Skip to main content

Linux Kernel CVE-2026-43290

| EUVDEUVD-2026-28560 HIGH
2026-05-08 Linux GHSA-w25g-q69r-fvpq
High
Disputed · 7.8 NVD
Share

Severity by source

Sources disagree (Low–High)
NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 LOW
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 10:30 vuln.today
CVSS changed
May 11, 2026 - 08:22 NVD
7.8 (HIGH)
Patch available
May 08, 2026 - 14:02 EUVD
CVE Published
May 08, 2026 - 13:11 nvd
UNKNOWN (no severity yet)
CVE Published
May 08, 2026 - 13:11 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

media: uvcvideo: Return queued buffers on start_streaming() failure

Return buffers if streaming fails to start due to uvc_pm_get() error.

This bug may be responsible for a warning I got running

while :; do yavta -c3 /dev/video0; done

on an xHCI controller which failed under this workload. I had no luck reproducing this warning again to confirm.

xhci_hcd 0000:09:00.0: HC died; cleaning up usb 13-2: USB disconnect, device number 2 WARNING: CPU: 2 PID: 29386 at drivers/media/common/videobuf2/videobuf2-core.c:1803 vb2_start_streaming+0xac/0x120

AnalysisAI

A buffer management flaw in the Linux kernel's uvcvideo (USB Video Class) driver allows local authenticated attackers to trigger memory corruption via improper buffer handling when streaming initialization fails. The vulnerability manifests when xHCI controller failures cause uvc_pm_get() errors during start_streaming(), leaving queued video buffers unreturned and potentially causing system instability or privilege escalation. Patches are available from kernel maintainers for versions 6.18.16, 6.19.6, and 7.0+, with upstream fixes committed. EPSS score of 0.02% suggests minimal observed exploitation attempts, and no KEV listing indicates this is not currently exploited in the wild despite the high CVSS 7.8 score.

Technical ContextAI

This vulnerability affects the videobuf2 subsystem within the uvcvideo driver (drivers/media/usb/uvc/), specifically in the buffer lifecycle management when video streaming initialization fails. The uvcvideo driver implements the USB Video Class specification for webcams and video capture devices. When start_streaming() encounters a power management failure via uvc_pm_get() - commonly triggered by xHCI (USB 3.0 extended Host Controller Interface) instability or device disconnection - the driver fails to return queued videobuf2 buffers to their original state. This violates the videobuf2-core contract that expects all queued buffers to be properly dequeued on streaming failure, triggering a WARN_ON assertion at vb2_start_streaming+0xac. The reporter triggered this condition with repeated yavta (V4L2 test application) invocations cycling through capture initialization, eventually exhausting xHCI resources. The affected code path has existed since commit 7dd56c47784a, indicating this is a long-standing resource cleanup issue. While no CWE is formally assigned, this represents improper resource management/cleanup on error paths (similar to CWE-404: Improper Resource Shutdown or Release).

RemediationAI

Update to patched kernel versions: 6.18.16 or later for 6.18.x series, 6.19.6 or later for 6.19.x series, or 7.0 stable release for mainline. Upstream fixes are available in commits 69c32df23bed6001864779b965fa009bcd9a26de (mainline), a5c01f15809d1d2c319d8bfb11d071df11ab731c (stable), and 4cf3b6fd54ebb1ebc977bdc47fb6cfcf9a471a22 (stable) per https://git.kernel.org/stable/. Distributions typically backport fixes to their kernel branches; check vendor security advisories (e.g., Ubuntu USN, RHEL RHSA, Debian DSA). For systems unable to patch immediately, disable the uvcvideo module via 'modprobe -r uvcvideo' and blacklist in /etc/modprobe.d/blacklist.conf if USB cameras are not operationally required; this prevents module loading and eliminates attack surface but breaks all UVC camera functionality. Alternatively, restrict /dev/video* device permissions to trusted users only (chmod 600, chown root:root) to limit local attack surface, though this does not prevent exploitation by legitimate camera users. Monitor dmesg and kernel logs for videobuf2 warnings or xHCI errors indicating exploitation attempts. Note that the disable-module workaround impacts legitimate webcam functionality including video conferencing; assess operational requirements before applying.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43290 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy