CVE-2026-43246 - Vulnerability Details

- media: i2c/tw9906: Fix potential memory leak in tw9906_probe()

Description

In the Linux kernel, the following vulnerability has been resolved:

media: i2c/tw9906: Fix potential memory leak in tw9906_probe()

In one of the error paths in tw9906_probe(), the memory allocated in
v4l2_ctrl_handler_init() and v4l2_ctrl_new_std() is not freed. Fix that
by calling v4l2_ctrl_handler_free() on the handler in that error path.

Published: 2026-05-06

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Linux kernel media driver for the TW9906 I2C device contains a memory leak triggered when the probe function follows an error path. In that path, memory allocated by v4l2_ctrl_handler_init and v4l2_ctrl_new_std is not released because v4l2_ctrl_handler_free is omitted. This flaw corresponds to CWE-401 and CWE-772. If repeatedly triggered, the leak can exhaust system memory, leading to a denial‑of‑service condition. The CVSS score of 5.5 reflects moderate risk for local impact.

Affected Systems

The vulnerability is present in the tw9906 driver within the Linux kernel media subsystem. No specific kernel version is listed in the advisory, so any Linux kernel build that includes the unpatched driver is affected. The flaw resides in all distributions that ship the kernel with the incremental driver before the commit that adds the missing cleanup.

Risk and Exploitability

Based on the description, it is inferred that the attack vector requires the attacker to trigger the probe routine, which typically occurs when the TW9906 device is attached or when the kernel module is loaded. Therefore, an attacker with local privileges or the ability to present a malicious I2C device could force the driver into the error path repeatedly. The EPSS score of <1% indicates a low likelihood of exploitation, and the flaw is not listed in the CISA KEV catalog, so it is currently not known to be actively exploited. However, the moderate CVSS score warrants monitoring and planning for potential service disruption.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`a000e9a02b5885b1b69f691c80e346d102f94a88`	affected	< e9a490937942f18205dac7b6b192975ef1369ae1
`a000e9a02b5885b1b69f691c80e346d102f94a88`	affected	< 9548a8bbf511a252a9848f96220c6b95c9a3b918
`a000e9a02b5885b1b69f691c80e346d102f94a88`	affected	< 0c33338514d8246280533a77091e6b6ee548c606
`a000e9a02b5885b1b69f691c80e346d102f94a88`	affected	< ccb92def042a3636ed47f25a30bd553788e5191e
`a000e9a02b5885b1b69f691c80e346d102f94a88`	affected	< fb09d8b80046216646f1a344410cfa9cfa6c6c7c
`a000e9a02b5885b1b69f691c80e346d102f94a88`	affected	< 377a7756914364d72550fc86ca0f404ef1d96141
`a000e9a02b5885b1b69f691c80e346d102f94a88`	affected	< 59420d5d9c46b084e21f9ea6ce79fc79ae9e414c
`a000e9a02b5885b1b69f691c80e346d102f94a88`	affected	< cad237b6c875fbee5d353a2b289e98d240d17ec8

Linux

affected

Version	Status	Constraints
`3.10`	affected	—
`0`	unaffected	< 3.10
`5.10.252`	unaffected	≤ 5.10.*
`5.15.202`	unaffected	≤ 5.15.*
`6.1.165`	unaffected	≤ 6.1.*
`6.6.128`	unaffected	≤ 6.6.*
`6.12.75`	unaffected	≤ 6.12.*
`6.18.16`	unaffected	≤ 6.18.*
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[a000e9a02b5885b1b69f691c80e346d102f94a88,e9a490937942f18205dac7b6b192975ef1369ae1)`	affected	code_commit	['*']
`[a000e9a02b5885b1b69f691c80e346d102f94a88,9548a8bbf511a252a9848f96220c6b95c9a3b918)`	affected	code_commit	['*']
`[a000e9a02b5885b1b69f691c80e346d102f94a88,0c33338514d8246280533a77091e6b6ee548c606)`	affected	code_commit	['*']
`[a000e9a02b5885b1b69f691c80e346d102f94a88,377a7756914364d72550fc86ca0f404ef1d96141)`	affected	code_commit	['*']
`[a000e9a02b5885b1b69f691c80e346d102f94a88,59420d5d9c46b084e21f9ea6ce79fc79ae9e414c)`	affected	code_commit	['*']
`[a000e9a02b5885b1b69f691c80e346d102f94a88,cad237b6c875fbee5d353a2b289e98d240d17ec8)`	affected	code_commit	['*']
`[a000e9a02b5885b1b69f691c80e346d102f94a88,fb09d8b80046216646f1a344410cfa9cfa6c6c7c)`	affected	code_commit	['*']

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`3.10`	affected	semver	['*']
`[0,3.10)`	unaffected	semver	['*']
`[5.10.252,5.11.0)`	unaffected	semver	['*']
`[5.15.202,5.16.0)`	unaffected	semver	['*']
`[6.1.165,6.2.0)`	unaffected	semver	['*']
`[6.6.128,6.7.0)`	unaffected	semver	['*']
`[6.12.75,6.13.0)`	unaffected	semver	['*']
`[6.18.16,6.19.0)`	unaffected	semver	['*']
`[6.19.6,6.20.0)`	unaffected	semver	['*']
`[7.0,*]`	unaffected	generic	['*']

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Linux kernel to a version that includes the tw9906 probe fix (commit 0c333385 or later).
If the TW9906 driver is not required, disable or blacklist the i2c/tw9906 kernel module to prevent the vulnerable code from loading.
Monitor system memory usage for abnormal spikes and enforce strict I2C device node permissions to limit local attacker privileges.

Generated by OpenCVE AI on May 11, 2026 at 18:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4606-1	linux security update

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/0c33338514d8246280533a77091e6b6ee548c606
https://git.kernel.org/stable/c/377a7756914364d72550fc86ca0f404ef1d96141
https://git.kernel.org/stable/c/59420d5d9c46b084e21f9ea6ce79fc79ae9e414c
https://git.kernel.org/stable/c/9548a8bbf511a252a9848f96220c6b95c9a3b918
https://git.kernel.org/stable/c/cad237b6c875fbee5d353a2b289e98d240d17ec8
https://git.kernel.org/stable/c/ccb92def042a3636ed47f25a30bd553788e5191e
https://git.kernel.org/stable/c/e9a490937942f18205dac7b6b192975ef1369ae1
https://git.kernel.org/stable/c/fb09d8b80046216646f1a344410cfa9cfa6c6c7c
https://lore.kernel.org/linux-cve-announce/2026050601-CVE-2026-43246-ec1c@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43246
https://www.cve.org/CVERecord?id=CVE-2026-43246

History

Mon, 11 May 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Fri, 08 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-772
References		https://lore.kernel.org/linux-cve-announce/2026050601-CVE-2026-43246-ec1c@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43246 https://www.cve.org/CVERecord?id=CVE-2026-43246

Wed, 06 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-401

Wed, 06 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: media: i2c/tw9906: Fix potential memory leak in tw9906_probe() In one of the error paths in tw9906_probe(), the memory allocated in v4l2_ctrl_handler_init() and v4l2_ctrl_new_std() is not freed. Fix that by calling v4l2_ctrl_handler_free() on the handler in that error path.
Title		media: i2c/tw9906: Fix potential memory leak in tw9906_probe()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/0c33338514d8246280533a77091e6b6ee548c606 https://git.kernel.org/stable/c/377a7756914364d72550fc86ca0f404ef1d96141 https://git.kernel.org/stable/c/59420d5d9c46b084e21f9ea6ce79fc79ae9e414c https://git.kernel.org/stable/c/9548a8bbf511a252a9848f96220c6b95c9a3b918 https://git.kernel.org/stable/c/cad237b6c875fbee5d353a2b289e98d240d17ec8 https://git.kernel.org/stable/c/ccb92def042a3636ed47f25a30bd553788e5191e https://git.kernel.org/stable/c/e9a490937942f18205dac7b6b192975ef1369ae1 https://git.kernel.org/stable/c/fb09d8b80046216646f1a344410cfa9cfa6c6c7c

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-06T11:28:38.246Z

Updated: 2026-05-11T22:20:50.199Z

Reserved: 2026-05-01T14:12:55.996Z

Link: CVE-2026-43246

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-06T12:16:45.103

Modified: 2026-05-11T13:32:06.267

Link: CVE-2026-43246

Redhat

Severity :

Publid Date: 2026-05-06T00:00:00Z

Links: CVE-2026-43246 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-11T18:45:25Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object