CVE-2026-53158
Analyzed Analyzed - Analysis Complete

NULL Pointer Dereference in Linux Kernel FastRPC

Vulnerability report for CVE-2026-53158, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-07-07

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: Fix NULL pointer dereference in rpmsg callback A NULL pointer dereference was observed on Hawi at boot when the DSP sends a glink message before fastrpc_rpmsg_probe() has completed initialization: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000178 pc : _raw_spin_lock_irqsave+0x34/0x8c lr : fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc] ... Call trace: _raw_spin_lock_irqsave+0x34/0x8c (P) fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc] qcom_glink_native_rx+0x538/0x6a4 qcom_glink_smem_intr+0x14/0x24 [qcom_glink_smem] The faulting address 0x178 corresponds to the lock variable inside struct fastrpc_channel_ctx, confirming that cctx is NULL when fastrpc_rpmsg_callback() attempts to take the spinlock. There are two issues here. First, dev_set_drvdata() is called before spin_lock_init() and idr_init(), leaving a window where the callback can retrieve a valid cctx pointer but operate on an uninitialized spinlock. Second, the rpmsg channel becomes live as soon as the driver is bound, so fastrpc_rpmsg_callback() can fire before dev_set_drvdata() is called at all, resulting in dev_get_drvdata() returning NULL. Fix both issues by moving all cctx initialization ahead of dev_set_drvdata() so the structure is fully initialized before it becomes visible to the callback, and add a NULL check in fastrpc_rpmsg_callback() as a guard against any remaining window.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-07-07
Generated
2026-07-15
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-14
NVD
EUVD

Affected Vendors & Products

Showing 14 associated CPEs
Vendor Product Version / Range
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 6.2 (inc) to 6.6.143 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.36 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.94 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.13 (exc)
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel 7.1
linux linux_kernel From 5.16 (inc) to 6.1.177 (exc)
linux linux_kernel From 5.11 (inc) to 5.15.211 (exc)
linux linux_kernel From 5.1 (inc) to 5.10.260 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability manifests as a NULL pointer dereference in the Linux kernel related to the fastrpc rpmsg callback, which can cause kernel crashes at boot time.

Detection can be performed by monitoring kernel logs for messages indicating a NULL pointer dereference or kernel oops related to fastrpc_rpmsg_callback or spinlock failures.

Suggested commands to detect this issue include checking the kernel ring buffer for relevant errors:

  • dmesg | grep -i 'fastrpc_rpmsg_callback'
  • dmesg | grep -i 'NULL pointer dereference'
  • journalctl -k | grep -i 'fastrpc'

Additionally, monitoring for kernel oops or panic messages during system boot can help identify if this vulnerability is triggered.

Executive Summary

This vulnerability is a NULL pointer dereference in the Linux kernel's fastrpc driver, specifically in the rpmsg callback function. It occurs when the DSP sends a glink message before the fastrpc_rpmsg_probe() function has completed initialization. This causes the callback to attempt to access a spinlock through a NULL pointer, leading to a kernel fault.

The root cause involves the order of initialization: dev_set_drvdata() is called before spin_lock_init() and idr_init(), creating a window where the callback can retrieve a pointer to an uninitialized structure or even a NULL pointer. Additionally, the rpmsg channel becomes active as soon as the driver is bound, so the callback can be triggered before dev_set_drvdata() is called, resulting in a NULL pointer dereference.

The fix involves moving all initialization of the context structure ahead of dev_set_drvdata() to ensure it is fully initialized before becoming visible to the callback, and adding a NULL check in the callback function as a safeguard.

Impact Analysis

This vulnerability can cause the Linux kernel to crash due to a NULL pointer dereference, leading to a kernel panic or system instability. This can result in denial of service, where the affected system becomes unresponsive or requires a reboot.

Mitigation Strategies

This vulnerability is caused by a NULL pointer dereference in the fastrpc rpmsg callback due to improper initialization order and lack of NULL checks.

Immediate mitigation steps include ensuring that the fastrpc_channel_ctx structure is fully initialized before it becomes visible to the callback. This means moving all context initialization ahead of dev_set_drvdata() so that the spinlock and idr are properly initialized before use.

Additionally, adding a NULL check in the fastrpc_rpmsg_callback() function acts as a guard against any remaining race conditions where the callback might be invoked before initialization completes.

Practically, this means updating the Linux kernel to a version where this fix is applied or applying the patch that reorders initialization and adds the NULL check.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53158. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart