Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local vector because the fastrpc driver and DSP hardware must be physically present; PR:L because the crash path is triggered by kernel-level DSP messaging, not arbitrary unprivileged action; A:H for kernel panic; no C or I impact.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
misc: fastrpc: Fix NULL pointer dereference in rpmsg callback
A NULL pointer dereference was observed on Hawi at boot when the DSP sends a glink message before fastrpc_rpmsg_probe() has completed initialization:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000178 pc : _raw_spin_lock_irqsave+0x34/0x8c lr : fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc] ... Call trace: _raw_spin_lock_irqsave+0x34/0x8c (P) fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc] qcom_glink_native_rx+0x538/0x6a4 qcom_glink_smem_intr+0x14/0x24 [qcom_glink_smem]
The faulting address 0x178 corresponds to the lock variable inside struct fastrpc_channel_ctx, confirming that cctx is NULL when fastrpc_rpmsg_callback() attempts to take the spinlock.
There are two issues here. First, dev_set_drvdata() is called before spin_lock_init() and idr_init(), leaving a window where the callback can retrieve a valid cctx pointer but operate on an uninitialized spinlock. Second, the rpmsg channel becomes live as soon as the driver is bound, so fastrpc_rpmsg_callback() can fire before dev_set_drvdata() is called at all, resulting in dev_get_drvdata() returning NULL.
Fix both issues by moving all cctx initialization ahead of dev_set_drvdata() so the structure is fully initialized before it becomes visible to the callback, and add a NULL check in fastrpc_rpmsg_callback() as a guard against any remaining window.
AnalysisAI
NULL pointer dereference in the Linux kernel's fastrpc misc driver crashes the kernel when a Qualcomm DSP sends a glink message before the fastrpc_rpmsg_probe() initialization routine completes. Systems using the Qualcomm FastRPC subsystem - primarily Android and embedded Qualcomm SoC platforms running Linux 5.1 through unpatched 6.x/7.x stable branches - are vulnerable to a local denial-of-service (kernel panic) at boot. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires: (1) the target system must use a Qualcomm SoC with a DSP subsystem communicating over GLINK SMEM transport (e.g., Snapdragon platforms); (2) the Linux kernel must be built with the fastrpc driver (CONFIG_QCOM_FASTRPC) loaded or compiled in; (3) the race window must be hit - the DSP must send a glink message during the fastrpc_rpmsg_probe() initialization window, which occurs naturally on affected hardware at boot. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is low-to-moderate and very narrowly scoped. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | On a Qualcomm SoC-based Linux system (e.g., an Android device, automotive platform, or embedded board), the DSP hardware sends a GLINK initialization message during boot before the fastrpc_rpmsg_probe() routine has finished setting driver data. The kernel's fastrpc_rpmsg_callback() fires, calls dev_get_drvdata() which returns NULL, then attempts to acquire a spinlock at offset 0x178 of the NULL pointer, triggering a kernel NULL pointer dereference and system panic. … |
| Remediation | The primary fix is upgrading to a patched Linux kernel stable release: 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39249
GHSA-j24m-w36c-325g