Skip to main content

Linux Kernel CVE-2026-43301

| EUVDEUVD-2026-28571 MEDIUM
Integer Underflow (CWE-191)
2026-05-08 Linux GHSA-g77g-v33m-x9rh
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 15, 2026 - 13:52 vuln.today
CVSS changed
May 15, 2026 - 13:52 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 14:33 EUVD
CVE Published
May 08, 2026 - 13:11 nvd
MEDIUM 5.5
CVE Published
May 08, 2026 - 13:11 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

media: chips-media: wave5: Fix PM runtime usage count underflow

Replace pm_runtime_put_sync() with pm_runtime_dont_use_autosuspend() in the remove path to properly pair with pm_runtime_use_autosuspend() from probe. This allows pm_runtime_disable() to handle reference count cleanup correctly regardless of current suspend state.

The driver calls pm_runtime_put_sync() unconditionally in remove, but the device may already be suspended due to autosuspend configured in probe. When autosuspend has already suspended the device, the usage count is 0, and pm_runtime_put_sync() decrements it to -1.

This causes the following warning on module unload:

------------[ cut here ]------------ WARNING: CPU: 1 PID: 963 at kernel/kthread.c:1430 kthread_destroy_worker+0x84/0x98 ... vdec 30210000.video-codec: Runtime PM usage count underflow!

AnalysisAI

A reference count underflow in the Linux kernel's chips-media wave5 video codec driver causes a runtime PM usage count to decrement below zero during module removal, triggering a kernel warning and potentially causing denial of service when the driver is unloaded. The vulnerability affects unprivileged local users on systems with the wave5 codec driver enabled, and occurs when the device has already been suspended via autosuspend before the remove path executes pm_runtime_put_sync(). EPSS score of 0.02% indicates low exploitation probability despite the denial-of-service capability.

Technical ContextAI

The Linux kernel's power management subsystem uses reference counting to track active device usage via pm_runtime APIs. The wave5 video codec driver enables autosuspend in its probe function with pm_runtime_use_autosuspend(), allowing the device to suspend automatically after a timeout. During device removal, the driver unconditionally calls pm_runtime_put_sync() to decrement the usage counter, but this operation does not account for scenarios where autosuspend has already suspended the device and brought the usage count to zero. When pm_runtime_put_sync() executes on an already-suspended device with a zero usage count, it decrements the counter to -1, violating the invariant that pm_runtime reference counts must remain non-negative. CWE-191 classifies this as an integer underflow condition. The proper sequence is to call pm_runtime_dont_use_autosuspend() to disable autosuspend before final cleanup, allowing pm_runtime_disable() to correctly manage the reference count regardless of the current suspend state.

RemediationAI

Vendor-released patches are available in Linux stable branches 6.18.16, 6.19.6, and 7.0. Update the Linux kernel to any version equal to or newer than these patched releases. The fix involves replacing pm_runtime_put_sync() with pm_runtime_dont_use_autosuspend() in the wave5 driver's remove path to properly disable autosuspend before final cleanup, preventing the reference count underflow. For systems unable to immediately update, the primary mitigation is to avoid unloading the wave5 driver module, as the vulnerability only manifests during driver removal when autosuspend has previously suspended the device. This workaround trades convenience (persistent driver loading) for stability if kernel updates cannot be deployed immediately. No other compensating controls are practical, as the vulnerability is internal to kernel power management semantics. Patch commits are documented at the kernel stable tree references provided in the vendor advisory.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-43301 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy