PatchSiren cyber security CVE debrief

CVE-2026-43410 Linux CVE debrief

CVE-2026-43410 is a Linux kernel availability vulnerability in the Stratix10 Remote System Update (RSU) driver. When RSU is not enabled in the First Stage Boot Loader (FSBL), the driver continues after a failed async message send, later dereferences an invalid channel, and panics the kernel. NVD rates the issue CVSS 3.1 5.5/Medium: local attack vector, high availability impact, no confidentiality or integrity impact.

Vendor: Linux
Product: Unknown
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-08
Original CVE updated: 2026-05-21
Advisory published: 2026-05-08
Advisory updated: 2026-05-21

Who should care

Linux kernel maintainers, distro security teams, and operators of Intel/Altera SoCFPGA Stratix 10 systems that include the stratix10-rsu driver should care most. This is especially relevant where firmware or FSBL configurations may leave RSU disabled, because the issue is triggered by that runtime state rather than by network exposure.

Technical summary

The reported bug is a NULL pointer dereference in the kernel's firmware: stratix10-rsu driver. According to the CVE description, rsu_send_async_msg() fails when RSU is disabled in firmware and the channel is freed via stratix10_svc_free_channel(), but the probe path continues and registers svc_normal_to_secure_thread(). That thread later uses the already-freed channel, leading to a kernel NULL pointer dereference and panic. NVD maps the weakness to CWE-476 and lists the affected Linux kernel versions as 6.19 up to, but not including, 6.19.9, plus 7.0-rc1, 7.0-rc2, and 7.0-rc3.
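The control-flow shape described above, as a userspace C model added here for illustration (not the kernel's or the project's code): the unpatched probe frees the channel after the failed async send but keeps going and registers the worker, while the patched flow returns the error before any worker exists. Function names mirror those in the CVE text; the channel struct, the sample id 42, the `fixed` switch and the -ENODEV code are assumptions of this model.

```c
/* Userspace model of the stratix10-rsu probe error path described above (added
 * example, not kernel code: names mirror the CVE text, bodies are stubs, -ENODEV is assumed). */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
struct svc_chan { int id; };               /* stand-in for the service channel */
struct rsu_priv {
    struct svc_chan *chan;                 /* NULL once freed: the "invalid channel" */
    bool thread_registered;                /* set once kthread_run() starts the worker */
};
static struct svc_chan rsu_chan = { 42 };  /* constructed sample channel */
/* rsu_send_async_msg() fails when RSU is not enabled in FSBL. */
static int rsu_send_async_msg(bool rsu_enabled_in_fsbl) { return rsu_enabled_in_fsbl ? 0 : -ENODEV; }
static void stratix10_svc_free_channel(struct rsu_priv *priv) { priv->chan = NULL; }
/* The worker trusts priv->chan unconditionally: running it after the channel
 * was freed is the NULL dereference that panics the kernel. */
static int svc_normal_to_secure_thread(struct rsu_priv *priv) { return priv->chan->id; }
/* 'fixed' selects the patched flow: after a failed async send the channel is
 * freed AND probe returns the error, so the worker is never registered. */
static int stratix10_rsu_probe(struct rsu_priv *priv, bool rsu_enabled_in_fsbl, bool fixed)
{
    priv->chan = &rsu_chan;                /* stands in for the channel request */
    priv->thread_registered = false;
    int ret = rsu_send_async_msg(rsu_enabled_in_fsbl);
    if (ret) {
        stratix10_svc_free_channel(priv);
        if (fixed)
            return ret;
        /* vulnerable: fall through with priv->chan == NULL */
    }
    priv->thread_registered = true;        /* kthread_run(svc_normal_to_secure_thread, ...) */
    return 0;
}
/* Probe reported success yet left a registered worker holding an invalid channel. */
static bool leaves_dangling_worker(bool rsu_enabled_in_fsbl, bool fixed)
{
    struct rsu_priv p;
    return stratix10_rsu_probe(&p, rsu_enabled_in_fsbl, fixed) == 0
           && p.thread_registered && p.chan == NULL;
}
int main(void)
{
    struct rsu_priv p;
    printf("RSU disabled, unpatched: dangling worker = %d\n", leaves_dangling_worker(false, false));
    int ret = stratix10_rsu_probe(&p, false, true);
    printf("RSU disabled, patched:   probe returns %d, worker registered = %d\n", ret, p.thread_registered);
    stratix10_rsu_probe(&p, true, true);
    printf("RSU enabled:             worker reads channel id %d\n", svc_normal_to_secure_thread(&p));
    return 0;
}
```

The unpatched, RSU-disabled case is the only one that leaves a worker registered against a NULL channel, which is the state the later dereference turns into a panic.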

Defensive priority

Medium. The issue has no confidentiality or integrity impact, but it can crash the kernel on affected systems. Priority should be higher for fleets that run Stratix 10 hardware or custom kernels with this driver enabled and that may boot with RSU disabled in firmware.

Recommended defensive actions

  • Apply the referenced kernel patches from the official Linux stable references.
  • Verify whether deployed Stratix 10 systems use the stratix10-rsu driver and whether RSU is disabled in FSBL or firmware.
  • Backport the fix into any supported kernel branches that include the affected code path.
  • Test boot and service behavior on representative hardware after patching to confirm the driver now exits cleanly when RSU is unavailable.
  • Track the affected kernel version window in patch management, especially Linux 6.19 up to, but not including, 6.19.9 and the listed 7.0 release candidates.

Evidence notes

The CVE description states that when RSU is not enabled in FSBL, rsu_send_async_msg() fails, the channel is freed, but probe continues and registers svc_normal_to_secure_thread(), which later dereferences the invalid channel and panics the kernel. NVD assigns CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H and CWE-476. The supplied source also includes two official kernel patch references, indicating a code-level fix was published.

Official resources

Publicly disclosed in the CVE record on 2026-05-08T15:16:52.633Z; the supplied NVD record was modified on 2026-05-21T18:14:24.140Z. Not listed as KEV in the supplied enrichment.