Skip to main content

Linux Kernel EUVDEUVD-2026-28600

| CVE-2026-43316 MEDIUM
2026-05-08 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-xw5q-w7ff-jgm4
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 15, 2026 - 21:00 vuln.today
CVSS changed
May 15, 2026 - 18:37 NVD
5.5 (MEDIUM)
Patch available
May 08, 2026 - 15:02 EUVD
CVE Published
May 08, 2026 - 14:16 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

media: solo6x10: Check for out of bounds chip_id

Clang with CONFIG_UBSAN_SHIFT=y noticed a condition where a signed type (literal "1" is an "int") could end up being shifted beyond 32 bits, so instrumentation was added (and due to the double is_tw286x() call seen via inlining), Clang decides the second one must now be undefined behavior and elides the rest of the function[1]. This is a known problem with Clang (that is still being worked on), but we can avoid the entire problem by actually checking the existing max chip ID, and now there is no runtime instrumentation added at all since everything is known to be within bounds.

Additionally use an unsigned value for the shift to remove the instrumentation even without the explicit bounds checking.

[hverkuil: fix checkpatch warning for is_tw286x]

AnalysisAI

An out-of-bounds shift operation in the Linux kernel's solo6x10 media driver causes a local denial of service. Affects Linux kernel versions from the initial commit through 7.0-rc3, with patches available in stable versions 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, and 7.0. The flaw, triggered by improper chip_id bounds checking, causes Clang's undefined behavior sanitizer to instrument code that can lead to system instability when exploited by low-privileged local users. EPSS exploitation probability is 0.02% (7th percentile), indicating minimal widespread threat. Vendor-released patches address the issue by adding explicit bounds validation and using unsigned shift operations.

Technical ContextAI

This vulnerability exists in the solo6x10 video capture driver within the Linux kernel's media subsystem. The flaw involves an unsafe shift operation on a signed integer ('int' literal '1') that, when combined with an unchecked chip_id parameter, can result in shifting beyond 32 bits-undefined behavior per the C standard. When compiled with Clang and CONFIG_UBSAN_SHIFT=y (Undefined Behavior Sanitizer for shift operations), the compiler adds runtime instrumentation. Due to inlining of the is_tw286x() function and Clang's optimization assumptions, the second call appears to the compiler as guaranteed undefined behavior, causing the optimizer to elide subsequent code. The fix introduces explicit bounds checking against the maximum chip ID and changes the shift operand to unsigned, preventing both the undefined behavior and the need for sanitizer instrumentation. This is a code-quality issue specific to the interaction between compiler optimizations, sanitizer instrumentation, and driver logic, rather than a traditional memory corruption vulnerability.

RemediationAI

Upgrade to patched Linux kernel versions: 5.10.252, 5.15.202, 6.1.165, 6.6.128, 6.12.75, 6.18.16, 6.19.6, or 7.0 and later. Patches are available through standard distribution update channels and directly from kernel.org stable branches (commit references: 0b3dadada241, 603e3859393e, d29f33b2cf98, 0fdf6323c35a, 4d6db0c6bbbf, 33af366211ee, c327192ca266, 5849ae68d7b8). Organizations can verify patch application by checking for the added chip_id bounds validation in drivers/media/pci/solo6x10/solo6x10-core.c. If immediate patching is not feasible, compensating controls include: disabling the solo6x10 driver module via blacklist (add 'blacklist solo6x10' to /etc/modprobe.d/blacklist.conf) if the associated Bluecherry/Softlogic video capture hardware is not in use-this eliminates attack surface entirely with no functional impact on systems without this specific hardware. For systems requiring the driver, restrict local user access through mandatory access controls (SELinux/AppArmor policies) to prevent untrusted local users from triggering driver code paths. Note that disabling the driver may impact video capture functionality for dependent applications. Kernel recompilation without CONFIG_UBSAN_SHIFT reduces symptom severity but does not address the underlying bounds-checking deficiency.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-28600 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy