Description
In the Linux kernel, the following vulnerability has been resolved:

soc/tegra: cbb: Fix cross-fabric target timeout lookup

When a fabric receives an error interrupt, the error may have
occurred on a different fabric. The target timeout lookup was using
the wrong base address (cbb->regs) with offsets from a different
fabric's target map, causing a kernel page fault.

Unable to handle kernel paging request at virtual address ffff80000954cc00
pc : tegra234_cbb_get_tmo_slv+0xc/0x28
Call trace:
tegra234_cbb_get_tmo_slv+0xc/0x28
print_err_notifier+0x6c0/0x7d0
tegra234_cbb_isr+0xe4/0x1b4

Add tegra234_cbb_get_fabric() to look up the correct fabric device
using fab_id, and use its base address for accessing target timeout
registers.
Published: 2026-06-26
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel module for NVIDIA Tegra’s Crossbar Bridge (cbb) was incorrectly using the base address of one fabric while accessing registers belonging to another fabric during an error interrupt. This caused the kernel to dereference an invalid address and triggered a page fault. The fault leads to an unhandled kernel exception, resulting in a system crash and denial of service for any processes running on the affected device. The flaw is a kernel‑space memory access bug that can be exploited if the error interrupt can be triggered, but it does not provide arbitrary code execution.

Affected Systems

All Linux kernel builds that contain the Tegra Soc cbb driver are susceptible, as the vulnerability is tied to the general cross‑fabric target timeout lookup logic rather than a specific release. Systems with NVIDIA Tegra SoCs that use the soc/tegra: cbb driver, such as various embedded and mobile platforms, fall into this category. No version restrictions were supplied in the data, so any installation running the affected driver code is at risk.

Risk and Exploitability

The CVSS score of 5.5 indicates a moderate severity, and the EPSS score of < 1% suggests a very low likelihood of exploitation in the wild. It is not listed in CISA’s KEV catalog, implying no known active exploitation. The likely attack vector requires an attacker to trigger a fabric error interrupt that leads to an incorrect base address lookup; this is generally a local or privileged operation within the kernel. Though remote exploitation is improbable, any kernel crash immediately terminates all user processes, creating a denial of service that could impact availability of the device. In the absence of a current exploitation record, the risk remains moderate until a patch is applied.

Generated by OpenCVE AI on June 29, 2026 at 16:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the commits referenced in the advisory (e.g., commit 8445d69 and related patches) to correct the base address lookup logic.
  • If an immediate kernel upgrade is not possible, consider disabling the affected cbb error handling path or applying a temporary local patch that redirects fabric target lookups to the correct base address, as suggested by the commit metadata.
  • For custom or vendor‑specific kernel builds, update the source code to include the latest Tegra cbb fixes and recompile the kernel to ensure the corrected logic is deployed.

Generated by OpenCVE AI on June 29, 2026 at 16:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125

Mon, 29 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-823
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Fri, 26 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125

Fri, 26 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: soc/tegra: cbb: Fix cross-fabric target timeout lookup When a fabric receives an error interrupt, the error may have occurred on a different fabric. The target timeout lookup was using the wrong base address (cbb->regs) with offsets from a different fabric's target map, causing a kernel page fault. Unable to handle kernel paging request at virtual address ffff80000954cc00 pc : tegra234_cbb_get_tmo_slv+0xc/0x28 Call trace: tegra234_cbb_get_tmo_slv+0xc/0x28 print_err_notifier+0x6c0/0x7d0 tegra234_cbb_isr+0xe4/0x1b4 Add tegra234_cbb_get_fabric() to look up the correct fabric device using fab_id, and use its base address for accessing target timeout registers.
Title soc/tegra: cbb: Fix cross-fabric target timeout lookup
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-26T19:41:04.227Z

Reserved: 2026-06-09T07:44:35.397Z

Link: CVE-2026-53310

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-26T00:00:00Z

Links: CVE-2026-53310 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T16:30:17Z

Weaknesses
  • CWE-823

    Use of Out-of-range Pointer Offset