CVE-2026-43297 - Vulnerability Details

- media: rockchip: rga: Fix possible ERR_PTR dereference in rga_buf_init()

Description

In the Linux kernel, the following vulnerability has been resolved:

media: rockchip: rga: Fix possible ERR_PTR dereference in rga_buf_init()

rga_get_frame() can return ERR_PTR(-EINVAL) when buffer type is
unsupported or invalid. rga_buf_init() does not check the return value
and unconditionally dereferences the pointer when accessing f->size.

Add proper ERR_PTR checking and return the error to prevent
dereferencing an invalid pointer.

Published: 2026-05-08

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in the Rockchip RGA subsystem of the Linux kernel. A function that prepares buffers for image processing, rga_buf_init(), does not verify the return value of rga_get_frame(), which can return a special error pointer when an unsupported or invalid buffer type is requested. Accessing the size field through an invalid pointer will trigger a kernel fault and cause the system to crash. The failure results in a denial of service because the kernel degrades to an unsafe state and may require a reboot.

Affected Systems

All Linux kernel releases that include the Rockchip RGA driver are potentially affected. No specific kernel versions are listed in the advisory, but the issue can arise in any build that contains the unpatched rga_buf_init() function.

Risk and Exploitability

The exploit requires local access to the affected kernel driver. A malicious user must be able to invoke the RGA interface with an invalid or unsupported buffer type to trigger the invalid dereference. The CVSS score of 5.5 indicates moderate severity, and the EPSS < 1% suggests that exploitation is unlikely. The vulnerability is not listed in the CISA KEV catalog, indicating no widespread exploitation has been reported.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Linux

unaffected

Version	Status	Constraints
`6040702ade234c8212dcfdef85e2f5549aa2f0f5`	affected	< 5da29ade540b51763b950987bd410add7edaf3d1
`6040702ade234c8212dcfdef85e2f5549aa2f0f5`	affected	< 1af2853b4e97fd95262fdef311b2334337069bc9
`6040702ade234c8212dcfdef85e2f5549aa2f0f5`	affected	< aa22221c5dc695a3d479e1e1b63f0c0e9eb29dbf
`6040702ade234c8212dcfdef85e2f5549aa2f0f5`	affected	< 81f8e0e6a2e115df9274d0289779f8fca694479c

Linux

affected

Version	Status	Constraints
`6.8`	affected	—
`0`	unaffected	< 6.8
`6.12.75`	unaffected	≤ 6.12.*
`6.18.16`	unaffected	≤ 6.18.*
`6.19.6`	unaffected	≤ 6.19.*
`7.0`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::

No data.

Vendor Product Confidence Versions

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`[6040702ade234c8212dcfdef85e2f5549aa2f0f5,5da29ade540b51763b950987bd410add7edaf3d1)`	affected	code_commit	—
`[6040702ade234c8212dcfdef85e2f5549aa2f0f5,1af2853b4e97fd95262fdef311b2334337069bc9)`	affected	code_commit	—
`[6040702ade234c8212dcfdef85e2f5549aa2f0f5,aa22221c5dc695a3d479e1e1b63f0c0e9eb29dbf)`	affected	code_commit	—
`[6040702ade234c8212dcfdef85e2f5549aa2f0f5,81f8e0e6a2e115df9274d0289779f8fca694479c)`	affected	code_commit	—

Linux

Linux Kernel

99%

Version	Status	Scheme	Platform
`6.8`	affected	semver	—
`[0,6.8)`	unaffected	semver	—
`[6.12.75,6.13.0)`	unaffected	semver	—
`[6.18.16,6.19.0)`	unaffected	semver	—
`[6.19.6,6.20.0)`	unaffected	semver	—
`[7.0,*]`	unaffected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the kernel to a version that includes the rga_buf_init() check or apply a backported patch from the upstream commit to eliminate the unchecked ERR_PTR dereference, thus mitigating the null pointer dereference identified as CWE-476.
If an immediate kernel update is not feasible, apply the upstream patch locally and rebuild the kernel, ensuring the function performs proper error handling before accessing the buffer.
Restrict access to the Rockchip RGA subsystem so that only privileged users or trusted services can use it, thereby reducing the attack surface for local exploits.

Generated by OpenCVE AI on May 15, 2026 at 17:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://git.kernel.org/stable/c/1af2853b4e97fd95262fdef311b2334337069bc9
https://git.kernel.org/stable/c/5da29ade540b51763b950987bd410add7edaf3d1
https://git.kernel.org/stable/c/81f8e0e6a2e115df9274d0289779f8fca694479c
https://git.kernel.org/stable/c/aa22221c5dc695a3d479e1e1b63f0c0e9eb29dbf
https://lore.kernel.org/linux-cve-announce/2026050855-CVE-2026-43297-4595@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2026-43297
https://www.cve.org/CVERecord?id=CVE-2026-43297

History

Fri, 15 May 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

Sat, 09 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
References		https://lore.kernel.org/linux-cve-announce/2026050855-CVE-2026-43297-4595@gregkh/T https://nvd.nist.gov/vuln/detail/CVE-2026-43297 https://www.cve.org/CVERecord?id=CVE-2026-43297

Fri, 08 May 2026 15:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-476

Fri, 08 May 2026 13:30:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: media: rockchip: rga: Fix possible ERR_PTR dereference in rga_buf_init() rga_get_frame() can return ERR_PTR(-EINVAL) when buffer type is unsupported or invalid. rga_buf_init() does not check the return value and unconditionally dereferences the pointer when accessing f->size. Add proper ERR_PTR checking and return the error to prevent dereferencing an invalid pointer.
Title		media: rockchip: rga: Fix possible ERR_PTR dereference in rga_buf_init()
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/1af2853b4e97fd95262fdef311b2334337069bc9 https://git.kernel.org/stable/c/5da29ade540b51763b950987bd410add7edaf3d1 https://git.kernel.org/stable/c/81f8e0e6a2e115df9274d0289779f8fca694479c https://git.kernel.org/stable/c/aa22221c5dc695a3d479e1e1b63f0c0e9eb29dbf

Subscriptions

Linux Linux Kernel

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-05-08T13:11:19.530Z

Updated: 2026-05-11T22:21:49.907Z

Reserved: 2026-05-01T14:12:55.999Z

Link: CVE-2026-43297

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-08T14:16:36.863

Modified: 2026-05-15T14:59:43.053

Link: CVE-2026-43297

Redhat

Severity :

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43297 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-15T17:45:04Z

Weaknesses

CWE-476

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object