0b605e8ce60698c27a26f512968a597fd620d2e8
Fixed
feb4bcfd405282de60aba321f13a1272b30c5af4
Fixed
272dac57caa981718e7188c80c703e7bb1998054
Fixed
56f7db581ee73af53cd512e00a6261a025bf1d58

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45877.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.9.0
Fixed
6.12.75
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.14
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
6.19.4

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45877.json"