CVE-2026-53158
Received Received - Intake
NULL Pointer Dereference in Linux Kernel FastRPC

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: Fix NULL pointer dereference in rpmsg callback A NULL pointer dereference was observed on Hawi at boot when the DSP sends a glink message before fastrpc_rpmsg_probe() has completed initialization: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000178 pc : _raw_spin_lock_irqsave+0x34/0x8c lr : fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc] ... Call trace: _raw_spin_lock_irqsave+0x34/0x8c (P) fastrpc_rpmsg_callback+0x3c/0xcc [fastrpc] qcom_glink_native_rx+0x538/0x6a4 qcom_glink_smem_intr+0x14/0x24 [qcom_glink_smem] The faulting address 0x178 corresponds to the lock variable inside struct fastrpc_channel_ctx, confirming that cctx is NULL when fastrpc_rpmsg_callback() attempts to take the spinlock. There are two issues here. First, dev_set_drvdata() is called before spin_lock_init() and idr_init(), leaving a window where the callback can retrieve a valid cctx pointer but operate on an uninitialized spinlock. Second, the rpmsg channel becomes live as soon as the driver is bound, so fastrpc_rpmsg_callback() can fire before dev_set_drvdata() is called at all, resulting in dev_get_drvdata() returning NULL. Fix both issues by moving all cctx initialization ahead of dev_set_drvdata() so the structure is fully initialized before it becomes visible to the callback, and add a NULL check in fastrpc_rpmsg_callback() as a guard against any remaining window.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-06-25
AI Q&A
2026-06-25
EPSS Evaluated
N/A
NVD
CVE-2026-53158
EUVD
EUVD-2026-39249
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
qualcomm fastrpc *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability manifests as a NULL pointer dereference in the Linux kernel related to the fastrpc rpmsg callback, which can cause kernel crashes at boot time.

Detection can be performed by monitoring kernel logs for messages indicating a NULL pointer dereference or kernel oops related to fastrpc_rpmsg_callback or spinlock failures.

Suggested commands to detect this issue include checking the kernel ring buffer for relevant errors:

  • dmesg | grep -i 'fastrpc_rpmsg_callback'
  • dmesg | grep -i 'NULL pointer dereference'
  • journalctl -k | grep -i 'fastrpc'

Additionally, monitoring for kernel oops or panic messages during system boot can help identify if this vulnerability is triggered.

Executive Summary

This vulnerability is a NULL pointer dereference in the Linux kernel's fastrpc driver, specifically in the rpmsg callback function. It occurs when the DSP sends a glink message before the fastrpc_rpmsg_probe() function has completed initialization. This causes the callback to attempt to access a spinlock through a NULL pointer, leading to a kernel fault.

The root cause involves the order of initialization: dev_set_drvdata() is called before spin_lock_init() and idr_init(), creating a window where the callback can retrieve a pointer to an uninitialized structure or even a NULL pointer. Additionally, the rpmsg channel becomes active as soon as the driver is bound, so the callback can be triggered before dev_set_drvdata() is called, resulting in a NULL pointer dereference.

The fix involves moving all initialization of the context structure ahead of dev_set_drvdata() to ensure it is fully initialized before becoming visible to the callback, and adding a NULL check in the callback function as a safeguard.

Impact Analysis

This vulnerability can cause the Linux kernel to crash due to a NULL pointer dereference, leading to a kernel panic or system instability. This can result in denial of service, where the affected system becomes unresponsive or requires a reboot.

Mitigation Strategies

This vulnerability is caused by a NULL pointer dereference in the fastrpc rpmsg callback due to improper initialization order and lack of NULL checks.

Immediate mitigation steps include ensuring that the fastrpc_channel_ctx structure is fully initialized before it becomes visible to the callback. This means moving all context initialization ahead of dev_set_drvdata() so that the spinlock and idr are properly initialized before use.

Additionally, adding a NULL check in the fastrpc_rpmsg_callback() function acts as a guard against any remaining race conditions where the callback might be invoked before initialization completes.

Practically, this means updating the Linux kernel to a version where this fix is applied or applying the patch that reorders initialization and adds the NULL check.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53158. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart