CVE-2022-50826
Description
In the Linux kernel, the following vulnerability has been resolved:
ipu3-imgu: Fix NULL pointer dereference in imgu_subdev_set_selection()
Calling v4l2_subdev_get_try_crop() and v4l2_subdev_get_try_compose() with a subdev state of NULL leads to a NULL pointer dereference. This can currently happen in imgu_subdev_set_selection() when the state passed in is NULL, as this method first gets pointers to both the "try" and "active" states and only then decides which to use.
The same issue has been addressed for imgu_subdev_get_selection() with commit 30d03a0de650 ("ipu3-imgu: Fix NULL pointer dereference in active selection access"). However the issue still persists in imgu_subdev_set_selection().
Therefore, apply a similar fix as done in the aforementioned commit to imgu_subdev_set_selection(). To keep things a bit cleaner, introduce helper functions for "crop" and "compose" access and use them in both imgu_subdev_set_selection() and imgu_subdev_get_selection().
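The fetch-both-then-choose pattern described above, next to the choose-first helper shape, as an added userspace C model; it is not the kernel patch or the driver's code. All type and function names are simplified stand-ins (assumptions), only the crop rectangle is modeled, and get_try_crop() counts a NULL state access instead of faulting so the difference can be checked.

```c
#include <stdio.h>

struct rect { int left, top, width, height; };
struct pad_cfg { struct rect try_crop; };
struct sd_state { struct pad_cfg *pads; };      /* stand-in for the subdev state */
struct imgu_model { struct rect active_crop; }; /* stand-in for the driver's active rect */
enum which { WHICH_TRY, WHICH_ACTIVE };
typedef struct rect *(*selector)(struct imgu_model *, struct sd_state *, unsigned int, enum which);
static int null_derefs; /* accesses that would fault in the kernel */

/* Stand-in for v4l2_subdev_get_try_crop(): uses the state unconditionally.
 * The model counts a NULL access instead of faulting so it can be tested. */
static struct rect *get_try_crop(struct sd_state *state, unsigned int pad)
{
    if (!state) { null_derefs++; return NULL; }
    return &state->pads[pad].try_crop;
}

/* Pattern from the description: fetch both pointers, then choose. */
static struct rect *crop_fetch_both(struct imgu_model *m, struct sd_state *state,
                                    unsigned int pad, enum which which)
{
    struct rect *try_rect = get_try_crop(state, pad); /* runs even for ACTIVE */
    struct rect *active_rect = &m->active_crop;
    return which == WHICH_TRY ? try_rect : active_rect;
}

/* Helper pattern: choose first, touch the state only on the TRY path. */
static struct rect *crop_choose_first(struct imgu_model *m, struct sd_state *state,
                                      unsigned int pad, enum which which)
{
    return which == WHICH_TRY ? get_try_crop(state, pad) : &m->active_crop;
}

/* NULL-state accesses made by a selector for an ACTIVE request. */
static int null_accesses_for_active(selector sel)
{
    struct imgu_model m = { { 0, 0, 640, 480 } }; /* constructed sample */
    null_derefs = 0;
    (void)sel(&m, NULL, 0, WHICH_ACTIVE);
    return null_derefs;
}

int main(void)
{
    printf("fetch-both: %d NULL access(es), choose-first: %d\n",
           null_accesses_for_active(crop_fetch_both), null_accesses_for_active(crop_choose_first));
    return 0;
}
```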
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Linux kernel ipu3-imgu driver dereferences a NULL pointer in imgu_subdev_set_selection() because a NULL state check is missing, which can lead to a crash.
Vulnerability
CVE-2022-50826 is a NULL pointer dereference vulnerability in the Linux kernel's ipu3-imgu driver, specifically in the imgu_subdev_set_selection() function. The issue occurs when the function is called with a NULL subdev state, causing v4l2_subdev_get_try_crop() and v4l2_subdev_get_try_compose() to dereference the NULL pointer. This is a similar flaw to one previously fixed in imgu_subdev_get_selection() with commit 30d03a0de650 [1].
Exploitation
The vulnerability can be triggered by an attacker who can invoke imgu_subdev_set_selection() with a NULL state argument. This requires local access to the system and the ability to interact with the video4linux subsystem, likely through the Intel IPU3 camera driver. No authentication is needed beyond local user access to the device file.
Impact
A successful exploit results in a NULL pointer dereference, leading to a kernel crash (denial of service). This can render the system unavailable until reboot. There is no evidence of privilege escalation or data leakage from the available information.
Mitigation
Patches are available in the Linux kernel stable branches [1][2]. Users should update their kernel to a version containing the fix. There are no known workarounds aside from applying the patch or disabling the affected driver if not needed.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 4
fa6bbb4894b9
611d617bdb6c
5038ee677606
dc608edf7d45
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 4