CVE-2026-43217 - Vulnerability Details

- media: iris: gen2: Add sanity check for session stop

Description

In the Linux kernel, the following vulnerability has been resolved:

media: iris: gen2: Add sanity check for session stop

In iris_kill_session, inst->state is set to IRIS_INST_ERROR and
session_close is executed, which will kfree(inst_hfi_gen2->packet).
If stop_streaming is called afterward, it will cause a crash.

Add a NULL check for inst_hfi_gen2->packet before sendling STOP packet
to firmware to fix that.

Published: 2026-05-06

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel media driver for Iris Gen2 contains a flaw in the session termination routine. When a session is killed, the driver frees the packet buffer and later, if a stop command is issued, it attempts to use the freed pointer to send a STOP packet to the firmware. This dereference of a freed memory area causes a kernel panic and a full system crash. The vulnerability aligns with CWE-401 and CWE-825.

Affected Systems

All Linux kernel builds that include the upstream media:iris gen2 driver before the NULL‑check commit are vulnerable. The vendor list in the CVE cites the core Linux kernel, so any distribution kernel that ships this driver and has Iris hardware present is at risk until the patch is applied. Specific kernel versions are not enumerated in the advisory, so the safest assumption is that any kernel containing the unmitigated driver could be affected.

Risk and Exploitability

The vulnerability requires local interaction with the iris driver, typically through ioctl calls or user‑space applications that exercise session control. A local attacker or a compromised privileged process can trigger the crash by issuing a session stop after the session has been killed. EPSS score of < 1% indicates a very low probability of exploitation, and the issue is not listed in the CISA KEV catalog, but the potential for a kernel panic represents a high‑risk denial‑of‑service condition for affected systems. The CVSS score for this vulnerability is 5.5.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`11712ce70f8e52fc94365b48ee15aec806b02422`	affected	< 72846441c5f6396de9face04e77fa3d28e9915b6
`11712ce70f8e52fc94365b48ee15aec806b02422`	affected	< 75992ba43072674fd4767df62a1fe2048565cc60
`11712ce70f8e52fc94365b48ee15aec806b02422`	affected	< 9aa8d63d09cfc44d879427cc5ba308012ca4ab8e

Linux

affected

Version	Status	Constraints
`6.15`	affected	—
`0`	unaffected	< 6.15
`6.18.16`	unaffected	≤ 6.18.*
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[11712ce70f8e52fc94365b48ee15aec806b02422,72846441c5f6396de9face04e77fa3d28e9915b6)`	affected	code_commit	—
`[11712ce70f8e52fc94365b48ee15aec806b02422,75992ba43072674fd4767df62a1fe2048565cc60)`	affected	code_commit	—
`[11712ce70f8e52fc94365b48ee15aec806b02422,9aa8d63d09cfc44d879427cc5ba308012ca4ab8e)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.15`	affected	generic	—
`[0,6.15)`	unaffected	semver	—
`[6.18.16,6.19.0)`	unaffected	semver	—
`[6.19.6,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply a kernel update that incorporates the NULL‑check commit for inst_hfi_gen2->packet in iris_kill_session.
If updating is not possible, unload or blacklist the iris kernel module and remove the associated device nodes to prevent the driver from loading.
Restrict access to the iris device files by setting strict udev rules or changing ownership rather than allowing the device to be accessed by untrusted users.

Generated by OpenCVE AI on May 11, 2026 at 21:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/72846441c5f6396de9face04e77fa3d28e9915b6
https://git.kernel.org/stable/c/75992ba43072674fd4767df62a1fe2048565cc60
https://git.kernel.org/stable/c/9aa8d63d09cfc44d879427cc5ba308012ca4ab8e
https://lore.kernel.org/linux-cve-announce/2026050651-CVE-2026-43217-735d@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43217
https://www.cve.org/CVERecord?id=CVE-2026-43217

History

Mon, 11 May 2026 19:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-401
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Thu, 07 May 2026 04:45:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-416 CWE-476

Thu, 07 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-825
References		https://lore.kernel.org/linux-cve-announce/2026050651-CVE-2026-43217-735d@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43217 https://www.cve.org/CVERecord?id=CVE-2026-43217

Wed, 06 May 2026 15:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416 CWE-476

Wed, 06 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: media: iris: gen2: Add sanity check for session stop In iris_kill_session, inst->state is set to IRIS_INST_ERROR and session_close is executed, which will kfree(inst_hfi_gen2->packet). If stop_streaming is called afterward, it will cause a crash. Add a NULL check for inst_hfi_gen2->packet before sendling STOP packet to firmware to fix that.
Title		media: iris: gen2: Add sanity check for session stop
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/72846441c5f6396de9face04e77fa3d28e9915b6 https://git.kernel.org/stable/c/75992ba43072674fd4767df62a1fe2048565cc60 https://git.kernel.org/stable/c/9aa8d63d09cfc44d879427cc5ba308012ca4ab8e

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T11:28:18.922Z

Updated: 2026-05-11T22:20:16.065Z

Reserved: 2026-05-01T14:12:55.993Z

Link: CVE-2026-43217

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-06T12:16:41.300

Modified: 2026-05-11T19:27:49.807

Link: CVE-2026-43217

Redhat

Severity :

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43217 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-11T21:30:26Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object