CVE-2026-53298 - Vulnerability Details

Description

In the Linux kernel, the following vulnerability has been resolved:

net: airoha: Move ndesc initialization at end of airoha_qdma_init_rx_queue()

If queue entry or DMA descriptor list allocation fails in
airoha_qdma_init_rx_queue routine, airoha_qdma_cleanup() will trigger a
NULL pointer dereference running netif_napi_del() for RX queue NAPIs
since netif_napi_add() has never been executed to this particular RX NAPI.
The issue is due to the early ndesc initialization in
airoha_qdma_init_rx_queue() since airoha_qdma_cleanup() relies on ndesc
value to check if the queue is properly initialized. Fix the issue moving
ndesc initialization at end of airoha_qdma_init_tx routine.
Move page_pool allocation after descriptor list allocation in order to
avoid memory leaks if desc allocation fails.

Published: 2026-06-26

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

In the Linux kernel's airoha network driver, a null pointer dereference occurs when the cleanup routine is called after a failed DMA descriptor or queue entry allocation. The fault happens because the driver initializes a descriptor count variable too early, so the cleanup code mistakenly detects the queue as initialized and attempts to delete a NAPI object that was never added. The result is a kernel panic that brings the system down. Additionally, moving the page pool allocation after the descriptor list allocation prevents memory leaks when descriptor allocation fails.

Affected Systems

All systems running a Linux kernel that includes the airoha network driver, regardless of specific version, are affected. The vulnerability is tied to the driver’s initialization logic and cleanup handling.

Risk and Exploitability

EPSS information is unavailable and the issue is not listed in the CISA KEV catalog, so publicly documented exploitation data is limited. The vulnerability requires access to the airoha device and sufficient privileges to trigger driver initialization failures, implying a local or privileged-level attack vector. While the CVSS score is not supplied, the potential for a denial‑of‑service crash makes it a high‑impact bug in kernels where the flawed driver is present.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`23020f04932701d5c8363e60756f12b43b8ed752`	affected	< d36be272adda7f313e39dd118086955d993bf6a7
`23020f04932701d5c8363e60756f12b43b8ed752`	affected	< 4d4acfa348a1d8c0941004823662ede0fdb5dea5
`23020f04932701d5c8363e60756f12b43b8ed752`	affected	< 14dc48e5ba73d5c69559bf1a1a6884f7843aade7
`23020f04932701d5c8363e60756f12b43b8ed752`	affected	< 379050947a1828826ad7ea50c95245a56929b35a

Linux

affected

Version	Status	Constraints
`6.11`	affected	—
`0`	unaffected	< 6.11
`6.12.91`	unaffected	≤ 6.12.*
`6.18.33`	unaffected	≤ 6.18.*
`7.0.10`	unaffected	≤ 7.0.*
`7.1`	unaffected	≤ *

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply an updated Linux kernel version that includes the fixed driver code.
If the kernel cannot be updated immediately, disable or replace the airoha network driver until the patch is available.
Monitor system logs for NAPI_handler failures and reboot the affected kernel if a crash occurs.

Generated by OpenCVE AI on June 26, 2026 at 22:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/14dc48e5ba73d5c69559bf1a1a6884f7843aade7
https://git.kernel.org/stable/c/379050947a1828826ad7ea50c95245a56929b35a
https://git.kernel.org/stable/c/4d4acfa348a1d8c0941004823662ede0fdb5dea5
https://git.kernel.org/stable/c/d36be272adda7f313e39dd118086955d993bf6a7

History

Fri, 26 Jun 2026 22:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476

Fri, 26 Jun 2026 20:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: net: airoha: Move ndesc initialization at end of airoha_qdma_init_rx_queue() If queue entry or DMA descriptor list allocation fails in airoha_qdma_init_rx_queue routine, airoha_qdma_cleanup() will trigger a NULL pointer dereference running netif_napi_del() for RX queue NAPIs since netif_napi_add() has never been executed to this particular RX NAPI. The issue is due to the early ndesc initialization in airoha_qdma_init_rx_queue() since airoha_qdma_cleanup() relies on ndesc value to check if the queue is properly initialized. Fix the issue moving ndesc initialization at end of airoha_qdma_init_tx routine. Move page_pool allocation after descriptor list allocation in order to avoid memory leaks if desc allocation fails.
Title		net: airoha: Move ndesc initialization at end of airoha_qdma_init_rx_queue()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/14dc48e5ba73d5c69559bf1a1a6884f7843aade7 https://git.kernel.org/stable/c/379050947a1828826ad7ea50c95245a56929b35a https://git.kernel.org/stable/c/4d4acfa348a1d8c0941004823662ede0fdb5dea5 https://git.kernel.org/stable/c/d36be272adda7f313e39dd118086955d993bf6a7

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-26T19:40:55.867Z

Updated: 2026-06-26T19:40:55.867Z

Reserved: 2026-06-09T07:44:35.396Z

Link: CVE-2026-53298

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T22:30:04Z

Weaknesses

CWE-476
NULL Pointer Dereference

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object