Skip to main content

Linux Kernel EUVDEUVD-2026-28716

| CVE-2026-43410 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-08 Linux GHSA-q6cw-2hr2-g93j
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
May 21, 2026 - 20:32 vuln.today
CVSS changed
May 21, 2026 - 18:22 NVD
5.5 (MEDIUM)
CVE Published
May 08, 2026 - 14:21 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

firmware: stratix10-rsu: Fix NULL pointer dereference when RSU is disabled

When the Remote System Update (RSU) isn't enabled in the First Stage Boot Loader (FSBL), the driver encounters a NULL pointer dereference when excute svc_normal_to_secure_thread() thread, resulting in a kernel panic:

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008 Mem abort info: ... Data abort info: ... [0000000000000008] user address but active_mm is swapper Internal error: Oops: 0000000096000004 [#1] SMP Modules linked in: CPU: 0 UID: 0 PID: 79 Comm: svc_smc_hvc_thr Not tainted 6.19.0-rc8-yocto-standard+ #59 PREEMPT Hardware name: SoCFPGA Stratix 10 SoCDK (DT) pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : svc_normal_to_secure_thread+0x38c/0x990 lr : svc_normal_to_secure_thread+0x144/0x990 ... Call trace: svc_normal_to_secure_thread+0x38c/0x990 (P) kthread+0x150/0x210 ret_from_fork+0x10/0x20 Code: 97cfc113 f9400260 aa1403e1 f9400400 (f9400402) ---[ end trace 0000000000000000 ]---

The issue occurs because rsu_send_async_msg() fails when RSU is not enabled in firmware, causing the channel to be freed via stratix10_svc_free_channel(). However, the probe function continues execution and registers svc_normal_to_secure_thread(), which subsequently attempts to access the already-freed channel, triggering the NULL pointer dereference.

Fix this by properly cleaning up the async client and returning early on failure, preventing the thread from being used with an invalid channel.

AnalysisAI

NULL pointer dereference in the Linux kernel's stratix10-rsu firmware driver triggers a kernel panic (denial of service) on Intel/Altera SoCFPGA Stratix 10 systems running kernel 6.19.x when RSU is disabled in the First Stage Boot Loader. A local authenticated user can cause a full system crash by triggering the svc_normal_to_secure_thread kernel thread, which dereferences an already-freed service channel pointer. No public exploit identified at time of analysis; EPSS score of 0.02% at the 5th percentile reflects the narrow hardware-specific exposure.

Technical ContextAI

The vulnerability resides in the firmware/stratix10-rsu subsystem, which manages firmware updates for Intel/Altera SoCFPGA Stratix 10 SoC hardware via the Remote System Update (RSU) protocol using a secure monitor call (SMC/HVC) service layer. When RSU is not enabled in the FSBL, rsu_send_async_msg() returns failure, causing stratix10_svc_free_channel() to release the service channel. The probe function lacks proper early-exit error handling after this failure, continuing to register svc_normal_to_secure_thread(). That thread subsequently dereferences the freed (now NULL) channel pointer at virtual address 0x0000000000000008, producing a kernel Oops and panic. CWE-476 (NULL Pointer Dereference) precisely classifies this as a missing null-check on a resource pointer following deallocation during a probe-time error path. CPE cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* applies, constrained by the hardware-specific driver and FSBL configuration.

RemediationAI

Upgrade to Linux kernel 6.19.9 or 7.0, both of which contain the upstream fix. The fix adds proper early-exit error handling in the probe function so that if rsu_send_async_msg() fails, the async client is cleaned up and the thread is not registered with an invalid channel. Patch commits are aa5739e0c51ad01c6e763ca89c1bfb58fc6ea71a (stable 6.19.x branch) and c45f7263100cece247dd3fa5fe277bd97fdb5687, available at https://git.kernel.org/stable/c/aa5739e0c51ad01c6e763ca89c1bfb58fc6ea71a and https://git.kernel.org/stable/c/c45f7263100cece247dd3fa5fe277bd97fdb5687. If immediate patching is not feasible on embedded Stratix 10 systems, enabling RSU in the FSBL configuration eliminates the failure path that causes the NULL dereference - note this changes firmware behavior and may not be appropriate for all production deployments. As an additional compensating control, restricting local non-root user access to the affected system limits who can trigger the vulnerable code path, though this does not eliminate the underlying bug.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28716 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy