Skip to main content

Linux Kernel CVE-2026-53158

| EUVDEUVD-2026-39249 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-j24m-w36c-325g
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local vector because the fastrpc driver and DSP hardware must be physically present; PR:L because the crash path is triggered by kernel-level DSP messaging, not arbitrary unprivileged action; A:H for kernel panic; no C or I impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 07, 2026 - 19:07 vuln.today
CVSS changed
Jul 07, 2026 - 18:52 NVD
5.5 (MEDIUM)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 nvd
MEDIUM 5.5
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

misc: fastrpc: Fix NULL pointer dereference in rpmsg callback

A NULL pointer dereference was observed on Hawi at boot when the DSP sends a glink message before fastrpc_rpmsg_probe() has completed initialization:

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000178 pc : _raw_spin_lock_irqsave+0x34/0x8c lr : fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc] ... Call trace: _raw_spin_lock_irqsave+0x34/0x8c (P) fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc] qcom_glink_native_rx+0x538/0x6a4 qcom_glink_smem_intr+0x14/0x24 [qcom_glink_smem]

The faulting address 0x178 corresponds to the lock variable inside struct fastrpc_channel_ctx, confirming that cctx is NULL when fastrpc_rpmsg_callback() attempts to take the spinlock.

There are two issues here. First, dev_set_drvdata() is called before spin_lock_init() and idr_init(), leaving a window where the callback can retrieve a valid cctx pointer but operate on an uninitialized spinlock. Second, the rpmsg channel becomes live as soon as the driver is bound, so fastrpc_rpmsg_callback() can fire before dev_set_drvdata() is called at all, resulting in dev_get_drvdata() returning NULL.

Fix both issues by moving all cctx initialization ahead of dev_set_drvdata() so the structure is fully initialized before it becomes visible to the callback, and add a NULL check in fastrpc_rpmsg_callback() as a guard against any remaining window.

AnalysisAI

NULL pointer dereference in the Linux kernel's fastrpc misc driver crashes the kernel when a Qualcomm DSP sends a glink message before the fastrpc_rpmsg_probe() initialization routine completes. Systems using the Qualcomm FastRPC subsystem - primarily Android and embedded Qualcomm SoC platforms running Linux 5.1 through unpatched 6.x/7.x stable branches - are vulnerable to a local denial-of-service (kernel panic) at boot. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Boot on Qualcomm SoC hardware
Delivery
DSP sends glink message during probe window
Exploit
fastrpc_rpmsg_callback fires with NULL cctx
Execution
spinlock acquired on NULL pointer at 0x178
Persist
kernel NULL pointer dereference panic
Impact
system crash (DoS)

Vulnerability AssessmentAI

Exploitation Exploitation requires: (1) the target system must use a Qualcomm SoC with a DSP subsystem communicating over GLINK SMEM transport (e.g., Snapdragon platforms); (2) the Linux kernel must be built with the fastrpc driver (CONFIG_QCOM_FASTRPC) loaded or compiled in; (3) the race window must be hit - the DSP must send a glink message during the fastrpc_rpmsg_probe() initialization window, which occurs naturally on affected hardware at boot. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is low-to-moderate and very narrowly scoped. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario On a Qualcomm SoC-based Linux system (e.g., an Android device, automotive platform, or embedded board), the DSP hardware sends a GLINK initialization message during boot before the fastrpc_rpmsg_probe() routine has finished setting driver data. The kernel's fastrpc_rpmsg_callback() fires, calls dev_get_drvdata() which returns NULL, then attempts to acquire a spinlock at offset 0x178 of the NULL pointer, triggering a kernel NULL pointer dereference and system panic. …
Remediation The primary fix is upgrading to a patched Linux kernel stable release: 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53158 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy