CVE-2026-43207 - Vulnerability Details

- media: mtk-mdp: Fix error handling in probe function

Description

In the Linux kernel, the following vulnerability has been resolved:

media: mtk-mdp: Fix error handling in probe function

Add mtk_mdp_unregister_m2m_device() on the error handling path to prevent
resource leak.

Add check for the return value of vpu_get_plat_device() to prevent null
pointer dereference. And vpu_get_plat_device() increases the reference
count of the returned platform device. Add platform_device_put() to
prevent reference leak.

Published: 2026-05-06

Score: n/a

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel MediaTek MDP driver contains an error handling flaw in its probe routine that allows a null pointer dereference and insufficient cleanup of platform devices. When the driver attempts to retrieve a platform device via vpu_get_plat_device() and the return value violates the expected contract, the kernel may access a null pointer, leading to a crash. The added call to mtk_mdp_unregister_m2m_device() on the error path and the insertion of platform_device_put() aim to eliminate resource leaks that could otherwise accumulate reference counts. Based on the description, the likely attack vector requires privilege to load or trigger the malformed probe routine—most likely a local user or administrator who can load kernel modules or influence device enumeration. The primary impact is a denial of service, as a single failed probe can bring down the kernel, and in some scenarios, this crash could be leveraged for privilege escalation if the system is not rebooted securely. At the time of analysis, no CVSS score is publicly available, and EPSS is not provided. The vulnerability is not listed in the CISA KEV catalog, suggesting limited or no known exploitation. However, because the issue resides in kernel code, the potential for a local privilege escalation or fork‑jail escape is elevated. The risk can be considered moderate to high for systems that run the driver without the applied fix and support untrusted users performing module load operations.

Affected Systems

The vulnerability affects the Linux kernel, specifically the MediaTek MDP (mtk-mdp) driver. The kernel's probe failure and resource management bugs are present in all kernel versions before the patch commits referenced; exact affected kernel releases are not enumerated.

Risk and Exploitability

At the time of analysis, no CVSS score is publicly available, and EPSS is not provided. The vulnerability is not listed in the CISA KEV catalog, suggesting limited or no known exploitation. However, because the issue resides in kernel code, the potential for a local privilege escalation or fork‑jail escape is elevated. The risk can be considered moderate to high for systems that run the driver without the applied fix and support untrusted users performing module load operations.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`c8eb2d7e8202fd9cb912f5d33cc34ede66dcb24a`	affected	< 9d9c67976eda502edc6b3a148a1c5b6a18b69a98
`c8eb2d7e8202fd9cb912f5d33cc34ede66dcb24a`	affected	< 0bc43eaf021347f8d5aba87712c36b799695eec6
`c8eb2d7e8202fd9cb912f5d33cc34ede66dcb24a`	affected	< 9d7962d5c81d6cf3f8dbdb5c71c57600bac5772b
`c8eb2d7e8202fd9cb912f5d33cc34ede66dcb24a`	affected	< 12cafc15d24611bfb43c82877b1bbb7454a85d5a
`c8eb2d7e8202fd9cb912f5d33cc34ede66dcb24a`	affected	< c8737d33d4e8ffae87e5d5edac17f8a705235cc2
`c8eb2d7e8202fd9cb912f5d33cc34ede66dcb24a`	affected	< b3fc99fe5b25613dd61c57bc70b8479adff4f60d
`c8eb2d7e8202fd9cb912f5d33cc34ede66dcb24a`	affected	< 2e8f53a7382943411557e370f1a4f3946624a30e
`c8eb2d7e8202fd9cb912f5d33cc34ede66dcb24a`	affected	< 8a8a3232abac5b972058a5f2cb3e33199d2a8648

Linux

affected

Version	Status	Constraints
`4.10`	affected	—
`0`	unaffected	< 4.10
`5.10.252`	unaffected	≤ 5.10.*
`5.15.202`	unaffected	≤ 5.15.*
`6.1.165`	unaffected	≤ 6.1.*
`6.6.128`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.16`	unaffected	≤ 6.18.*
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[c8eb2d7e8202fd9cb912f5d33cc34ede66dcb24a,9d9c67976eda502edc6b3a148a1c5b6a18b69a98)`	affected	code_commit	['*']
`[c8eb2d7e8202fd9cb912f5d33cc34ede66dcb24a,0bc43eaf021347f8d5aba87712c36b799695eec6)`	affected	code_commit	['*']
`[c8eb2d7e8202fd9cb912f5d33cc34ede66dcb24a,9d7962d5c81d6cf3f8dbdb5c71c57600bac5772b)`	affected	code_commit	['*']
`[c8eb2d7e8202fd9cb912f5d33cc34ede66dcb24a,2e8f53a7382943411557e370f1a4f3946624a30e)`	affected	code_commit	['*']
`[c8eb2d7e8202fd9cb912f5d33cc34ede66dcb24a,8a8a3232abac5b972058a5f2cb3e33199d2a8648)`	affected	code_commit	['*']
`[c8eb2d7e8202fd9cb912f5d33cc34ede66dcb24a,b3fc99fe5b25613dd61c57bc70b8479adff4f60d)`	affected	code_commit	['*']
`[c8eb2d7e8202fd9cb912f5d33cc34ede66dcb24a,12cafc15d24611bfb43c82877b1bbb7454a85d5a)`	affected	code_commit	['*']
`[c8eb2d7e8202fd9cb912f5d33cc34ede66dcb24a,c8737d33d4e8ffae87e5d5edac17f8a705235cc2)`	affected	code_commit	['*']

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`4.10.0`	affected	semver	['*']
`[0,4.10.0)`	unaffected	semver	['*']
`[5.10.252,5.11.0)`	unaffected	semver	['*']
`[5.15.202,5.16.0)`	unaffected	semver	['*']
`[6.1.165,6.2.0)`	unaffected	semver	['*']
`[6.6.128,6.7.0)`	unaffected	semver	['*']
`[6.12.75,6.13.0)`	unaffected	semver	['*']
`[6.18.16,6.19.0)`	unaffected	semver	['*']
`[6.19.6,7.0.0)`	unaffected	semver	['*']
`[7.0,*]`	unaffected	generic	['*']

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply a kernel update that includes the mtk-mdp probe error handling fixes (commits 0bc43eaf0 and related patches).
If updating is not immediately possible, disable or blacklist the MediaTek MDP driver to prevent it from loading.
Restrict kernel module loading rights to privileged users only and monitor for any attempts to load the MDP driver on untrusted systems.

Generated by OpenCVE AI on May 6, 2026 at 15:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0bc43eaf021347f8d5aba87712c36b799695eec6
https://git.kernel.org/stable/c/12cafc15d24611bfb43c82877b1bbb7454a85d5a
https://git.kernel.org/stable/c/2e8f53a7382943411557e370f1a4f3946624a30e
https://git.kernel.org/stable/c/8a8a3232abac5b972058a5f2cb3e33199d2a8648
https://git.kernel.org/stable/c/9d7962d5c81d6cf3f8dbdb5c71c57600bac5772b
https://git.kernel.org/stable/c/9d9c67976eda502edc6b3a148a1c5b6a18b69a98
https://git.kernel.org/stable/c/b3fc99fe5b25613dd61c57bc70b8479adff4f60d
https://git.kernel.org/stable/c/c8737d33d4e8ffae87e5d5edac17f8a705235cc2

History

Wed, 06 May 2026 15:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476 CWE-567

Wed, 06 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: media: mtk-mdp: Fix error handling in probe function Add mtk_mdp_unregister_m2m_device() on the error handling path to prevent resource leak. Add check for the return value of vpu_get_plat_device() to prevent null pointer dereference. And vpu_get_plat_device() increases the reference count of the returned platform device. Add platform_device_put() to prevent reference leak.
Title		media: mtk-mdp: Fix error handling in probe function
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0bc43eaf021347f8d5aba87712c36b799695eec6 https://git.kernel.org/stable/c/12cafc15d24611bfb43c82877b1bbb7454a85d5a https://git.kernel.org/stable/c/2e8f53a7382943411557e370f1a4f3946624a30e https://git.kernel.org/stable/c/8a8a3232abac5b972058a5f2cb3e33199d2a8648 https://git.kernel.org/stable/c/9d7962d5c81d6cf3f8dbdb5c71c57600bac5772b https://git.kernel.org/stable/c/9d9c67976eda502edc6b3a148a1c5b6a18b69a98 https://git.kernel.org/stable/c/b3fc99fe5b25613dd61c57bc70b8479adff4f60d https://git.kernel.org/stable/c/c8737d33d4e8ffae87e5d5edac17f8a705235cc2

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T11:28:11.601Z

Updated: 2026-05-06T11:28:11.601Z

Reserved: 2026-05-01T14:12:55.993Z

Link: CVE-2026-43207

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-06T12:16:40.037

Modified: 2026-05-06T13:07:51.607

Link: CVE-2026-43207

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T17:30:07Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object