Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local attack via fastrpc device node requires low-privilege access; pure availability crash with no confidentiality or integrity impact, consistent with DSP DMA corruption.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
misc: fastrpc: fix DMA address corruption due to find_vma misuse
fastrpc_get_args() uses find_vma() to look up the VMA for a user-provided pointer and compute a DMA address offset. When the address falls in a gap before the returned VMA, (ptr & PAGE_MASK) - vma->vm_start underflows, corrupting the DMA address sent to the DSP.
Replace find_vma() with vma_lookup(), which returns NULL when the address is not contained within any VMA.
AnalysisAI
Integer underflow in the Linux kernel fastrpc misc driver corrupts DMA addresses sent to Qualcomm DSPs, enabling a local low-privileged user to crash the DSP subsystem or induce a kernel panic. The flaw in fastrpc_get_args() affects all major stable kernel branches from 5.15 through 7.1-rc3 and is patched across multiple stable series. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires: (1) a Linux system running on hardware with a Qualcomm FastRPC-capable DSP (e.g., Snapdragon SoC), making this inapplicable to x86, non-Qualcomm ARM, or generic embedded platforms; (2) the fastrpc kernel module loaded and a corresponding device node (e.g., /dev/adsprpc-smd) accessible to the attacker's process; (3) a local user-level account with read/write access to that device node - PR:L per CVSS confirms no elevated privilege is needed beyond what is necessary to reach the interface. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (score 5.5 Medium) accurately reflects the risk profile: local access with low privileges is required, the attack is straightforward in terms of complexity, and the sole impact is availability - a corrupted DMA address can crash the DSP subsystem or trigger a kernel panic, but does not expose data or allow code execution with elevated privileges. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local process on a Qualcomm Snapdragon Android device or embedded Linux system with the fastrpc driver loaded opens the fastrpc device node and issues an IOCTL that internally calls fastrpc_get_args() with a crafted user-space pointer deliberately targeting a gap between valid VMAs. The underflowing DMA offset calculation passes a massively out-of-range address to the DSP, causing the DSP firmware to fault or the kernel DMA subsystem to panic, resulting in a device hang or reboot. … |
| Remediation | Upgrade to a patched kernel stable release: 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39250
GHSA-3439-cqxh-wp94