CVE-2026-31744

EUVD-2026-26557
In the Linux kernel, the following vulnerability has been resolved:

PM: EM: Fix NULL pointer dereference when perf domain ID is not found

dev_energymodel_nl_get_perf_domains_doit() calls
em_perf_domain_get_by_id() but does not check the return value before
passing it to __em_nl_get_pd_size(). When a caller supplies a
non-existent perf domain ID, em_perf_domain_get_by_id() returns NULL,
and __em_nl_get_pd_size() immediately dereferences pd->cpus
(struct offset 0x30), causing a NULL pointer dereference.

The sister handler dev_energymodel_nl_get_perf_table_doit() already
handles this correctly via __em_nl_get_pd_table_id(), which returns
NULL and causes the caller to return -EINVAL. Add the same NULL check
in the get-perf-domains do handler.

[ rjw: Subject and changelog edits ]
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
UNKNOWN
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
6.1.159-1
fixed
bookworm (security)
6.1.164-1
fixed
bullseye
5.10.223-1
fixed
bullseye (security)
5.10.251-3
fixed
forky
6.19.14-1
fixed
sid
7.0.3-1
fixed
trixie
6.12.73-1
fixed
trixie (security)
6.12.85-1
fixed
References
https://git.kernel.org/stable/c/9badc2a84e688be1275bb740942d5f6f51746908
https://git.kernel.org/stable/c/ab09b9a1e3b02ff62c5aebe3b12b0cb4cb4ea8ab