CVE-2026-53204
Received Received - Intake
BaseFortify

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: firmware: stratix10-rsu: Fix NULL deref on rsu_send_msg() timeout in probe rsu_send_msg() can return -ETIMEDOUT when wait_for_completion_interruptible_timeout() fires while the SMC call is still pending. In stratix10_rsu_probe(), the error paths for COMMAND_RSU_DCMF_VERSION, COMMAND_RSU_DCMF_STATUS, COMMAND_RSU_MAX_RETRY and COMMAND_RSU_GET_SPT_TABLE call stratix10_svc_free_channel() - which sets chan->scl to NULL - but then fall through and queue the next request on the same channel. The next svc kthread that runs will dereference pdata->chan->scl in its receive callback path, triggering a NULL pointer dereference identical to the one fixed by commit c45f7263100c ("firmware: stratix10-rsu: Fix NULL pointer dereference when RSU is disabled") for the COMMAND_RSU_STATUS path. Apply the same cleanup pattern to the remaining failure paths: remove the async client, free the channel, and return early so no further messages are queued on a channel whose scl has been cleared. While at it, clean up stratix10_rsu_probe() in two ways without changing behavior: - Drop redundant zero-initialization of fields already cleared by devm_kzalloc(): client.receive_cb, status.* and spt0/1_address (INVALID_SPT_ADDRESS is 0x0). - Replace five identical 3-line error-cleanup blocks (stratix10_svc_remove_async_client() + stratix10_svc_free_channel() + return ret) with goto labels (remove_async_client, free_channel), matching the standard kernel resource-unwinding pattern and making it easier to extend the probe sequence without forgetting matching cleanup. Also move init_completion() next to mutex_init() so sync-primitive initialization is grouped before anything that could trigger a callback. --- v2: Add a minor clean-up of the function stratix10_rsu_probe() to have a centralize exit for all the rsu_send_async_msg() and rsu_send_msg().
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-06-25
AI Q&A
2026-06-25
EPSS Evaluated
N/A
NVD
CVE-2026-53204
EUVD
EUVD-2026-39295
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
intel stratix10_rsu *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's firmware component for the Intel Stratix10 RSU (Remote System Update). It involves a NULL pointer dereference in the function rsu_send_msg() when a timeout occurs during a system management call (SMC). Specifically, if rsu_send_msg() times out but the SMC call is still pending, error handling code incorrectly frees a communication channel and sets a pointer to NULL but then continues to queue further requests on that now-invalid channel. When the next kernel thread tries to access this cleared pointer, it triggers a NULL pointer dereference, causing a potential crash or instability.

The fix involves applying proper cleanup by removing the asynchronous client, freeing the channel, and returning early to prevent further messages from being queued on a freed channel. Additional code cleanups were made to improve maintainability and follow standard kernel resource management patterns.

Impact Analysis

This vulnerability can lead to a NULL pointer dereference in the Linux kernel, which may cause the kernel to crash or become unstable. Such crashes can result in denial of service (DoS) conditions, affecting system availability and reliability. Systems using the affected firmware component for Intel Stratix10 RSU could experience unexpected reboots or failures during remote system update operations.

Mitigation Strategies

The vulnerability is fixed by applying the patch that corrects the NULL pointer dereference in the stratix10-rsu firmware driver within the Linux kernel.

Immediate mitigation involves updating the Linux kernel to a version that includes the fix for the stratix10-rsu probe NULL dereference issue.

The fix ensures that error paths properly clean up and return early without queuing further messages on a cleared channel, preventing the NULL pointer dereference.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53204. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart