Listen to this Post
The vulnerability resides in the `hp-bioscfg` driver, which is responsible for managing HP BIOS configuration settings via the Windows Management Instrumentation (WMI) interface. The core issue is a failure to validate the strings representing BIOS attribute names. When the HP BIOS firmware returns a configuration attribute with an empty name string, the driver’s `hp_init_bios_buffer_attribute()` function proceeds to use this empty string to register a kernel object (kobject). The kernel’s kobject subsystem strictly requires a non-empty name for registration. This violation triggers a specific warning message: “kobject: (…): attempted to be registered with empty name!” and a subsequent WARNING CPU backtrace from `kobject_add_internal()` at lib/kobject.c:219. While this does not lead to memory corruption or privilege escalation, it causes a Denial of Service (DoS) condition on the local system by flooding the kernel log with error messages and potentially disrupting the initialization of the hp-bioscfg module, preventing it from loading properly. The fix introduces a simple validation check to skip the registration of any attribute with an empty name, allowing the driver to load successfully and only ignore the malformed data from the BIOS .
DailyCVE Form:
Platform: Linux Kernel
Version: 6.6 to 6.19
Vulnerability: Input validation error
Severity: Medium (CVSS 5.5)
date: 2026-02-14
Prediction: Patched in stable updates
What Undercode Say:
Analytics:
This vulnerability is a classic example of improper input validation (CWE-20) leading to a system instability. The attack vector is local, requiring the attacker to have the ability to influence the data returned by the HP BIOS, which is a low-probability event in a standard environment . The CVSS v3 base score of 5.5 (Medium) reflects this, with a vector string of CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. This indicates a local attack, low attack complexity, low privileges required, no user interaction, and a high availability impact with no confidentiality or integrity impact . The exploitability score is relatively low due to the local prerequisite, but the impact is a guaranteed system warning and potential module failure. The fix was backported to multiple stable kernel trees, showing the maintainers’ prioritization of system stability .
Bash Commands & Code:
Check your current kernel version
uname -r
To view the specific warning in kernel logs if the system is vulnerable
dmesg | grep "kobject:.attempted to be registered with empty name"
dmesg | grep "WARNING: CPU:.kobject_add_internal"
To see if the hp-bioscfg module is loaded and throwing errors
lsmod | grep hp-bioscfg
dmesg | grep hp-bioscfg
The fix commit from the Linux kernel git tree
You can view the change online or fetch it
git show fdee1b09721605f532352628d0a24623e7062efb
Example of the patched code logic (Conceptual)
In drivers/platform/x86/hp/hp-bioscfg/bioscfg.c
Function: hp_init_bios_buffer_attribute()
a/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c
+++ b/drivers/platform/x86/hp/hp-bioscfg/bioscfg.c
@@ -XX,XX +XX,XX @@ static int hp_init_bios_buffer_attribute(struct kobject kobj, char name)
{
int ret;
+ if (!name || strlen(name) == 0) {
+ pr_debug("hp-bioscfg: Skipping attribute with empty name\n");
+ return 0;
+ }
+
ret = kobject_add(kobj, NULL, name);
if (ret)
pr_err("hp-bioscfg: Failed to add kobject %s\n", name);
How Exploit:
There is no public exploit available for this vulnerability, and exploitation is not considered trivial or likely . An attacker would need local access to the system. The exploitation scenario involves forcing the HP BIOS to provide a malformed configuration attribute with an empty name to the `hp-bioscfg` driver. This could potentially be achieved through a corrupted BIOS update or by exploiting a separate, more severe vulnerability in the system’s firmware interaction layer. Upon loading the driver, the kernel would parse this data, attempt to register the empty name, and trigger the warning, causing a flood of error messages and preventing the driver from functioning correctly.
Protection from this CVE:
Protection is achieved by updating the Linux kernel to a version containing the fix.
– Update to kernel version 6.6.122 or later.
– Update to kernel version 6.12.68 or later.
– Update to kernel version 6.18.8 or later.
– Update to any kernel version 6.19 or later .
Users should apply the latest stable kernel updates from their Linux distribution’s package manager (e.g., `apt update && apt upgrade` for Debian/Ubuntu, `yum update kernel` for RHEL/CentOS). There is no known workaround other than patching, as the issue is in the core driver logic .
Impact:
The primary impact is a local Denial of Service (DoS). When triggered, the kernel generates a continuous stream of warning messages, which can clutter system logs and potentially obscure other critical alerts. More significantly, the failure during the attribute registration process can cause the `hp-bioscfg` kernel module to fail its initialization. This means that legitimate HP BIOS configuration functionalities, such as managing BIOS settings from the OS, would become unavailable. The system remains operational, but a specific hardware management feature is disabled, and the integrity of the kernel’s object model is temporarily violated by the attempted invalid registration .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

