CVE-2026-53298
Received - Intake
NULL Pointer Dereference in Linux Kernel Airoha QDMA Driver

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

net: airoha: Move ndesc initialization at end of airoha_qdma_init_rx_queue()

If queue entry or DMA descriptor list allocation fails in airoha_qdma_init_rx_queue routine, airoha_qdma_cleanup() will trigger a NULL pointer dereference running netif_napi_del() for RX queue NAPIs since netif_napi_add() has never been executed to this particular RX NAPI. The issue is due to the early ndesc initialization in airoha_qdma_init_rx_queue() since airoha_qdma_cleanup() relies on ndesc value to check if the queue is properly initialized.

Fix the issue moving ndesc initialization at end of airoha_qdma_init_tx routine. Move page_pool allocation after descriptor list allocation in order to avoid memory leaks if desc allocation fails.

Meta Information
Published: 2026-06-26
Last Modified: 2026-06-26
Generated: 2026-06-27
AI Q&A: 2026-06-26
EPSS Evaluated: N/A

Affected Vendors & Products
Showing 1 associated CPE
Vendor: airoha
Product: linux_kernel
Version / Range: *

CWE ID: CWE-UNKNOWN

Executive Summary

This vulnerability exists in the Linux kernel's airoha network driver. It occurs because the initialization of the 'ndesc' variable happens too early in the airoha_qdma_init_rx_queue() function. If the allocation of queue entries or DMA descriptor lists fails, the cleanup function airoha_qdma_cleanup() attempts to dereference a NULL pointer when calling netif_napi_del() for RX queue NAPIs. This happens because netif_napi_add() was never called for that RX NAPI, leading to an invalid cleanup operation.

The root cause is that airoha_qdma_cleanup() relies on the 'ndesc' value to determine if the queue was properly initialized. Since 'ndesc' was set too early, the cleanup function incorrectly assumes initialization succeeded. The fix involves moving the 'ndesc' initialization to the end of the airoha_qdma_init_rx_queue() routine and adjusting the order of page_pool allocation to prevent memory leaks if descriptor allocation fails.
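
A simplified userspace model of the ordering problem described above, added here as an illustration; it is not the airoha driver's code, and every name in it (struct rxq, rxq_init, rxq_cleanup, napi_add, napi_del, simulate) is hypothetical. It models only the NULL dereference, not the page_pool leak, and counts the fault instead of crashing.

```c
/* Userspace model of the init/cleanup ordering bug; NOT the airoha driver source.
 * All identifiers are hypothetical stand-ins for the kernel objects named above. */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

struct napi { int weight; };                    /* stand-in for per-queue NAPI state */
struct rxq  { int ndesc; void *entry; struct napi *napi; };

static struct napi napi_storage;
static int null_derefs;                         /* each count would be a kernel oops */

static void napi_add(struct rxq *q) { q->napi = &napi_storage; }
static void napi_del(struct rxq *q)
{
    if (!q->napi) { null_derefs++; return; }    /* never added: model the fault */
    q->napi = NULL;
}

/* fail_alloc simulates the entry/descriptor allocation returning NULL. */
static int rxq_init(struct rxq *q, int ndesc, bool early_ndesc, bool fail_alloc)
{
    if (early_ndesc)
        q->ndesc = ndesc;                       /* pre-fix order: marker set first */
    q->entry = fail_alloc ? NULL : calloc((size_t)ndesc, sizeof(long));
    if (!q->entry)
        return -1;                              /* error path: NAPI never registered */
    napi_add(q);
    q->ndesc = ndesc;                           /* fixed order: marker set last */
    return 0;
}

/* Cleanup trusts ndesc as the "queue was initialized" marker. */
static void rxq_cleanup(struct rxq *q)
{
    if (!q->ndesc)
        return;                                 /* skipped when init never completed */
    napi_del(q);
    free(q->entry);
    q->entry = NULL;
    q->ndesc = 0;
}

/* One init + cleanup cycle; returns the number of modeled NULL dereferences. */
int simulate(bool early_ndesc, bool fail_alloc)
{
    struct rxq q = {0};
    null_derefs = 0;
    rxq_init(&q, 16, early_ndesc, fail_alloc);
    rxq_cleanup(&q);
    return null_derefs;
}
```

Only the combination of early marker assignment and a failed allocation reaches napi_del() on an unregistered NAPI; with the marker set last, cleanup skips the half-built queue.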

Impact Analysis

This vulnerability can cause a NULL pointer dereference in the Linux kernel's network driver, which may lead to a kernel crash or system instability. Such crashes can result in denial of service (DoS) conditions, disrupting network functionality and potentially affecting the availability of systems relying on the affected driver.
