Description
In the Linux kernel, the following vulnerability has been resolved:

media: v4l2-async: Fix error handling on steps after finding a match

Once an async connection is found to be matching with an fwnode, a
sub-device may be registered (in case it wasn't already), its bound
operation is called, ancillary links are created, the async connection
is added to the sub-device's list of connections and removed from the
global waiting connection list. Further on, the sub-device's possible own
notifier is searched for possible additional matches.

Fix these specific issues:

- If v4l2_async_match_notify() failed before the sub-notifier handling,
the async connection was unbound and its entry removed from the
sub-device's async connection list. The latter part was also done in
v4l2_async_match_notify().

- The async connection's sd field was only set after creating ancillary
links in v4l2_async_match_notify(). It was however dereferenced in
v4l2_async_unbind_subdev_one(), which was called on error path of
v4l2_async_match_notify() failure.
Published: 2026-05-06
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the Linux kernel’s media subsystem (v4l2‑async). It is triggered when an asynchronous device binding fails: the kernel may dereference an uninitialised or already freed pointer after the async connection is removed from the device’s list, causing a kernel page fault that typically crashes the system. This manifests as a denial‑of‑service. The weakness corresponds to CWE‑476 (Null Pointer Dereference).

Affected Systems

Any Linux kernel installation that contains the v4l2‑async code before the patch referenced in the advisory URLs is vulnerable. The flaw is present in the generic kernel as shipped to most distributions, and no explicit version range is cited in the CVE. Users running an unpatched kernel and using media drivers that invoke async binding are at risk.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, while an EPSS score of less than 1% reflects a low probability of exploitation in the wild. The vulnerability is not recorded in the CISA KEV catalog. Attackers would need to trigger faulty async matching, typically by initiating media operations or by loading a media driver that performs asynchronous binding. With local or privileged access, this could cause a kernel crash that effectively denies service to all users on the machine. The fix is available in upstream kernel commits; updating to a kernel that contains those commits mitigates the risk.

Generated by OpenCVE AI on May 12, 2026 at 01:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that incorporates the v4l2‑async patch or apply the specific patch commits from the advisory URLs.
  • If the media subsystem is not required, remove or disable the relevant v4l2 media drivers so that asynchronous binding is never performed.
  • For custom kernels, configure the build to disable the v4l2‑async configuration option or adjust the media subsystem to avoid using async matching paths.

Generated by OpenCVE AI on May 12, 2026 at 01:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 00:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Mon, 11 May 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
Metrics cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Thu, 07 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate

Wed, 06 May 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: media: v4l2-async: Fix error handling on steps after finding a match Once an async connection is found to be matching with an fwnode, a sub-device may be registered (in case it wasn't already), its bound operation is called, ancillary links are created, the async connection is added to the sub-device's list of connections and removed from the global waiting connection list. Further on, the sub-device's possible own notifier is searched for possible additional matches. Fix these specific issues: - If v4l2_async_match_notify() failed before the sub-notifier handling, the async connection was unbound and its entry removed from the sub-device's async connection list. The latter part was also done in v4l2_async_match_notify(). - The async connection's sd field was only set after creating ancillary links in v4l2_async_match_notify(). It was however dereferenced in v4l2_async_unbind_subdev_one(), which was called on error path of v4l2_async_match_notify() failure.
Title media: v4l2-async: Fix error handling on steps after finding a match
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:19:34.106Z

Reserved: 2026-05-01T14:12:55.992Z

Link: CVE-2026-43189

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-06T12:16:37.723

Modified: 2026-05-11T20:47:45.730

Link: CVE-2026-43189

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43189 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T01:30:04Z

Weaknesses