Description
In the Linux kernel, the following vulnerability has been resolved:

media: solo6x10: Check for out of bounds chip_id

Clang with CONFIG_UBSAN_SHIFT=y noticed a condition where a signed type
(literal "1" is an "int") could end up being shifted beyond 32 bits,
so instrumentation was added (and due to the double is_tw286x() call
seen via inlining), Clang decides the second one must now be undefined
behavior and elides the rest of the function[1]. This is a known problem
with Clang (that is still being worked on), but we can avoid the entire
problem by actually checking the existing max chip ID, and now there is
no runtime instrumentation added at all since everything is known to be
within bounds.

Additionally use an unsigned value for the shift to remove the
instrumentation even without the explicit bounds checking.

[hverkuil: fix checkpatch warning for is_tw286x]
Published: 2026-05-08
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The solo6x10 media driver in the Linux kernel contains a signed integer shift that can exceed 32‑bit bounds when compiled with Clang’s UBSAN shift instrumentation. This causes undefined behavior because the shift value becomes larger than the integer width, prompting the compiler to eliminate the remainder of the function. The upstream fix adds a bounds check on the chip_id and switches the shift to use an unsigned value, thereby removing the problematic instrumentation and preventing the undefined behavior during normal operation.

Affected Systems

All Linux kernel builds that include the solo6x10 driver and are compiled with UBSAN shift instrumentation enabled (e.g., CONFIG_UBSAN_SHIFT). Distributions shipping default kernels with UBSAN disabled are not affected, but custom kernel builds that enable UBSAN may trigger the issue.

Risk and Exploitability

The CVSS score of 5.5 indicates a moderate severity flaw. The EPSS score is less than 1%, indicating a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. It activates only when UBSAN shift instrumentation is enabled. No public exploits have been reported. The resulting undefined behavior could lead to kernel instability in those builds, but exposure remains limited to environments that enable these checks.

Generated by OpenCVE AI on May 15, 2026 at 21:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that incorporates the solo6x10 bounds‑check patch
  • If no update is available, manually patch the driver by adding a bounds check for chip_id and using an unsigned shift
  • Disable CONFIG_UBSAN_SHIFT or all UBSAN instrumentation when building the kernel

Generated by OpenCVE AI on May 15, 2026 at 21:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4606-1 linux security update
History

Fri, 15 May 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190

Fri, 15 May 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190

Fri, 15 May 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
References

Fri, 08 May 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190

Fri, 08 May 2026 14:00:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: media: solo6x10: Check for out of bounds chip_id Clang with CONFIG_UBSAN_SHIFT=y noticed a condition where a signed type (literal "1" is an "int") could end up being shifted beyond 32 bits, so instrumentation was added (and due to the double is_tw286x() call seen via inlining), Clang decides the second one must now be undefined behavior and elides the rest of the function[1]. This is a known problem with Clang (that is still being worked on), but we can avoid the entire problem by actually checking the existing max chip ID, and now there is no runtime instrumentation added at all since everything is known to be within bounds. Additionally use an unsigned value for the shift to remove the instrumentation even without the explicit bounds checking. [hverkuil: fix checkpatch warning for is_tw286x]
Title media: solo6x10: Check for out of bounds chip_id
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:22:12.135Z

Reserved: 2026-05-01T14:12:56.001Z

Link: CVE-2026-43316

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-05-08T14:16:40.117

Modified: 2026-05-15T18:32:29.457

Link: CVE-2026-43316

cve-icon Redhat

Severity :

Publid Date: 2026-05-08T00:00:00Z

Links: CVE-2026-43316 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T21:45:09Z

Weaknesses