Description
In the Linux kernel, the following vulnerability has been resolved:

media: saa7164: add ioremap return checks and cleanups

Add checks for ioremap return values in saa7164_dev_setup(). If
ioremap for BAR0 or BAR2 fails, release the already allocated PCI
memory regions, remove the device from the global list, decrement
the device count, and return -ENODEV.

This prevents potential null pointer dereferences and ensures proper
cleanup on memory mapping failures.
Published: 2026-05-28
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The saa7164 device setup routine in the Linux kernel media subsystem does not verify the return value of ioremap when mapping PCI device BAR0 or BAR2. If either mapping fails, the code continues to use the resulting null pointer, which can cause a kernel crash due to a null pointer dereference, a weakness identified as CWE-252.
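The check-and-unwind order described for saa7164_dev_setup(), as an added user-space sketch rather than the kernel patch or driver source. `struct model_dev`, `model_ioremap`, `model_iounmap`, `fail_bar` and the counters are hypothetical stand-ins, and unmapping BAR0 when BAR2 fails is an assumption of this sketch that the description does not state.

```c
/* Added user-space model; every name here is hypothetical, not driver code. */
#include <errno.h>
#include <stddef.h>

struct model_dev { void *bar0, *bar2; int regions_held, on_list; };

static int dev_count;      /* stands in for the driver's global device count */
static int live_maps;      /* mappings currently outstanding */
static int fail_bar = -1;  /* constructed fault injection: 0 or 2 makes that BAR fail */
static char fake_mmio[2][16];

static void *model_ioremap(int bar)
{
    if (bar == fail_bar)
        return NULL;       /* ioremap reports failure by returning NULL */
    live_maps++;
    return fake_mmio[bar == 2];
}

static void model_iounmap(void *p) { if (p) live_maps--; }

int model_dev_setup(struct model_dev *dev)
{
    dev->regions_held = 1; /* PCI memory regions claimed */
    dev->on_list = 1;      /* device added to the global list */
    dev_count++;

    dev->bar0 = model_ioremap(0);
    if (!dev->bar0)        /* without this check, BAR0 would be used as NULL */
        goto err_release;
    dev->bar2 = model_ioremap(2);
    if (!dev->bar2)
        goto err_unmap_bar0;
    return 0;

err_unmap_bar0:            /* assumption of this sketch: drop BAR0 if BAR2 fails */
    model_iounmap(dev->bar0);
    dev->bar0 = NULL;
err_release:               /* the cleanup steps the description lists */
    dev->regions_held = 0;
    dev->on_list = 0;
    dev_count--;
    return -ENODEV;
}
```

Setting `fail_bar` to 0 or 2 before calling `model_dev_setup()` exercises each failure path; in both cases the device count and outstanding mappings return to their prior values.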

Affected Systems

Any Linux system that loads the saa7164 media driver and is running a kernel version that lacks the recent patch adding NULL-check logic is vulnerable. Distributions shipping kernels before the commit identified in the references are at risk; updating to a kernel version that includes the fix removes the vulnerability.

Risk and Exploitability

The flaw is not listed in CISA KEV and the EPSS score is less than 1%, indicating that large-scale exploitation has not been recorded and the probability of exploitation is low. However, the CVSS score of 5.5 classifies it as a moderate-severity local vulnerability. Based on the description, it is inferred that an attacker must have local or privileged access to trigger the saa7164 driver initialization, after which the unchecked return value could be exploited to bring the kernel down, resulting in a denial of service. The vulnerability exhibits characteristics of CWE-252 and CWE-476, and keeping the kernel patched is the recommended mitigation.

Generated by OpenCVE AI on June 10, 2026 at 23:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the operating system kernel to a version that includes the commit adding null-check logic for saa7164 ioremap mappings.
  • If an immediate kernel update is not possible, consider disabling or unloading the saa7164 driver when it is not required to mitigate the risk.
  • Regularly check distribution security updates and apply patches promptly to ensure the saa7164 driver fix is installed.



Advisories

No advisories yet.

History

Wed, 10 Jun 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Mon, 01 Jun 2026 17:00:00 +0000


Fri, 29 May 2026 04:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Fri, 29 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-252
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Low


Thu, 28 May 2026 13:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Thu, 28 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: media: saa7164: add ioremap return checks and cleanups Add checks for ioremap return values in saa7164_dev_setup(). If ioremap for BAR0 or BAR2 fails, release the already allocated PCI memory regions, remove the device from the global list, decrement the device count, and return -ENODEV. This prevents potential null pointer dereferences and ensures proper cleanup on memory mapping failures.
Title media: saa7164: add ioremap return checks and cleanups
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-14T18:04:45.615Z

Reserved: 2026-05-13T15:03:33.106Z

Link: CVE-2026-46235

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-28T10:16:39.143

Modified: 2026-06-10T21:10:40.253

Link: CVE-2026-46235

Redhat

Severity : Low

Public Date: 2026-05-28T00:00:00Z

Links: CVE-2026-46235 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-10T23:15:28Z

Weaknesses