What is CVE-2026-46257?

CVE-2026-46257 is a unscored severity Linux kernel vulnerability, affecting Linux kernel versions from 6.19 onward and patched in 6.19.4 and 7.0. CVE-2026-46257 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

What is the CVSS score for CVE-2026-46257?

CVE-2026-46257 has a CVSS score of pending NVD analysis out of 10, rated awaiting scoring severity.

Is there a patch available for CVE-2026-46257?

Yes, CVE-2026-46257 has been patched. Fixed versions include 6.19.4 and 7.0. If you are running Linux kernel 6.19 or later up to the fix versions, apply the relevant patch for your kernel branch.

Is CVE-2026-46257 actively exploited?

CVE-2026-46257 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.

CVE-2026-46257

In the Linux kernel, the following vulnerability has been resolved: clocksource/drivers/timer-sp804: Fix an Oops when read_current_timer is called on ARM32 platforms where the SP804 is not registered as the sched_clock. On SP804, the delay timer shares the same clkevt instance with sched_clock. On some platforms, when sp804_clocksource_and_sched_clock_init is called with use_sched_clock not set to 1, sched_clkevt is not properly initialized. However, sp804_register_delay_timer is invoked unconditionally, and read_current_timer() subsequently calls sp804_read on an uninitialized sched_clkevt, leading to a kernel Oops when accessing sched_clkevt->value. Declare a dedicated clkevt instance exclusively for delay timer, instead of sharing the same clkevt with sched_clock. This ensures that read_current_timer continues to work correctly regardless of whether SP804 is selected as the sched_clock.

Package Linux Kernel

Published 2026-06-03

Last modified 2026-06-05

Patch available

Yes

Affected versions

Linux kernel versions 6.19 and later are affected. Fixed in 6.19.4, 7.0 and their respective stable series.

Affected from

≥ 6.19

Fixed in

✓ 6.19.4 6.19.x ✓ 7.0

References

The following references provide additional information about CVE-2026-46257 including vendor advisories, patch commits, exploit details, and third-party analysis. Links are sourced from the NIST NVD database.

Kernel patch commit
https://git.kernel.org/stable/c/693b0b594b0f278bafa784984129c0c0f988e352
Patch
Kernel patch commit
https://git.kernel.org/stable/c/694921a93f3e3621e067afc545cedf6fe3b234a9
Patch

Frequently asked questions

What is CVE-2026-46257?

CVE-2026-46257 is a unscored severity Linux kernel vulnerability . It affects Linux kernel versions from 6.19 onward and has been patched in 6.19.4 and 7.0. CVE-2026-46257 has not been confirmed as actively exploited and is not listed in the CISA KEV catalog.
Is there a patch available for CVE-2026-46257?

Yes — CVE-2026-46257 has been patched. Fixed versions include 6.19.4 and 7.0. If you are running Linux kernel 6.19 or later up to the fix versions, apply the relevant patch for your kernel branch.
Is CVE-2026-46257 actively exploited?

No — CVE-2026-46257 has not been confirmed as actively exploited. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.