Skip to main content

Linux Kernel CVE-2026-43222

| EUVDEUVD-2026-27782 HIGH
2026-05-06 Linux GHSA-j457-vjxp-xvjj
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:39 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
7.8 (HIGH)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:28 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

media: verisilicon: AV1: Fix tile info buffer size

Each tile info is composed of: row_sb, col_sb, start_pos and end_pos (4 bytes each). So the total required memory is AV1_MAX_TILES * 16 bytes. Use the correct #define to allocate the buffer and avoid writing tile info in non-allocated memory.

AnalysisAI

A memory corruption vulnerability in the Linux kernel's Verisilicon AV1 media driver allows local authenticated attackers to write tile info data beyond allocated buffer boundaries, potentially achieving arbitrary code execution with kernel privileges. The vulnerability affects kernel versions from 6.5 onwards where commit 727a400686a2 introduced the flaw. Patches are available across multiple stable kernel branches (6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability, with no public exploit identified at time of analysis and no CISA KEV listing.

Technical ContextAI

The vulnerability exists in the Verisilicon hardware video decoder driver's AV1 codec implementation within the Linux kernel media subsystem. AV1 (AOMedia Video 1) is a modern video compression format that uses tile-based encoding where frames are divided into rectangular tiles for parallel processing. The driver allocates a buffer to store tile information metadata (row_sb, col_sb, start_pos, end_pos - 4 bytes each, totaling 16 bytes per tile). The bug stems from using an incorrect size constant during buffer allocation while the code writes up to AV1_MAX_TILES * 16 bytes of tile metadata, causing an out-of-bounds write. This is a classic buffer overflow in kernel space affecting the media/platform/verisilicon driver component. The affected CPE indicates this impacts mainline Linux kernel builds containing the vulnerable driver code introduced in commit 727a400686a2c0d25015c9e44916a59b72882f83, first appearing in kernel 6.5.

RemediationAI

Update to patched Linux kernel versions: 6.6.128, 6.12.75, 6.18.16, 6.19.6, or 7.0 depending on your current stable branch. The upstream patches are available across multiple kernel.org stable trees as documented in commits a5b1ddbe31f4, 34f36f9c6114, f122f2b3ce9d, 74abfadd7ef5, and a505ca2db89a (see https://git.kernel.org/stable/c/a5b1ddbe31f49b4da78642157589970e9b60a231). For systems where immediate kernel updates are not feasible, consider disabling or blacklisting the verisilicon_vpu driver module if AV1 hardware decoding is not required for operational needs, though this will prevent hardware-accelerated AV1 video playback. Alternatively, restrict access to /dev/video* device nodes to trusted users only via udev rules and group permissions, reducing the pool of potential local attackers who can trigger the vulnerable code path. Note that disabling the driver eliminates functionality and access restriction is defense-in-depth rather than a complete mitigation since the buffer overflow remains exploitable by any user with device access. Systems without Verisilicon hardware are not affected and require no action.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43222 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy