
CVE-2026-53204

Published: June 25, 2026 · Updated: Jun 30, 2026

EPSS: 0.15% probability of exploitation in 30 days · Percentile: 5.0th

Official Description

In the Linux kernel, the following vulnerability has been resolved:

firmware: stratix10-rsu: Fix NULL deref on rsu_send_msg() timeout in probe

rsu_send_msg() can return -ETIMEDOUT when wait_for_completion_interruptible_timeout() fires while the SMC call is still pending. In stratix10_rsu_probe(), the error paths for COMMAND_RSU_DCMF_VERSION, COMMAND_RSU_DCMF_STATUS, COMMAND_RSU_MAX_RETRY and COMMAND_RSU_GET_SPT_TABLE call stratix10_svc_free_channel() - which sets chan->scl to NULL - but then fall through and queue the next request on the same channel. The next svc kthread that runs will dereference pdata->chan->scl in its receive callback path, triggering a NULL pointer dereference identical to the one fixed by commit c45f7263100c ("firmware: stratix10-rsu: Fix NULL pointer dereference when RSU is disabled") for the COMMAND_RSU_STATUS path.

Apply the same cleanup pattern to the remaining failure paths: remove the async client, free the channel, and return early so no further messages are queued on a channel whose scl has been cleared.

While at it, clean up stratix10_rsu_probe() in two ways without changing behavior:

- Drop redundant zero-initialization of fields already cleared by devm_kzalloc(): client.receive_cb, status.* and spt0/1_address (INVALID_SPT_ADDRESS is 0x0).

- Replace five identical 3-line error-cleanup blocks (stratix10_svc_remove_async_client() + stratix10_svc_free_channel() + return ret) with goto labels (remove_async_client, free_channel), matching the standard kernel resource-unwinding pattern and making it easier to extend the probe sequence without forgetting matching cleanup.

Also move init_completion() next to mutex_init() so sync-primitive initialization is grouped before anything that could trigger a callback.

---

v2: Add a minor clean-up of the function stratix10_rsu_probe() to have a centralized exit for all the rsu_send_async_msg() and rsu_send_msg().

NVD Source
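
The fall-through described in the commit message and the goto-unwind fix, modelled in userspace C as an added example; this is not the kernel patch or the driver's code. The struct layouts, the four-command loop and every function body are simplified assumptions that only borrow names from the description.

```c
/* Userspace model, constructed for illustration (not kernel code). */
#include <errno.h>
#include <stddef.h>
struct svc_chan { void *scl; };   /* scl is NULL once the channel is freed */
struct rsu_priv { struct svc_chan *chan; int queued_on_freed; };
static void svc_free_channel(struct svc_chan *c) { c->scl = NULL; }
/* Stand-in for rsu_send_msg(): counts requests queued on a freed channel. */
static int send_msg(struct rsu_priv *p, int cmd, int fail_cmd)
{
    if (p->chan->scl == NULL)
        p->queued_on_freed++;   /* kernel callback would deref scl here */
    return cmd == fail_cmd ? -ETIMEDOUT : 0;
}

/* Before: the error path frees the channel, then falls through. */
static int probe_buggy(struct rsu_priv *p, int fail_cmd)
{
    int ret = 0;
    for (int cmd = 0; cmd < 4; cmd++) {
        ret = send_msg(p, cmd, fail_cmd);
        if (ret)
            svc_free_channel(p->chan);   /* no early return */
    }
    return ret;
}

/* After: first failure jumps to one unwind label and returns. */
static int probe_fixed(struct rsu_priv *p, int fail_cmd)
{
    int ret;
    for (int cmd = 0; cmd < 4; cmd++) {
        ret = send_msg(p, cmd, fail_cmd);
        if (ret)
            goto free_channel;
    }
    return 0;
free_channel:
    svc_free_channel(p->chan);
    return ret;
}

/* Runs one probe variant; returns requests queued after the free. */
static int queued_after_free(int fixed, int fail_cmd)
{
    int client = 0;
    struct svc_chan chan = { .scl = &client };
    struct rsu_priv p = { .chan = &chan, .queued_on_freed = 0 };
    (void)(fixed ? probe_fixed(&p, fail_cmd) : probe_buggy(&p, fail_cmd));
    return p.queued_on_freed;
}
```

In the model, a timeout on the second command leaves two later requests queued on the freed channel in the buggy variant and none in the fixed one.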

Technical Analysis

CVE-2026-53204 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

Affected Vendors & Products

Mentioned vendors (from description):
Linux
CPE data not yet available in NVD for this CVE.

Exploit & PoC Resources

NO KNOWN EXPLOIT: No public exploit confirmed at this time.
Always verify in a controlled environment before use.

Quick Facts

CVE ID: CVE-2026-53204
Severity: NONE
CISA KEV: No
EPSS (30d): 0.15%
Published: Jun 25, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-53204 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.