CVE-2026-46284
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk2th percentile - higher than 2% of all known CVEs
Summary
In the Linux kernel, a vulnerability causes a system crash during early boot when kernel command-line parameters (hugepages, hugepagesz, default_hugepagesz) are specified without the '=' separator. The hugetlb_add_param() function calls strlen() on a NULL value, leading to a pointer dereference and crash.
Risk Assessment
The risk involves intentional or accidental system crash during boot by providing malformed kernel command-line parameters, potentially preventing system startup and requiring administrator intervention.
Recommendation
Immediately update the Linux kernel to a version containing the fix that rejects NULL values in hugetlb_add_param() and returns -EINVAL instead of causing a crash.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix early boot crash on parameters without '=' separator If hugepages, hugepagesz, or default_hugepagesz are specified on the kernel command line without the '=' separator, early parameter parsing passes NULL to hugetlb_add_param(), which dereferences it in strlen() and can crash the system during early boot. Reject NULL values in hugetlb_add_param() and return -EINVAL instead.

