CVE-2026-53298
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk2th percentile — higher than 2% of all known CVEs
Summary
In the Linux kernel network driver for Airoha chips, a NULL pointer dereference vulnerability was found. It occurs when queue entry or DMA descriptor list allocation fails in airoha_qdma_init_rx_queue(), and then airoha_qdma_cleanup() tries to delete RX queue NAPI even though netif_napi_add() was never called. The issue is caused by early initialization of the ndesc variable, which is used to check if the queue is properly initialized.
Risk Assessment
An attacker could exploit this vulnerability to cause a kernel panic by intentionally triggering a memory allocation failure, leading to network service disruption and potential system unavailability.
Recommendation
Immediately update the Linux kernel to a version containing the fix that moves ndesc initialization to the end of airoha_qdma_init_rx_queue() and page_pool allocation after descriptor list allocation. Check your Linux distributor for the available patch.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: net: airoha: Move ndesc initialization at end of airoha_qdma_init_rx_queue() If queue entry or DMA descriptor list allocation fails in airoha_qdma_init_rx_queue routine, airoha_qdma_cleanup() will trigger a NULL pointer dereference running netif_napi_del() for RX queue NAPIs since netif_napi_add() has never been executed to this particular RX NAPI. The issue is due to the early ndesc initialization in airoha_qdma_init_rx_queue() since airoha_qdma_cleanup() relies on ndesc value to check if the queue is properly initialized. Fix the issue moving ndesc initialization at end of airoha_qdma_init_tx routine. Move page_pool allocation after descriptor list allocation in order to avoid memory leaks if desc allocation fails.

