Description
In the Linux kernel, the following vulnerability has been resolved:

media: i2c: ov5647: Initialize subdev before controls

In ov5647_init_controls() we call v4l2_get_subdevdata, but it is
initialized by v4l2_i2c_subdev_init() in the probe, which currently
happens after init_controls(). This can result in a segfault if the
error condition is hit, and we try to access i2c_client, so fix the
order.
Published: 2026-05-08
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In the Linux kernel, the ov5647 camera driver calls v4l2_get_subdevdata() from ov5647_init_controls() before v4l2_i2c_subdev_init() has initialized the subdevice data in probe, leading to a segmentation fault when the error condition is hit and the driver tries to access the i2c_client. This results in a kernel crash, causing a complete system denial of service, and it exposes no remote attack surface. The weakness is a classic improper initialization problem in which the kernel dereferences an uninitialized pointer.
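
The ordering problem described above, as a user-space model added here for illustration (not the driver's code). The struct and function names are simplified stand-ins, the zero-initialised sensor is an assumption, and the NULL guard exists only so the model can report the condition instead of crashing:

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the kernel types named in the description. */
struct i2c_client  { const char *name; };
struct v4l2_subdev { void *dev_priv; };
struct sensor      { struct v4l2_subdev sd; };

/* Models v4l2_get_subdevdata(): returns whatever was stored, or NULL. */
static void *get_subdevdata(const struct v4l2_subdev *sd) { return sd->dev_priv; }

/* Models v4l2_i2c_subdev_init(): the only place the client is stored. */
static void i2c_subdev_init(struct v4l2_subdev *sd, struct i2c_client *c)
{
    sd->dev_priv = c;
}

/* Models the error path of init_controls(): returns the client name the
 * error would be reported against, or NULL where the unguarded driver
 * code would dereference an unset pointer. */
static const char *init_controls_error_path(struct sensor *s)
{
    struct i2c_client *client = get_subdevdata(&s->sd);
    if (!client)                 /* guard present only in this model */
        return NULL;
    return client->name;
}

/* Order before the fix: controls first, subdev init second. */
const char *probe_old_order(struct i2c_client *c)
{
    struct sensor s = { .sd = { .dev_priv = NULL } };
    const char *seen = init_controls_error_path(&s);
    i2c_subdev_init(&s.sd, c);   /* too late for the error path above */
    return seen;
}

/* Order after the fix: subdev init first, controls second. */
const char *probe_fixed_order(struct i2c_client *c)
{
    struct sensor s = { .sd = { .dev_priv = NULL } };
    i2c_subdev_init(&s.sd, c);
    return init_controls_error_path(&s);
}

int main(void)
{
    struct i2c_client c = { "ov5647" };
    printf("old order sees client: %s\n", probe_old_order(&c) ? "yes" : "no (NULL)");
    printf("fixed order sees client: %s\n", probe_fixed_order(&c) ? "yes" : "no (NULL)");
    return 0;
}
```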

Affected Systems

The vulnerability affects the Linux kernel in all distributions where the ov5647 driver is compiled. No specific kernel versions are listed, so all current kernels that include the driver are potentially impacted until a patched version is available.

Risk and Exploitability

The CVSS score is 5.5, indicating moderate severity, and the EPSS score is <1%, reflecting a low likelihood of exploitation. The lack of listing in CISA KEV suggests no public exploitation. Exploitation would require local or physical access to a machine with the ov5647 camera module, and the attack vector is inferred to be local. Given the potential for a kernel crash, the vulnerability should be treated with high priority.

Generated by OpenCVE AI on May 15, 2026 at 18:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest stable Linux kernel that incorporates the patch to the ov5647 driver.
  • If a kernel update is not immediately possible, temporarily disable or unplug the ov5647 camera module to prevent the driver from loading until it can be patched.
  • After applying the update, restart any applications or services that depend on the camera driver so they reinitialize correctly.



Advisories

No advisories yet.

History

Fri, 15 May 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Sat, 09 May 2026 02:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-457
CWE-665

Sat, 09 May 2026 00:15:00 +0000


Fri, 08 May 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-457
CWE-665

Fri, 08 May 2026 13:30:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: media: i2c: ov5647: Initialize subdev before controls In ov5647_init_controls() we call v4l2_get_subdevdata, but it is initialized by v4l2_i2c_subdev_init() in the probe, which currently happens after init_controls(). This can result in a segfault if the error condition is hit, and we try to access i2c_client, so fix the order.
Title media: i2c: ov5647: Initialize subdev before controls
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:22:07.459Z

Reserved: 2026-05-01T14:12:56.001Z

Link: CVE-2026-43312

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-05-08T14:16:39.587

Modified: 2026-05-15T17:22:24.033

Link: CVE-2026-43312

Redhat

Severity:

Public Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43312 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-15T18:30:05Z

Weaknesses