Description
In the Linux kernel, the following vulnerability has been resolved:

media: rockchip: rga: Fix possible ERR_PTR dereference in rga_buf_init()

rga_get_frame() can return ERR_PTR(-EINVAL) when buffer type is
unsupported or invalid. rga_buf_init() does not check the return value
and unconditionally dereferences the pointer when accessing f->size.

Add proper ERR_PTR checking and return the error to prevent
dereferencing an invalid pointer.
Published: 2026-05-08
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Rockchip RGA subsystem of the Linux kernel. A function that prepares buffers for image processing, rga_buf_init(), does not verify the return value of rga_get_frame(), which can return a special error pointer when an unsupported or invalid buffer type is requested. Accessing the size field through an invalid pointer will trigger a kernel fault and cause the system to crash. The failure results in a denial of service because the kernel degrades to an unsafe state and may require a reboot.

Affected Systems

All Linux kernel releases that include the Rockchip RGA driver are potentially affected. No specific kernel versions are listed in the advisory, but the issue can arise in any build that contains the unpatched rga_buf_init() function.

Risk and Exploitability

The exploit requires local access to the affected kernel driver. A malicious user must be able to invoke the RGA interface with an invalid or unsupported buffer type to trigger the invalid dereference. While no CVSS or EPSS scores are published, the lack of an easily exploitable code execution path suggests a moderate risk primarily limited to system instability. The vulnerability is not listed in the CISA KEV catalog, indicating that no widespread exploitation has been reported.

Generated by OpenCVE AI on May 8, 2026 at 14:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the kernel to a version that includes the rga_buf_init() check or apply a backported patch from the upstream commit.
  • If an immediate kernel update is not feasible, apply the upstream patch locally and rebuild the kernel to eliminate the unchecked dereference.
  • Restrict access to the Rockchip RGA subsystem so that only privileged users or trusted services can use it, thereby reducing the attack surface for local exploits.

Generated by OpenCVE AI on May 8, 2026 at 14:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
References

Fri, 08 May 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Fri, 08 May 2026 13:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: media: rockchip: rga: Fix possible ERR_PTR dereference in rga_buf_init() rga_get_frame() can return ERR_PTR(-EINVAL) when buffer type is unsupported or invalid. rga_buf_init() does not check the return value and unconditionally dereferences the pointer when accessing f->size. Add proper ERR_PTR checking and return the error to prevent dereferencing an invalid pointer.
Title media: rockchip: rga: Fix possible ERR_PTR dereference in rga_buf_init()
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-08T13:11:19.530Z

Reserved: 2026-05-01T14:12:55.999Z

Link: CVE-2026-43297

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-08T14:16:36.863

Modified: 2026-05-08T14:16:36.863

Link: CVE-2026-43297

cve-icon Redhat

Severity :

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43297 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T16:15:12Z

Weaknesses