Skip to main content

Linux Kernel CVE-2026-43256

| EUVDEUVD-2026-27819 HIGH
Out-of-bounds Read (CWE-125)
2026-05-06 Linux GHSA-f426-43f4-xjrc
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 08, 2026 - 13:44 vuln.today
CVSS changed
May 08, 2026 - 13:22 NVD
7.8 (HIGH)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:28 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

media: qcom: camss: vfe: Fix out-of-bounds access in vfe_isr_reg_update()

vfe_isr() iterates using MSM_VFE_IMAGE_MASTERS_NUM(7) as the loop bound and passes the index to vfe_isr_reg_update(). However, vfe->line[] array is defined with VFE_LINE_NUM_MAX(4):

struct vfe_line line[VFE_LINE_NUM_MAX];

When index is 4, 5, 6, the access to vfe->line[line_id] exceeds the array bounds and resulting in out-of-bounds memory access.

Fix this by using separate loops for output lines and write masters.

AnalysisAI

Out-of-bounds memory access in Linux kernel Qualcomm Camera Subsystem (camss) allows local authenticated users to achieve arbitrary code execution, data corruption, or denial of service. The vfe_isr() function iterates beyond the bounds of the vfe->line[] array (size 4) using a loop count of 7, enabling access to memory at offsets +4, +5, and +6. Vendor patches available across multiple stable branches (6.1.167, 6.6.128, 6.12.75, 6.18.16, 6.19.6, 7.0). EPSS score 0.02% (7th percentile) indicates low observed exploitation probability; no active exploitation confirmed (not in CISA KEV).

Technical ContextAI

The vulnerability exists in the Qualcomm Camera Subsystem (CAMSS) driver within the Linux kernel's media subsystem, specifically in the VFE (Video Front End) interrupt service routine. The vfe_isr() function incorrectly uses MSM_VFE_IMAGE_MASTERS_NUM (defined as 7) as the iteration bound when accessing the vfe->line[] array, which is allocated with only VFE_LINE_NUM_MAX (4) elements. This classic buffer overflow condition (though no CWE is assigned, this matches CWE-119/CWE-787 array indexing error patterns) allows array indices 4-6 to read or write beyond allocated memory. The affected code path involves hardware interrupt handling for the Qualcomm camera pipeline, introduced in commit 4edc8eae715c. The fix restructures the loop to use separate iterations for output lines (bounded correctly) and write masters, preventing out-of-bounds indexing. Affected CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* starting from Linux 5.18 where the vulnerable code was introduced.

RemediationAI

Upgrade to patched Linux kernel versions: 6.1.167, 6.6.128, 6.12.75, 6.18.16, 6.19.6, or 7.0+ depending on your current stable branch. Patches available from https://git.kernel.org/stable/ with commits fade67c88870, 1b103307df6d, d965919af524, e7a38ecda249, 0c074e80921f, e6cbf765686f for respective branches. For systems unable to immediately patch, disable or blacklist the qcom-camss kernel module if camera functionality is not required using 'modprobe.blacklist=qcom_camss' in boot parameters or adding 'blacklist qcom_camss' to /etc/modprobe.d/. Note that disabling the module eliminates all camera functionality on affected Qualcomm devices. Restrict physical and logical access to camera device nodes (/dev/video*) via udev rules and SELinux/AppArmor policies to limit attack surface to trusted processes only, though this provides defense-in-depth rather than complete mitigation. Container environments should use seccomp profiles blocking camera-related syscalls if camera access is unnecessary.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43256 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy