CVE-2026-53298
Analyzed Analyzed - Analysis Complete

NULL Pointer Dereference in Linux Kernel Airoha QDMA Driver

Vulnerability report for CVE-2026-53298, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-26

Last updated on: 2026-07-08

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved: net: airoha: Move ndesc initialization at end of airoha_qdma_init_rx_queue() If queue entry or DMA descriptor list allocation fails in airoha_qdma_init_rx_queue routine, airoha_qdma_cleanup() will trigger a NULL pointer dereference running netif_napi_del() for RX queue NAPIs since netif_napi_add() has never been executed to this particular RX NAPI. The issue is due to the early ndesc initialization in airoha_qdma_init_rx_queue() since airoha_qdma_cleanup() relies on ndesc value to check if the queue is properly initialized. Fix the issue moving ndesc initialization at end of airoha_qdma_init_tx routine. Move page_pool allocation after descriptor list allocation in order to avoid memory leaks if desc allocation fails.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-26
Last Modified
2026-07-08
Generated
2026-07-17
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.13 (inc) to 6.18.33 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.10 (exc)
linux linux_kernel From 6.11 (inc) to 6.12.91 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's airoha network driver. It occurs because the initialization of the 'ndesc' variable happens too early in the airoha_qdma_init_rx_queue() function. If the allocation of queue entries or DMA descriptor lists fails, the cleanup function airoha_qdma_cleanup() attempts to dereference a NULL pointer when calling netif_napi_del() for RX queue NAPIs. This happens because netif_napi_add() was never called for that RX NAPI, leading to an invalid cleanup operation.

The root cause is that airoha_qdma_cleanup() relies on the 'ndesc' value to determine if the queue was properly initialized. Since 'ndesc' was set too early, the cleanup function incorrectly assumes initialization succeeded. The fix involves moving the 'ndesc' initialization to the end of the airoha_qdma_init_rx_queue() routine and adjusting the order of page_pool allocation to prevent memory leaks if descriptor allocation fails.

Impact Analysis

This vulnerability can cause a NULL pointer dereference in the Linux kernel's network driver, which may lead to a kernel crash or system instability. Such crashes can result in denial of service (DoS) conditions, disrupting network functionality and potentially affecting the availability of systems relying on the affected driver.

Mitigation Strategies

The vulnerability has been resolved by moving the ndesc initialization to the end of the airoha_qdma_init_rx_queue() routine and adjusting the allocation order to avoid memory leaks and NULL pointer dereferences.

To mitigate this vulnerability immediately, you should update your Linux kernel to a version that includes this fix.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53298. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart