CVE-2026-43410
NULL Pointer Dereference in Stratix10 RSU Driver
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: kernel.org
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| intel | stratix10-rsu | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is in the Linux kernel's firmware driver for Stratix 10 Remote System Update (RSU). When RSU is not enabled in the First Stage Boot Loader (FSBL), rsu_send_async_msg() fails and the channel is freed, but the probe function continues and registers the thread svc_normal_to_secure_thread(), which uses the now-invalid channel. When that thread runs, it tries to access the freed channel and dereferences a NULL pointer, which results in a kernel panic.
How can this vulnerability impact me?
The impact of this vulnerability is a kernel panic caused by a NULL pointer dereference. This means that the system running the affected Linux kernel on Stratix 10 hardware could crash unexpectedly when RSU is disabled. Such crashes can lead to system instability, downtime, and potential loss of data or service availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability manifests as a kernel panic caused by a NULL pointer dereference in the stratix10-rsu firmware driver when RSU is disabled. Detection involves monitoring system logs for kernel panic messages related to svc_normal_to_secure_thread and NULL pointer dereferences.
- Check kernel logs for messages like 'Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008'.
- Use the command: dmesg | grep -i 'svc_normal_to_secure_thread' to find related kernel tracebacks.
- Monitor for kernel Oops messages with: dmesg | grep -i 'Oops' or journalctl -k | grep -i 'Oops'.
- Look for process crashes or kernel panics involving the svc_smc_hvc_thr thread.
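The checks above, combined into one filter, as an added example that is not part of the original page or the kernel project: it counts only Oops reports in which the NULL-dereference message appears together with svc_normal_to_secure_thread or svc_smc_hvc_thr, so unrelated Oopses are not reported. The names rsu_oops_check and sample_log, and the sample log lines, are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory or the kernel project).
# Reads kernel log text on stdin, prints how many Oops reports pair the
# NULL-dereference message with the function or thread named above, and
# exits 0 if at least one report matched, 1 otherwise.
rsu_oops_check() {
    awk '
        # A NULL-dereference line opens a new report window.
        /Unable to handle kernel NULL pointer dereference/ {
            if (in_oops) count += hit   # previous report had no end marker
            in_oops = 1; hit = 0; next
        }
        # Inside the window, look for the faulting function or thread name.
        in_oops && /svc_normal_to_secure_thread|svc_smc_hvc_thr/ { hit = 1 }
        # The end-of-trace marker closes the window.
        in_oops && /---\[ end trace/ { count += hit; in_oops = 0; hit = 0 }
        END {
            if (in_oops) count += hit   # log was cut off mid-report
            print count + 0
            exit (count > 0 ? 0 : 1)
        }
    '
}

# Constructed sample log (timestamps, PIDs, offsets and the second report
# are made up): one report matching this issue, one unrelated NULL dereference.
sample_log() {
    cat <<'EOF'
[    5.100000] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
[    5.100010] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
[    5.100020] CPU: 0 PID: 42 Comm: svc_smc_hvc_thr Not tainted
[    5.100030] pc : svc_normal_to_secure_thread+0x38/0x2a0
[    5.100040] ---[ end trace 0000000000000000 ]---
[   91.200000] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[   91.200010] CPU: 1 PID: 77 Comm: kworker/1:2 Not tainted
[   91.200020] pc : unrelated_example_fn+0x10/0x40
[   91.200030] ---[ end trace 0000000000000000 ]---
EOF
}

# Live use: dmesg | rsu_oops_check   or   journalctl -k | rsu_oops_check
sample_log | rsu_oops_check   # prints 1
```

The non-zero exit status on a clean log lets the function be used directly as a condition in a monitoring script.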
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that the Remote System Update (RSU) feature is properly enabled in the First Stage Boot Loader (FSBL) firmware to avoid triggering the NULL pointer dereference.
If RSU is not required, apply the patch that fixes the stratix10-rsu driver to properly clean up the async client and return early on failure, preventing the use of an invalid channel.
Avoid running unpatched kernel versions that include the vulnerable stratix10-rsu driver.