Skip to main content

Linux Kernel EUVDEUVD-2026-27708

| CVE-2026-43146 MEDIUM
2026-05-06 Linux GHSA-26jf-v4w3-xhqx
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
Jun 08, 2026 - 11:17 vuln.today
CVSS changed
May 13, 2026 - 20:22 NVD
5.5 (MEDIUM)
Patch available
May 06, 2026 - 13:32 EUVD
CVE Published
May 06, 2026 - 11:27 nvd
MEDIUM 5.5

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

media: iris: Add buffer to list only after successful allocation

Move list_add_tail() to after dma_alloc_attrs() succeeds when creating internal buffers. Previously, the buffer was enqueued in buffers->list before the DMA allocation. If the allocation failed, the function returned -ENOMEM while leaving a partially initialized buffer in the list, which could lead to inconsistent state and potential leaks.

By adding the buffer to the list only after dma_alloc_attrs() succeeds, we ensure the list contains only valid, fully initialized buffers.

AnalysisAI

Denial of service in the Linux kernel's iris media driver results from improper error-path handling during internal buffer allocation. When DMA allocation via dma_alloc_attrs() fails, a partially initialized buffer that was prematurely added to the internal buffers->list remains in that list, leading to inconsistent kernel state and potential resource leaks or NULL-pointer dereferences on subsequent access. Affected systems running Linux 6.15 through pre-patch versions of 6.18 and 6.19 with the iris media subsystem active are at risk; no public exploit has been identified and EPSS is 0.02%, indicating low exploitation probability at time of analysis.

Technical ContextAI

The iris driver is part of the Linux kernel's V4L2 media subsystem (drivers/media/platform/qcom/iris), used for Qualcomm hardware video encode/decode acceleration. The vulnerability resides in the buffer management logic for internal DMA buffers. The function list_add_tail() was called to enqueue a buffer struct into buffers->list before dma_alloc_attrs() was invoked to back that buffer with actual DMA-coherent memory. On allocation failure, the function returned -ENOMEM, but the list node remained in the linked list pointing to a struct with uninitialized or zeroed DMA fields. Any subsequent kernel code iterating that list and dereferencing the DMA address or virtual pointer of that buffer would encounter invalid memory, potentially triggering a kernel panic or use-after-free-equivalent condition. CPE data identifies the affected product as cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* and the vulnerability was introduced at commit 73702f45db81b74897b2808aaa13484826156006. CWE is not formally assigned, but the root cause class is improper cleanup on error path (closest to CWE-459: Incomplete Cleanup or CWE-754: Improper Check for Exceptional Conditions).

RemediationAI

The upstream fix is available in Linux stable releases 6.18.16 and 6.19.6, with the change also merged into the 7.0 mainline. Administrators should upgrade the kernel to one of these patched versions; the specific fix commits for cherry-picking are 45b30f65feeb4d5570d5337793bb0f298be813d2, 98b4c4c90f1e11caecbe2093dbe3a901d338bc81, and 2d0bbd982dfdd67da488a772f7a8a1bdca7642bf, all accessible at git.kernel.org/stable. For Red Hat and SUSE deployments, monitor vendor security portals for patched kernel packages. As a compensating control on systems where immediate kernel upgrade is not feasible, administrators can restrict access to iris media device nodes by tightening udev rules or removing users from the 'video' group, which limits who can interact with the driver and trigger the vulnerable code path. Blacklisting the iris kernel module (modprobe.d blacklist) on systems not using Qualcomm video acceleration entirely removes exposure with no functional trade-off on non-Qualcomm hardware.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-27708 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy