Description
In the Linux kernel, the following vulnerability has been resolved:

media: chips-media: wave5: Fix kthread worker destruction in polling mode

Fix the cleanup order in polling mode (irq < 0) to prevent kernel warnings
during module removal. Cancel the hrtimer before destroying the kthread
worker to ensure work queues are empty.

In polling mode, the driver uses hrtimer to periodically trigger
wave5_vpu_timer_callback() which queues work via kthread_queue_work().
The kthread_destroy_worker() function validates that both work queues
are empty with WARN_ON(!list_empty(&worker->work_list)) and
WARN_ON(!list_empty(&worker->delayed_work_list)).

The original code called kthread_destroy_worker() before hrtimer_cancel(),
creating a race condition where the timer could fire during worker
destruction and queue new work, triggering the WARN_ON.

This causes the following warning on every module unload in polling mode:

------------[ cut here ]------------
WARNING: CPU: 2 PID: 1034 at kernel/kthread.c:1430
kthread_destroy_worker+0x84/0x98
Modules linked in: wave5(-) rpmsg_ctrl rpmsg_char ...
Call trace:
kthread_destroy_worker+0x84/0x98
wave5_vpu_remove+0xc8/0xe0 [wave5]
platform_remove+0x30/0x58
...
---[ end trace 0000000000000000 ]---
Published: 2026-05-08
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The wave5 media driver in the Linux kernel contains a race condition in polling mode where an hrtimer can fire after the kthread worker has begun destruction. The kernel’s kthread_destroy_worker checks that its work lists are empty and emits a WARN_ON when they are not, resulting in a warning trace every time the module is unloaded. This warning indicates that new work was queued during worker teardown, potentially causing repeated unload failures and kernel instability.

Affected Systems

Any Linux kernel that builds and loads the wave5 media driver is affected. No specific kernel or driver versions are listed, so the issue applies to all builds that include this driver compiled in polling mode.

Risk and Exploitability

The EPSS score is not available and the CVE is not listed in CISA KEV, indicating no known public exploitation. No CVSS score is provided, so the exact severity is unclear, but the flaw results only in kernel warnings and potential instability rather than privilege escalation or data disclosure. An attacker would need the ability to load and unload the wave5 driver, which typically requires root or device access, and could trigger repeated warnings or a denial‑of‑service by forcing many unloads.

Generated by OpenCVE AI on May 9, 2026 at 04:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel update that includes the wave5 media driver fix.
  • Backport the patch to the current kernel if an update is not yet available.
  • Avoid unloading the wave5 driver until the hrtimer is cancelled and the worker is clean, or reboot the system after loading the driver.

Generated by OpenCVE AI on May 9, 2026 at 04:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 09 May 2026 03:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-367
References

Fri, 08 May 2026 16:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362

Fri, 08 May 2026 13:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: media: chips-media: wave5: Fix kthread worker destruction in polling mode Fix the cleanup order in polling mode (irq < 0) to prevent kernel warnings during module removal. Cancel the hrtimer before destroying the kthread worker to ensure work queues are empty. In polling mode, the driver uses hrtimer to periodically trigger wave5_vpu_timer_callback() which queues work via kthread_queue_work(). The kthread_destroy_worker() function validates that both work queues are empty with WARN_ON(!list_empty(&worker->work_list)) and WARN_ON(!list_empty(&worker->delayed_work_list)). The original code called kthread_destroy_worker() before hrtimer_cancel(), creating a race condition where the timer could fire during worker destruction and queue new work, triggering the WARN_ON. This causes the following warning on every module unload in polling mode: ------------[ cut here ]------------ WARNING: CPU: 2 PID: 1034 at kernel/kthread.c:1430 kthread_destroy_worker+0x84/0x98 Modules linked in: wave5(-) rpmsg_ctrl rpmsg_char ... Call trace: kthread_destroy_worker+0x84/0x98 wave5_vpu_remove+0xc8/0xe0 [wave5] platform_remove+0x30/0x58 ... ---[ end trace 0000000000000000 ]---
Title media: chips-media: wave5: Fix kthread worker destruction in polling mode
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-08T13:11:16.812Z

Reserved: 2026-05-01T14:12:55.999Z

Link: CVE-2026-43293

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-08T14:16:36.377

Modified: 2026-05-08T14:16:36.377

Link: CVE-2026-43293

cve-icon Redhat

Severity :

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43293 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T05:00:10Z

Weaknesses