Listen to this Post
The vulnerability resides in the `classmate-laptop` driver for x86 platforms. Due to improper initialization ordering, sysfs attributes related to the accelerometer (v4 model) are registered before the driver’s private data pointers are stored using `dev_set_drvdata` . If a user or process reads or writes to these sysfs files (e.g., cmpc_accel_sensitivity_store_v4) during this narrow window, the `dev_get_drvdata` function returns NULL. The code then dereferences this NULL pointer without validation, leading to a kernel crash (oops) and a denial of service . This affects both attributes that rely on the input device’s driver data and those relying on the ACPI device’s driver data before `cmpc_add_acpi_notify_device` completes .
Platform: Linux Kernel
Version: < 6.18.13 / 6.19-rc1
Vulnerability : NULL pointer dereference
Severity: Medium (CVSS:5.5)
date: 2026-03-04
Prediction: Patched in mainline (6.19)
What Undercode Say:
Analytics
The issue is a classic local denial-of-service vulnerability affecting a niche hardware driver. Analysis shows a low attack complexity, requiring local access and precise timing. The fix is simple but crucial for stability on affected Classmate hardware . The mainline kernel was patched via commit `fe747d711228` on January 26, 2026, and backports are being integrated into stable and long-term support (LTS) kernel trees . The primary impact is system availability.
Exploit:
A proof-of-concept for this bug relies on a race condition. An exploit would need to repeatedly read the vulnerable sysfs entry immediately after the module is loaded, hoping to land in the window before `dev_set_drvdata` is called.
Example of repeatedly trying to trigger the bug by reading the sysfs attribute while true; do Replace with the actual path to the sysfs file on a vulnerable system cat /sys/devices/platform/classmate-laptop/.../sensitivity 2>/dev/null done & Meanwhile, trigger the module load sudo modprobe classmate-laptop
Protection from this CVE
The primary protection is to update the Linux kernel to a patched version (e.g., 6.18.13, 6.19, or a distribution backport) . As a workaround, the vulnerable module can be blacklisted if the accelerometer functionality is not required .
Workaround: Blacklist the module to prevent it from loading sudo bash -c 'echo "blacklist classmate-laptop" >> /etc/modprobe.d/blacklist.conf' sudo update-initramfs -u Verify the module is not loaded lsmod | grep classmate
The kernel patch itself adds defensive NULL pointer checks, preventing the dereference .
// Example of the fix applied to cmpc_accel_sensitivity_show_v4
static ssize_t cmpc_accel_sensitivity_show_v4(struct device dev,
struct device_attribute attr, char buf)
{
struct acpi_device acpi;
struct input_dev inputdev;
struct cmpc_accel accel;
acpi = to_acpi_device(dev);
inputdev = dev_get_drvdata(&acpi->dev);
if (!inputdev)
return -ENXIO;
accel = dev_get_drvdata(&inputdev->dev);
if (!accel)
return -ENXIO;
return sprintf(buf, "%d\n", accel->sensitivity);
}
Impact
Successful exploitation leads to a kernel NULL pointer dereference, causing a system crash (Oops) and resulting in a local denial of service . There is no evidence to suggest this vulnerability can lead to privilege escalation or remote code execution . The impact is confined to systems that actually use the specific `classmate-laptop` hardware and have the driver loaded .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

