Description
In the Linux kernel, the following vulnerability has been resolved:

media: v4l2-async: Fix error handling on steps after finding a match

Once an async connection is found to be matching with an fwnode, a
sub-device may be registered (in case it wasn't already), its bound
operation is called, ancillary links are created, the async connection
is added to the sub-device's list of connections and removed from the
global waiting connection list. Further on, the sub-device's possible own
notifier is searched for possible additional matches.

Fix these specific issues:

- If v4l2_async_match_notify() failed before the sub-notifier handling,
the async connection was unbound and its entry removed from the
sub-device's async connection list. The latter part was also done in
v4l2_async_match_notify().

- The async connection's sd field was only set after creating ancillary
links in v4l2_async_match_notify(). It was however dereferenced in
v4l2_async_unbind_subdev_one(), which was called on error path of
v4l2_async_match_notify() failure.
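The two error-path issues in the description above, as an added user-space model (not the kernel's code and not the upstream patch). All names (`conn`, `subdev`, `match`, `unbind_one`, `run`) are hypothetical; the model counts the unsafe operations instead of performing them, and the `ordered` variant shows one consistent ordering in which the back-pointer is valid before any step can fail and list removal has a single owner.

```c
#include <stdbool.h>
#include <stddef.h>

/* User-space model; all names are hypothetical, none of this is kernel code. */
struct subdev { int nconn; };
struct conn { struct subdev *sd; bool linked; };
struct audit { int null_sd_use; int double_unlink; };
enum fail_at { FAIL_NONE, FAIL_LINKS, FAIL_LATE };

static void unlink_conn(struct conn *c, struct audit *a)
{
    if (!c->linked) { a->double_unlink++; return; } /* second list removal */
    c->linked = false;
    c->sd->nconn--;
}

/* Cleanup helper that relies on c->sd being valid. */
static void unbind_one(struct conn *c, bool guarded, struct audit *a)
{
    if (!c->sd) { a->null_sd_use++; return; } /* would be a bad dereference */
    if (!guarded || c->linked) unlink_conn(c, a);
    c->sd = NULL;
}

/* ordered=false models the pre-fix sequence from the description. */
static int match(struct conn *c, struct subdev *sd, enum fail_at f, bool ordered, struct audit *a)
{
    if (ordered) c->sd = sd;             /* set before any step can fail */
    if (f == FAIL_LINKS) return -1;      /* simulated ancillary-link failure */
    c->sd = sd;
    c->linked = true;
    sd->nconn++;
    if (f == FAIL_LATE) {
        if (!ordered) unlink_conn(c, a); /* cleanup the caller repeats */
        return -1;
    }
    return 0;
}

static struct audit run(enum fail_at f, bool ordered)
{
    struct subdev sd = { 0 };
    struct conn c = { NULL, false };
    struct audit a = { 0, 0 };
    if (match(&c, &sd, f, ordered, &a) < 0)
        unbind_one(&c, ordered, &a);     /* caller's single cleanup call */
    return a;
}
int main(void) { struct audit a = run(FAIL_LATE, true); return a.double_unlink; }
```

In the model, `run(FAIL_LINKS, false)` reaches the cleanup helper with `sd` still unset and `run(FAIL_LATE, false)` removes the list entry twice; both counters stay at zero with `ordered` set.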
Published: 2026-05-06
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in the Linux kernel media subsystem where asynchronous connections are bound to hardware devices. When an async connection matches a firmware node and the sub-device is registered, a failure in the notification logic can leave the async connection in an inconsistent state. The implementation may dereference an uninitialized or stale kernel pointer, which can cause a kernel crash or potentially provide a foothold for arbitrary memory corruption. The documented updates address the possibility of dereferencing a non-initialized field and incorrectly removing entries from connection lists on error paths.

Affected Systems

All running Linux kernels that ship the upstream media v4l2-async code from before the patch are affected. The specific affected kernel versions are not enumerated in the advisory, but any distribution using a kernel build prior to the commit cited in the reference URLs would be vulnerable.

Risk and Exploitability

Because the advisory does not provide a CVSS or EPSS score, the precise exploitability is unknown. However, the vulnerability’s root cause is a kernel pointer dereference that can lead to a kernel panic. The attack vector likely requires the ability to cause a failed async match, which implies either a local user with access to the media subsystem or a compromised device driver. The KEV status is not listed, indicating no known widespread exploitation instances.

Generated by OpenCVE AI on May 6, 2026 at 14:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest kernel update that incorporates the v4l2-async patch
  • Temporarily disable or remove unused media devices that may trigger async connections
  • If running a custom kernel, re-configure the media subsystem to use safer async handling or disable the async matching feature where not needed



Advisories

No advisories yet.

History

Wed, 06 May 2026 15:15:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-416

Wed, 06 May 2026 12:15:00 +0000

Values added (no values removed):

  • Description: same text as the Description section at the top of this page
  • Title: media: v4l2-async: Fix error handling on steps after finding a match
  • First Time appeared: Linux; Linux linux Kernel
  • CPEs: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
  • Vendors & Products: Linux; Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-06T11:27:59.108Z

Reserved: 2026-05-01T14:12:55.992Z

Link: CVE-2026-43189

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-06T12:16:37.723

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43189

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T16:30:06Z

Weaknesses