Skip to main content

Linux Kernel CVE-2026-46222

| EUVDEUVD-2026-32849 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-wprv-4wq2-c8jp
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local low-privilege ioctl triggers kernel crash with no confidentiality or integrity impact; AV:L and PR:L confirmed by hardware-specific, authenticated-user attack path.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 10, 2026 - 21:16 vuln.today
CVSS changed
Jun 10, 2026 - 19:07 NVD
5.5 (MEDIUM)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
MEDIUM 5.5
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads

The pads missed checks for connected devices which may a null dereference when the stream is enabled.

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 pc : rkcif_interface_enable_streams+0x48/0xf0 lr : rkcif_interface_enable_streams+0x44/0xf0 Call trace: rkcif_interface_enable_streams+0x48/0xf0 v4l2_subdev_enable_streams+0x26c/0x3f0 rkcif_stream_start_streaming+0x140/0x278 vb2_start_streaming+0x74/0x188 vb2_core_streamon+0xe0/0x1d8 vb2_ioctl_streamon+0x60/0xa8 v4l_streamon+0x2c/0x40 __video_do_ioctl+0x34c/0x400 video_usercopy+0x2d0/0x800 video_ioctl2+0x20/0x60 v4l2_ioctl+0x48/0x78

AnalysisAI

NULL pointer dereference in the Linux kernel's Rockchip RKCIF (Camera Interface) media driver crashes the kernel when a local user enables streaming on a video device with no connected subdevice. Affected systems are Rockchip SoC-based platforms running Linux kernel versions from the introduction of the rkcif driver up through 6.19. A low-privileged local attacker can trigger a kernel panic - full denial of service - via the standard V4L2 VIDIOC_STREAMON ioctl. No public exploit code exists and the vulnerability is not listed in CISA KEV; EPSS of 0.02% (5th percentile) reflects the narrow hardware-specific attack surface.

Technical ContextAI

The vulnerability resides in drivers/media/platform/rockchip/cif/ within the V4L2 (Video4Linux2) media subsystem of the Linux kernel (CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*). The Rockchip RKCIF driver implements a media controller pipeline where media pads connect the camera sensor subdevice to the DMA engine. The MUST_CONNECT flag on a media pad instructs the kernel's media framework to enforce that a subdevice link is established before streaming is permitted; without it, no such validation occurs. CWE-476 (NULL Pointer Dereference) is the root cause: when rkcif_interface_enable_streams() is called during VIDIOC_STREAMON processing, it dereferences a pointer to the remote pad's subdevice at offset 0x20 without checking for NULL, crashing at virtual address 0000000000000020 as shown in the call trace. This is a purely availability-impacting kernel crash with no data exfiltration component.

RemediationAI

The primary fix is to upgrade to Linux kernel 7.0.9 (stable) or 7.1-rc1 or later, which include the commits that add the missing MUST_CONNECT flag to the rkcif media pads. Patch commits can be verified at https://git.kernel.org/stable/c/318142640590342bfec7aa06d0bdcd0ddbf953d0 and https://git.kernel.org/stable/c/8e3c751259dc2d1325838eff26f41032523c7b57. For systems that cannot be immediately upgraded, a compensating control is to restrict access to V4L2 device nodes (e.g., /dev/video*) using udev rules or Linux DAC/MAC controls (SELinux, AppArmor) so that only trusted processes or the camera daemon can issue ioctls - this limits the exploitable attack surface without disabling the driver entirely. Removing or blacklisting the rkcif kernel module (modprobe.d blacklist) is a more aggressive workaround that fully eliminates the attack surface at the cost of losing camera functionality. Distributions shipping kernels for Rockchip platforms (e.g., Armbian, Manjaro ARM) should be consulted for platform-specific backport status.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

CVE-2026-46222 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy