CVE-2026-53332
Received - Intake

Race Condition in Linux Kernel Slimbus Qcom-NGD-Ctrl Driver

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: kernel.org

Description

In the Linux kernel, the following vulnerability has been resolved:

slimbus: qcom-ngd-ctrl: Register callbacks after creating the ngd

When the remoteproc starts in parallel with the NGD driver being probed, or the remoteproc is already up when the PDR lookup is being registered, or in the theoretical event that we get an interrupt from the hardware, these callbacks will operate on uninitialized data.

This results in issues booting the affected boards. One such example can be seen in the following fault, where qcom_slim_ngd_ssr_pdr_notify() schedules work on the NULL ngd_up_work.

    [ 21.858578] ------------[ cut here ]------------
    [ 21.858745] WARNING: kernel/workqueue.c:2338 at __queue_work+0x5e0/0x790, CPU#2: kworker/2:2/116
    ...
    [ 21.859251] Call trace:
    [ 21.859255] __queue_work+0x5e0/0x790 (P)
    [ 21.859265] queue_work_on+0x6c/0xf0
    [ 21.859273] qcom_slim_ngd_ssr_pdr_notify+0x110/0x150 [slim_qcom_ngd_ctrl]
    [ 21.859304] qcom_slim_ngd_ssr_notify+0x24/0x40 [slim_qcom_ngd_ctrl]
    [ 21.859318] notifier_call_chain+0xa4/0x230
    [ 21.859329] srcu_notifier_call_chain+0x64/0xb8
    [ 21.859338] ssr_notify_start+0x40/0x78 [qcom_common]
    [ 21.859355] rproc_start+0x130/0x230
    [ 21.859367] rproc_boot+0x3d4/0x518
    ...

Move the enablement of interrupts, and the registration of SSR and PDR until after the NGD device has been registered.

This could be further refined by moving initialization to the control driver probe and by removing the platform driver model from the picture.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE
Vendor | Product | Version / Range
qcom | qcom-ngd-ctrl | *

Exploitability

CWE ID: CWE-UNKNOWN

Executive Summary

This vulnerability exists in the Linux kernel's qcom-ngd-ctrl driver. It occurs when callbacks are registered before the NGD device is fully initialized. Specifically, if the remoteproc starts in parallel with the NGD driver being probed, or if the remoteproc is already running when the PDR lookup is registered, callbacks may operate on uninitialized data.

This leads to issues such as scheduling work on a NULL pointer (ngd_up_work), which can cause kernel warnings and potentially disrupt the boot process of affected boards.

The fix involves moving the enablement of interrupts and the registration of SSR and PDR until after the NGD device has been registered, ensuring callbacks only operate on properly initialized data.

Impact Analysis

This vulnerability can cause the affected Linux kernel systems to experience boot failures or instability due to callbacks operating on uninitialized data.

Such instability can lead to system crashes, degraded performance, or inability to properly start certain hardware components, particularly on boards using the qcom-ngd-ctrl driver.

Detection Guidance

This vulnerability can be detected by monitoring the system logs for specific kernel warnings and call traces related to the qcom-ngd-ctrl driver. Look for messages indicating workqueue warnings and NULL pointer dereferences involving qcom_slim_ngd_ssr_pdr_notify and related functions.

  • Check kernel logs using: dmesg | grep -i 'qcom_slim_ngd_ssr_pdr_notify'
  • Look for workqueue warnings: dmesg | grep -i 'WARNING: kernel/workqueue.c'
  • Search for call traces involving slim_qcom_ngd_ctrl: dmesg | grep -i 'slim_qcom_ngd_ctrl'
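
The three greps above, combined into one check, as an added example that is not part of the original report: it counts kernel splats in which the workqueue WARNING and the qcom_slim_ngd_ssr_pdr_notify frame from slim_qcom_ngd_ctrl occur together. The function and sample names are assumptions made here; the affected sample reuses trace lines from the description, and the unrelated sample is constructed.

```shell
#!/bin/sh
# Added example: correlate the workqueue WARNING with the slimbus NGD notifier
# frame inside one splat, so an unrelated workqueue warning is not counted.
# Live use: dmesg | scan_ngd_race    or    journalctl -k -b | scan_ngd_race

# Reads kernel log text on stdin; prints the number of matching splats.
scan_ngd_race() {
    awk '
        /cut here/  { in_splat = 0 }   # a new splat begins, reset state
        /end trace/ { in_splat = 0 }   # splat finished without a match
        # ".*" also accepts the older "WARNING: CPU: n PID: m at <file>" layout
        /WARNING: .*kernel\/workqueue\.c/ { in_splat = 1; next }
        in_splat && /qcom_slim_ngd_ssr_pdr_notify/ && /\[slim_qcom_ngd_ctrl\]/ {
            hits++; in_splat = 0       # count each splat once
        }
        END { print hits + 0 }
    '
}

sample_affected() {   # trace lines as shown in the CVE description
cat <<'EOF'
[ 21.858578] ------------[ cut here ]------------
[ 21.858745] WARNING: kernel/workqueue.c:2338 at __queue_work+0x5e0/0x790, CPU#2: kworker/2:2/116
[ 21.859251] Call trace:
[ 21.859255] __queue_work+0x5e0/0x790 (P)
[ 21.859265] queue_work_on+0x6c/0xf0
[ 21.859273] qcom_slim_ngd_ssr_pdr_notify+0x110/0x150 [slim_qcom_ngd_ctrl]
[ 21.859304] qcom_slim_ngd_ssr_notify+0x24/0x40 [slim_qcom_ngd_ctrl]
EOF
}

sample_unrelated() {  # constructed: same warning site, hypothetical module
cat <<'EOF'
[ 30.000001] ------------[ cut here ]------------
[ 30.000002] WARNING: kernel/workqueue.c:2338 at __queue_work+0x5e0/0x790, CPU#0: kworker/0:1/42
[ 30.000003] Call trace:
[ 30.000004] __queue_work+0x5e0/0x790 (P)
[ 30.000005] example_notify+0x10/0x20 [example_mod]
[ 30.000006] ---[ end trace 0000000000000000 ]---
[ 31.000000] qcom_slim_ngd_ssr_pdr_notify+0x110/0x150 [slim_qcom_ngd_ctrl]
EOF
}

if [ "${1:-}" = "--demo" ]; then
    echo "affected sample:  $(sample_affected | scan_ngd_race)"
    echo "unrelated sample: $(sample_unrelated | scan_ngd_race)"
fi
```

A non-zero count on a board using this driver points to the boot-time fault described above; the unrelated sample returns 0 even though each individual grep would match one of its lines.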

Mitigation Strategies

To mitigate this vulnerability, ensure that the NGD device is fully registered before enabling interrupts and registering SSR and PDR callbacks. This prevents callbacks from operating on uninitialized data.

If possible, update the Linux kernel to a version where this issue is resolved, as the fix involves moving the enablement of interrupts and registration of SSR and PDR until after the NGD device registration.

Consider delaying the initialization of the control driver probe and removing the platform driver model to further reduce the risk.
