Skip to main content

Linux Kernel CVE-2026-52907

| EUVDEUVD-2026-35416 HIGH
Off-by-one Error (CWE-193)
2026-06-09 Linux GHSA-wc6w-h9jv-4f9w
7.8
CVSS 3.1 · Vendor: Linux
Share

Severity by source

Vendor (Linux) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
5.8 MEDIUM

Local access to a niche Rockchip V4L2 device node (AV:L, PR:L); reliable memory-corruption exploitation needs heap grooming (AC:H); kernel crash is likely (A:H) but C/I impact is unproven (L).

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H
4.0 AV:L/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
SUSE
5.3 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Primary rating from Vendor (Linux).

CVSS VectorVendor: Linux

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 14, 2026 - 06:39 vuln.today
CVSS changed
Jun 14, 2026 - 06:22 NVD
7.8 (HIGH)
Patch available
Jun 09, 2026 - 15:01 EUVD
CVE Published
Jun 09, 2026 - 12:36 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 09, 2026 - 12:36 cve.org
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

media: rockchip: rkcif: fix off by one bugs

Change these comparisons from > vs >= to avoid accessing one element beyond the end of the arrays. While at it, use ARRAY_SIZE instead of the _MAX enum values.

[fix cosmetic issues]

AnalysisAI

Out-of-bounds array access in the Linux kernel's Rockchip RKCIF camera interface driver (drivers/media/platform/rockchip/rkcif) allows a local low-privileged user to trigger memory corruption by reading one element past the end of internal arrays due to off-by-one comparison errors. Affects mainline Linux through 6.19 and is fixed in 7.0.4 and 7.1-rc1; no public exploit identified at time of analysis and EPSS exploitation probability is negligible (0.02%, 5th percentile).

Technical ContextAI

The Rockchip RKCIF driver provides V4L2 support for the Camera Interface IP block found on Rockchip SoCs (e.g., RK3399, RK3568, RK3588) used heavily in embedded and SBC devices. The defect is a classic off-by-one bounds check (CWE-193 class) where the code used a strictly-greater-than comparison instead of greater-than-or-equal against array length, permitting an index equal to the array size to be used as a valid offset. The upstream resolution both flips the comparison operator and replaces hard-coded _MAX enum sentinels with ARRAY_SIZE() to keep the bound tied to the actual storage, eliminating the drift risk. CPE coverage (cpe:2.3:a:linux:linux) is broad and version-unbounded, reflecting that the buggy code shipped in mainline media subsystem builds.

RemediationAI

Vendor-released patch: upgrade to Linux 7.0.4, 7.1-rc1, or any later mainline/stable release containing the rkcif off-by-one fixes (commits e4056b84af0fc18c84b4e5741df04ecd8ca17973 and 73e119036b3a799170ed89907b4273c07306d611 at https://git.kernel.org/stable/c/e4056b84af0fc18c84b4e5741df04ecd8ca17973 and https://git.kernel.org/stable/c/73e119036b3a799170ed89907b4273c07306d611). Distribution kernels should pick up backports through standard stable updates; verify with uname -r and the distro's CVE tracker. If you cannot patch immediately on affected Rockchip-based devices, restrict access to /dev/video* nodes by tightening the 'video' group membership and udev rules so only trusted services can open the rkcif device (trade-off: legitimate camera/V4L2 userspace such as gstreamer pipelines on that user will break), or blacklist the rockchip-cif module via /etc/modprobe.d if the camera capture path is unused (trade-off: any onboard camera or ISP pipeline relying on it will stop functioning).

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected
SUSE Linux Enterprise High Availability Extension 15 SP7 Not-Affected

Share

CVE-2026-52907 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy