Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local vector confirmed by driver/hardware scope; PR:L reflects that a logged-in session or boot context is needed; no C or I impact applies.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
mmc: dw_mmc-rockchip: Add missing private data for very old controllers
The really old controllers (rk2928, rk3066, rk3188) do not support UHS speeds at all, and thus never handled phase data.
For that reason it never had a parse_dt callback and no driver private data at all.
Commit ff6f0286c896 ("mmc: dw_mmc-rockchip: Add memory clock auto-gating support") makes the private data sort of mandatory, because the init function checks whether phases are configured internally or through the clock controller.
This results in the old SoCs then experiencing NULL-pointer dereferences when they try to access that private-data struct.
While we could have if (priv) conditionals in all places, it's way less cluttery to just give the old types their private-data struct.
AnalysisAI
NULL pointer dereference in the Linux kernel's dw_mmc-rockchip MMC driver triggers kernel panics on systems running legacy Rockchip SoCs (rk2928, rk3066, rk3188) when the MMC subsystem initializes. Commit ff6f0286c896 introduced a mandatory private-data access path that was never populated for these old controllers - which historically had no UHS support and no parse_dt callback - causing a reproducible kernel crash on affected hardware. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Two simultaneous conditions are required: (1) the target system must be physically equipped with one of exactly three legacy Rockchip SoC variants - rk2928, rk3066, or rk3188 - as the NULL dereference is specific to the code path for these controller types that lack UHS support; and (2) the running kernel must include commit ff6f0286c896 but not the fix commits, corresponding to kernel versions 6.12.78-6.12.93, 6.18.19-6.18.35, 7.0.x prior to 7.0.13, or 7.1 RC1-RC6. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is low despite the kernel-crash impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A system boots on legacy Rockchip rk2928, rk3066, or rk3188 hardware running an affected kernel version; during MMC subsystem initialization, the dw_mmc-rockchip driver's init function dereferences the NULL private data pointer when checking memory clock auto-gating configuration, triggering an immediate kernel panic. The crash is deterministic and reproducible on every boot of affected hardware - no user interaction, network access, or special privileges beyond system startup are needed. … |
| Remediation | Upgrade the Linux kernel to a patched stable release: 6.12.94 or later for the 6.12.x longterm branch, 6.18.36 or later for the 6.18.x branch, 7.0.13 or later for the 7.0.x branch, or the final 7.1 release for the 7.1 RC series. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39243
GHSA-38rg-2rjc-3rmj