CVE-2026-53158

Source
https://cve.org/CVERecord?id=CVE-2026-53158
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53158.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53158
Downstream
Related
Published
2026-06-25T08:38:40.818Z
Modified
2026-07-09T18:31:08.036020411Z
Summary
misc: fastrpc: Fix NULL pointer dereference in rpmsg callback
Details

In the Linux kernel, the following vulnerability has been resolved:

misc: fastrpc: Fix NULL pointer dereference in rpmsg callback

A NULL pointer dereference was observed on Hawi at boot when the DSP sends a glink message before fastrpcrpmsgprobe() has completed initialization:

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000178 pc : rawspinlockirqsave+0x34/0x8c lr : fastrpcrpmsgcallback+0x3c/0xcc [fastrpc] ... Call trace: rawspinlockirqsave+0x34/0x8c (P) fastrpcrpmsgcallback+0x3c/0xcc [fastrpc] qcomglinknativerx+0x538/0x6a4 qcomglinksmemintr+0x14/0x24 [qcomglinksmem]

The faulting address 0x178 corresponds to the lock variable inside struct fastrpcchannelctx, confirming that cctx is NULL when fastrpcrpmsgcallback() attempts to take the spinlock.

There are two issues here. First, devsetdrvdata() is called before spinlockinit() and idrinit(), leaving a window where the callback can retrieve a valid cctx pointer but operate on an uninitialized spinlock. Second, the rpmsg channel becomes live as soon as the driver is bound, so fastrpcrpmsgcallback() can fire before devsetdrvdata() is called at all, resulting in devget_drvdata() returning NULL.

Fix both issues by moving all cctx initialization ahead of devsetdrvdata() so the structure is fully initialized before it becomes visible to the callback, and add a NULL check in fastrpcrpmsgcallback() as a guard against any remaining window.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53158.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f6f9279f2bf0e37e2f1fb119d8832b8568536a04
Fixed
a3d91218ccca1e990bfb737b5a6da23f0afba22b
Fixed
0d8c64511fd45690c5326f013710efcb4f73a97e
Fixed
150bf6f1193c69252580c19d3b3cd631ddce61d7
Fixed
8fb4a23df5b7c02929b62e5dbc270ec7c42b8134
Fixed
4bfdf0a9855df55e9e031ca6a25b855820590c70
Fixed
d5de9cb5355db36438edc621dde3673e3f235767
Fixed
d77583ca33299fede0c194744ef2284e7ba5b763
Fixed
5401fb4fe10fac6134c308495df18ed74aebb9c4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53158.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.1.0
Fixed
5.10.260
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.211
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.177
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.143
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.94
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.18.36
Type
ECOSYSTEM
Events
Introduced
6.19.0
Fixed
7.0.13

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53158.json"