HarborGuard Database
Severity: HIGH · CVE-2026-46250 · CNA: Linux

CVE-2026-46250: MIPS: Work around LLVM bug when gp is used as global register variable

In the Linux kernel, the following vulnerability has been resolved:

MIPS: Work around LLVM bug when gp is used as global register variable

On MIPS, __current_thread_info is defined as a global register variable located in $gp, and is simply assigned the new address during kernel relocation. This however is broken with LLVM, which always restores $gp if it finds $gp is clobbered in any form, including when intentionally through a global register variable. This is against GCC's documentation[1], which requires a callee-saved register used as a global register variable not to be restored if it's clobbered. As a result, $gp will continue to point to the unrelocated kernel after the epilog of relocate_kernel(), leading to an early crash in init_idle,

[ 0.000000] CPU 0 Unable to handle kernel paging request at virtual address 0000000000000000, epc == ffffffff81afada8, ra == ffffffff81afad90
[ 0.000000] Oops[#1]:
[ 0.000000] CPU: 0 UID: 0 PID: 0 Comm: swapper Tainted: G W 6.19.0-rc5-00262-gd3eeb99bbc99-dirty #188 VOLUNTARY
[ 0.000000] Tainted: [W]=WARN
[ 0.000000] Hardware name: loongson,loongson64v-4core-virtio
[ 0.000000] $ 0 : 0000000000000000 0000000000000000 0000000000000001 0000000000000000
[ 0.000000] $ 4 : ffffffff80b80ec0 ffffffff80b53d48 0000000000000000 00000000000f4240
[ 0.000000] $ 8 : 0000000000000100 ffffffff81d82f80 ffffffff81d82f80 0000000000000001
[ 0.000000] $12 : 0000000000000000 ffffffff81776f58 00000000000005da 0000000000000002
[ 0.000000] $16 : ffffffff80b80e40 0000000000000000 ffffffff80b81614 9800000005dfbe80
[ 0.000000] $20 : 00000000540000e0 ffffffff81980000 0000000000000000 ffffffff80f81c80
[ 0.000000] $24 : 0000000000000a26 ffffffff8114fb90
[ 0.000000] $28 : ffffffff80b50000 ffffffff80b53d40 0000000000000000 ffffffff81afad90
[ 0.000000] Hi : 0000000000000000
[ 0.000000] Lo : 0000000000000000
[ 0.000000] epc : ffffffff81afada8 init_idle+0x130/0x270
[ 0.000000] ra : ffffffff81afad90 init_idle+0x118/0x270
[ 0.000000] Status: 540000e2 KX SX UX KERNEL EXL
[ 0.000000] Cause : 00000008 (ExcCode 02)
[ 0.000000] BadVA : 0000000000000000
[ 0.000000] PrId : 00006305 (ICT Loongson-3)
[ 0.000000] Process swapper (pid: 0, threadinfo=(____ptrval____), task=(____ptrval____), tls=0000000000000000)
[ 0.000000] Stack : 9800000005dfbf00 ffffffff8178e950 0000000000000000 0000000000000000
[ 0.000000] 0000000000000000 ffffffff81970000 000000000000003f ffffffff810a6528
[ 0.000000] 0000000000000001 9800000005dfbe80 9800000005dfbf00 ffffffff81980000
[ 0.000000] ffffffff810a6450 ffffffff81afb6c0 0000000000000000 ffffffff810a2258
[ 0.000000] ffffffff81d82ec8 ffffffff8198d010 ffffffff81b67e80 ffffffff8197dd98
[ 0.000000] ffffffff81d81c80 ffffffff81930000 0000000000000040 0000000000000000
[ 0.000000] 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[ 0.000000] 0000000000000000 000000000000009e ffffffff9fc01000 0000000000000000
[ 0.000000] 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[ 0.000000] 0000000000000000 ffffffff81ae86dc ffffffff81b3c741 0000000000000002
[ 0.000000] ...
[ 0.000000] Call Trace:
[ 0.000000] [<ffffffff81afada8>] init_idle+0x130/0x270
[ 0.000000] [<ffffffff81afb6c0>] sched_init+0x5c8/0x6c0
[ 0.000000] [<ffffffff81ae86dc>] start_kernel+0x27c/0x7a8

This bug has been reported to LLVM[2] and affects versions from (at least) 18 to 21. Let's work around this by using inline assembly to assign $gp before a fix is widely available.

Metrics

CVSS v3.1: 7.3
Severity: HIGH
Fixed in: 05bff9b0ae095b2420cfebb4a96759a09334bec6
Affected products: 2


HarborGuard Analysis

Synopsis

A kernel crash vulnerability exists in the Linux kernel's MIPS architecture code, triggered when the kernel is compiled with LLVM instead of GCC. An LLVM compiler bug causes the global pointer register ($gp) to be incorrectly restored after kernel relocation, leaving it pointing at the pre-relocation kernel address. Any process or thread running on an affected MIPS system after relocation can trigger a null-pointer dereference or kernel paging fault at boot, crashing the system before userspace starts. A patched-image rebuild at the fix commits (including stable branch 5.10.252) is available on HarborGuard for environments running affected kernel versions.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream kernel and NVD feeds within minutes of publication and matched against customer images, including custom-built images that carry a vulnerable Linux kernel version. Images compiled with LLVM targeting MIPS are flagged directly within the pipeline scan results.

Triage (Available)

HarborGuard scores this CVE at CVSS 7.3 (HIGH) and surfaces it with per-environment compliance policy weighting so teams with strict availability SLAs see it prioritized appropriately. Findings are routed to the team inbox or ticketing integration configured for each customer organization.

Patch (Available)

A patched-image rebuild pinned to the fix commits (including Linux stable 5.10.252) is available on HarborGuard for any environment running an affected kernel version. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs the configured regression suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network access to the vulnerable component is required.

  • Authentication: Not required

    No credentials or account privileges are required to trigger the vulnerable code path on an affected boot.

  • Victim interaction: Not required

    No user or administrator action beyond running a kernel built with the affected LLVM toolchain on MIPS hardware is needed.

  • Attack complexity: Low (AC:L in the CVSS vector below)

    Exploitation is reliable and condition-free once the LLVM-compiled kernel undergoes relocation; no race conditions or memory-layout dependencies are involved.

Blast Radius

  • The kernel crashes at early boot (during init_idle) with a null-pointer dereference, making the system completely unavailable.
  • Any workloads scheduled on the affected node are terminated before they can start, causing a full denial of service for that node.
  • Kernel memory at the unrelocated address range is referenced incorrectly, which may expose kernel state readable through crash dump artifacts if dump-on-panic is configured.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-46250 is active for every image scan that includes a Linux kernel targeting MIPS compiled with LLVM. The fix is available in upstream commits (05bff9b0, 1fe3b402, 4dc65b40, 30bfc2d6) and in stable branch 5.10.252. Where compliance policy permits, HarborGuard can rebuild affected images at the patched version, run the configured regression suite, and open a pull request against affected workloads; for environments with auto-remediation enabled, median time from CVE publication to a merged patch PR for high-severity issues is around 90 minutes. For environments that cannot immediately update the kernel, consider isolating MIPS nodes from production scheduling and reviewing toolchain configurations to confirm whether LLVM is in use for kernel builds.


Fix available
Affected packages

  • Linux / Linux (affected from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2), fixed before each of:
    - 05bff9b0ae095b2420cfebb4a96759a09334bec6
    - 1fe3b402b1e97a1718df3be0a1d3eee20133e735
    - 4dc65b40fb80c2020efbf139b9a38d30f9a37b92
    - c0155dee51b9f5f48aaf5c71cae005eb0e36521f
    - e3a6498a63394218561065a9a7a597a204f52f6a
    - 561834f6d6f52b8a1791331e94b2aac753491d2a
  • Linux / Linux
    Fixed in 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.14, 6.19.4, 7.0

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H