CVE-2026-53042

In the Linux kernel, the following vulnerability has been resolved:

fwctl: Fix class init ordering to avoid NULL pointer dereference on device removal

CXL is linked before fwctl in drivers/Makefile. Both use module init, so cxl pci driver init()runs first. Whencxl pci probe()callsfwctl register()and thendevice add(), fwctl class is not yet registered because fwctl init() hasn't run, causing class to subsys()` to return NULL and skip knode class initialization.

On device removal, class to subsys() returns non-NULL, and device del() calls klist del() on the uninitialized knode, triggering a NULL pointer dereference.