Skip to main content

Linux Kernel CVE-2026-53204

| EUVDEUVD-2026-39295 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-7vgh-484p-pv5r
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local driver bug requiring low-privilege access on specific FPGA hardware; pure availability impact via kernel panic, no C/I impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 02, 2026 - 23:16 vuln.today
CVSS changed
Jul 02, 2026 - 21:07 NVD
5.5 (MEDIUM)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 25, 2026 - 09:16 nvd
MEDIUM 5.5

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

firmware: stratix10-rsu: Fix NULL deref on rsu_send_msg() timeout in probe

rsu_send_msg() can return -ETIMEDOUT when wait_for_completion_interruptible_timeout() fires while the SMC call is still pending. In stratix10_rsu_probe(), the error paths for COMMAND_RSU_DCMF_VERSION, COMMAND_RSU_DCMF_STATUS, COMMAND_RSU_MAX_RETRY and COMMAND_RSU_GET_SPT_TABLE call stratix10_svc_free_channel() - which sets chan->scl to NULL - but then fall through and queue the next request on the same channel. The next svc kthread that runs will dereference pdata->chan->scl in its receive callback path, triggering a NULL pointer dereference identical to the one fixed by commit c45f7263100c ("firmware: stratix10-rsu: Fix NULL pointer dereference when RSU is disabled") for the COMMAND_RSU_STATUS path.

Apply the same cleanup pattern to the remaining failure paths: remove the async client, free the channel, and return early so no further messages are queued on a channel whose scl has been cleared.

While at it, clean up stratix10_rsu_probe() in two ways without changing behavior:

  • Drop redundant zero-initialization of fields already cleared by

devm_kzalloc(): client.receive_cb, status.* and spt0/1_address (INVALID_SPT_ADDRESS is 0x0).

  • Replace five identical 3-line error-cleanup blocks

(stratix10_svc_remove_async_client() + stratix10_svc_free_channel() + return ret) with goto labels (remove_async_client, free_channel), matching the standard kernel resource-unwinding pattern and making it easier to extend the probe sequence without forgetting matching cleanup.

Also move init_completion() next to mutex_init() so sync-primitive initialization is grouped before anything that could trigger a callback.

--- v2: Add a minor clean-up of the function stratix10_rsu_probe() to have a centralize exit for all the rsu_send_async_msg() and rsu_send_msg().

AnalysisAI

NULL pointer dereference in the Linux kernel's Intel Stratix10 RSU (Remote System Update) firmware driver causes a kernel panic when SMC call timeouts occur during probe initialization. Affected kernels through 7.1-rc7 and 7.0.13 expose a race condition where timeout-driven error paths in stratix10_rsu_probe() free the service channel - setting chan->scl to NULL - but fail to return early, allowing subsequent service kthreads to dereference the now-NULL pointer in their receive callbacks. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Gain local access (PR:L)
Delivery
Load or await stratix10-rsu driver probe
Exploit
Induce SMC call timeout during probe sequence
Install
stratix10_svc_free_channel() clears chan->scl
C2
Probe continues queuing next request on freed channel
Execute
svc kthread dereferences NULL chan->scl
Impact
Kernel panic (DoS)

Vulnerability AssessmentAI

Exploitation Exploitation requires: (1) local access to the target system with at minimum low-privilege (PR:L per CVSS vector), (2) the target must be running Intel Stratix10 SoC hardware with the stratix10-rsu driver compiled and loaded, and (3) the vulnerability window is during driver probe initialization - specifically when an SMC call for one of COMMAND_RSU_DCMF_VERSION, COMMAND_RSU_DCMF_STATUS, COMMAND_RSU_MAX_RETRY, or COMMAND_RSU_GET_SPT_TABLE times out while still pending. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) accurately reflects real-world risk: local access with low-privilege is required, limiting the attack surface significantly. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user with standard (non-root) account access on a system running an affected Linux kernel on Intel Stratix10 hardware could trigger the vulnerability by inducing conditions where SMC calls during driver probe time out - for example by stressing the secure monitor interface or exploiting platform-level timing conditions. When the timeout fires, the mishandled error path causes the svc kthread to dereference a NULL pointer, resulting in a kernel oops or panic and system crash.
Remediation Apply the upstream stable kernel patches available at https://git.kernel.org/stable/c/6bc249d324241c64118a3018124798c28e2950f7 and https://git.kernel.org/stable/c/bfd2eb9bba548a8f63c3339bb1fb9a2031a42d86. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53204 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy