CVE-2026-43146 - Vulnerability Details

- media: iris: Add buffer to list only after successful allocation

Description

In the Linux kernel, the following vulnerability has been resolved:

media: iris: Add buffer to list only after successful allocation

Move `list_add_tail()` to after `dma_alloc_attrs()` succeeds when creating
internal buffers. Previously, the buffer was enqueued in `buffers->list`
before the DMA allocation. If the allocation failed, the function returned
`-ENOMEM` while leaving a partially initialized buffer in the list, which
could lead to inconsistent state and potential leaks.

By adding the buffer to the list only after `dma_alloc_attrs()` succeeds,
we ensure the list contains only valid, fully initialized buffers.

Published: 2026-05-06

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in the Linux kernel media subsystem allows a partially initialized buffer to be added to the internal buffers list even when its DMA allocation fails. The buffer remains in the list in a corrupted state, and any later code that traverses this list may operate on invalid data, potentially leading to data leaks or a kernel crash. This is a classic instance of partial initialization of kernel memory that can be exploited for improper use of pointers (CWE‑908, NVD-CWE-noinfo).

Affected Systems

All Linux kernel distributions that include the media:iris component and have not applied the patch that moves the list addition after a successful DMA allocation are affected. The commit fixing the issue was merged into the kernel source in early 2026, so any kernel releases before that point remain vulnerable.

Risk and Exploitability

The likely attack vector is local or privileged execution that triggers the media subsystem’s DMA allocation routine. Because the defect exists in kernel code, remote exploitation would first require elevated privileges. The EPSS score is < 1% and the CVSS score is 5.5, and the vulnerability is not listed in the CISA KEV catalog, indicating no documented exploitation. The overall risk is moderate: a local condition that forces the dirty list item into use can cause a kernel panic, resulting in a denial of service for the affected system.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`73702f45db81b74897b2808aaa13484826156006`	affected	< 45b30f65feeb4d5570d5337793bb0f298be813d2
`73702f45db81b74897b2808aaa13484826156006`	affected	< 98b4c4c90f1e11caecbe2093dbe3a901d338bc81
`73702f45db81b74897b2808aaa13484826156006`	affected	< 2d0bbd982dfdd67da488a772f7a8a1bdca7642bf

Linux

affected

Version	Status	Constraints
`6.15`	affected	—
`0`	unaffected	< 6.15
`6.18.16`	unaffected	≤ 6.18.*
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[73702f45db81b74897b2808aaa13484826156006,45b30f65feeb4d5570d5337793bb0f298be813d2)`	affected	code_commit	—
`[73702f45db81b74897b2808aaa13484826156006,98b4c4c90f1e11caecbe2093dbe3a901d338bc81)`	affected	code_commit	—
`[73702f45db81b74897b2808aaa13484826156006,2d0bbd982dfdd67da488a772f7a8a1bdca7642bf)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.15`	affected	generic	—
`[0,6.15)`	unaffected	generic	—
`[6.18.16,6.19.0)`	unaffected	semver	—
`[6.19.6,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that includes the fix moving the list addition after successful dma_alloc_attrs.
For kernels that are custom‑built or cannot be upgraded, manually apply the source change—move the list_add_tail() call to after dma_alloc_attrs() succeeds in the media:iris implementation—and rebuild the kernel.
After applying the patch or recompilation, reboot the system or reload the affected module so that the corrected code is active.

Generated by OpenCVE AI on May 13, 2026 at 21:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/2d0bbd982dfdd67da488a772f7a8a1bdca7642bf
https://git.kernel.org/stable/c/45b30f65feeb4d5570d5337793bb0f298be813d2
https://git.kernel.org/stable/c/98b4c4c90f1e11caecbe2093dbe3a901d338bc81
https://lore.kernel.org/linux-cve-announce/2026050626-CVE-2026-43146-c0ee@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43146
https://www.cve.org/CVERecord?id=CVE-2026-43146

History

Wed, 13 May 2026 20:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Thu, 07 May 2026 03:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-457

Thu, 07 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-908
References		https://lore.kernel.org/linux-cve-announce/2026050626-CVE-2026-43146-c0ee@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43146 https://www.cve.org/CVERecord?id=CVE-2026-43146

Wed, 06 May 2026 15:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-457

Wed, 06 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: media: iris: Add buffer to list only after successful allocation Move `list_add_tail()` to after `dma_alloc_attrs()` succeeds when creating internal buffers. Previously, the buffer was enqueued in `buffers->list` before the DMA allocation. If the allocation failed, the function returned `-ENOMEM` while leaving a partially initialized buffer in the list, which could lead to inconsistent state and potential leaks. By adding the buffer to the list only after `dma_alloc_attrs()` succeeds, we ensure the list contains only valid, fully initialized buffers.
Title		media: iris: Add buffer to list only after successful allocation
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/2d0bbd982dfdd67da488a772f7a8a1bdca7642bf https://git.kernel.org/stable/c/45b30f65feeb4d5570d5337793bb0f298be813d2 https://git.kernel.org/stable/c/98b4c4c90f1e11caecbe2093dbe3a901d338bc81

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T11:27:29.562Z

Updated: 2026-05-11T22:18:39.117Z

Reserved: 2026-05-01T14:12:55.989Z

Link: CVE-2026-43146

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-06T12:16:32.127

Modified: 2026-05-13T20:19:38.283

Link: CVE-2026-43146

Redhat

Severity :

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43146 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-13T22:00:06Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object