CVE-2026-43222 - Vulnerability Details

- media: verisilicon: AV1: Fix tile info buffer size

Description

In the Linux kernel, the following vulnerability has been resolved:

media: verisilicon: AV1: Fix tile info buffer size

Each tile info is composed of: row_sb, col_sb, start_pos
and end_pos (4 bytes each). So the total required memory
is AV1_MAX_TILES * 16 bytes.
Use the correct #define to allocate the buffer and avoid
writing tile info in non-allocated memory.

Published: 2026-05-06

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel AV1 decoder incorrectly calculates the buffer size for tile information, allocating less memory than required. Each tile should account for 16 bytes of metadata, yet the wrong constant led to writes beyond the allocated buffer. This kernel memory corruption can overwrite critical data structures, potentially allowing an attacker to execute arbitrary code with kernel privileges or induce system instability. This is a buffer overflow flaw classified as CWE-131.

Affected Systems

The vulnerability is present in the Linux kernel media subsystem’s AV1 decoder whenever the affected kernel source is used. All distributions shipping a kernel build that has not applied the buffer‑size fix are potentially impacted. No specific kernel version range is listed in the advisory, so any kernel compiled from the unpatched code contains the flaw.

Risk and Exploitability

Buffer overflows in kernel space pose a high-security risk because they can give an attacker elevated privileges. The vulnerability requires exploitation in a kernel context; no network‑exposed trigger or publicly available exploit is documented. The CVSS score of 7.8 indicates a high severity, while the EPSS score of < 1% indicates a very low current exploitation probability. The issue is not listed in CISA's KEV catalog, which suggests that widespread exploitation has not yet been observed. The likely attack vector is inferred to be local privileged or compromised kernel access, as the flaw does not expose a remote entry point in the current description.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`727a400686a2c0d25015c9e44916a59b72882f83`	affected	< a5b1ddbe31f49b4da78642157589970e9b60a231
`727a400686a2c0d25015c9e44916a59b72882f83`	affected	< 34f36f9c6114af781a5a4f7a7c99334c85b73fc7
`727a400686a2c0d25015c9e44916a59b72882f83`	affected	< f122f2b3ce9dbde60bf7ab0b180fe4a01f9d9bc4
`727a400686a2c0d25015c9e44916a59b72882f83`	affected	< 74abfadd7ef5ac9f3a6111d550cc651d1457c641
`727a400686a2c0d25015c9e44916a59b72882f83`	affected	< a505ca2db89ad92a8d8d27fa68ebafb12e04a679

Linux

affected

Version	Status	Constraints
`6.5`	affected	—
`0`	unaffected	< 6.5
`6.6.128`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.16`	unaffected	≤ 6.18.*
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[727a400686a2c0d25015c9e44916a59b72882f83,a5b1ddbe31f49b4da78642157589970e9b60a231)`	affected	code_commit	—
`[727a400686a2c0d25015c9e44916a59b72882f83,34f36f9c6114af781a5a4f7a7c99334c85b73fc7)`	affected	code_commit	—
`[727a400686a2c0d25015c9e44916a59b72882f83,f122f2b3ce9dbde60bf7ab0b180fe4a01f9d9bc4)`	affected	code_commit	—
`[727a400686a2c0d25015c9e44916a59b72882f83,74abfadd7ef5ac9f3a6111d550cc651d1457c641)`	affected	code_commit	—
`[727a400686a2c0d25015c9e44916a59b72882f83,a505ca2db89ad92a8d8d27fa68ebafb12e04a679)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.5`	affected	semver	—
`[0,6.5)`	unaffected	semver	—
`[6.6.128,7.0.0)`	unaffected	semver	—
`[6.12.75,6.13.0)`	unaffected	semver	—
`[6.18.16,6.19.0)`	unaffected	semver	—
`[6.19.6,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the kernel to a release that includes the AV1 decoder buffer size fix.
Reboot the system after upgrading the kernel to ensure the patched code is loaded.
If a kernel upgrade cannot be performed immediately, disable or remove the AV1 media driver from the system to eliminate the vulnerable code path.

Generated by OpenCVE AI on May 8, 2026 at 22:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/34f36f9c6114af781a5a4f7a7c99334c85b73fc7
https://git.kernel.org/stable/c/74abfadd7ef5ac9f3a6111d550cc651d1457c641
https://git.kernel.org/stable/c/a505ca2db89ad92a8d8d27fa68ebafb12e04a679
https://git.kernel.org/stable/c/a5b1ddbe31f49b4da78642157589970e9b60a231
https://git.kernel.org/stable/c/f122f2b3ce9dbde60bf7ab0b180fe4a01f9d9bc4
https://lore.kernel.org/linux-cve-announce/2026050653-CVE-2026-43222-3676@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43222
https://www.cve.org/CVERecord?id=CVE-2026-43222

History

Fri, 08 May 2026 21:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo

Fri, 08 May 2026 13:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Thu, 07 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-131
References		https://lore.kernel.org/linux-cve-announce/2026050653-CVE-2026-43222-3676@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43222 https://www.cve.org/CVERecord?id=CVE-2026-43222

Wed, 06 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: media: verisilicon: AV1: Fix tile info buffer size Each tile info is composed of: row_sb, col_sb, start_pos and end_pos (4 bytes each). So the total required memory is AV1_MAX_TILES * 16 bytes. Use the correct #define to allocate the buffer and avoid writing tile info in non-allocated memory.
Title		media: verisilicon: AV1: Fix tile info buffer size
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/34f36f9c6114af781a5a4f7a7c99334c85b73fc7 https://git.kernel.org/stable/c/74abfadd7ef5ac9f3a6111d550cc651d1457c641 https://git.kernel.org/stable/c/a505ca2db89ad92a8d8d27fa68ebafb12e04a679 https://git.kernel.org/stable/c/a5b1ddbe31f49b4da78642157589970e9b60a231 https://git.kernel.org/stable/c/f122f2b3ce9dbde60bf7ab0b180fe4a01f9d9bc4

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T11:28:22.291Z

Updated: 2026-05-11T22:20:21.954Z

Reserved: 2026-05-01T14:12:55.994Z

Link: CVE-2026-43222

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-06T12:16:41.900

Modified: 2026-05-08T21:12:57.527

Link: CVE-2026-43222

Redhat

Severity :

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43222 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-08T22:30:18Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object