VYPR
Medium severity 5.5 · NVD Advisory · Published May 6, 2026 · Updated May 11, 2026

CVE-2026-43189


Description

In the Linux kernel, the following vulnerability has been resolved:

media: v4l2-async: Fix error handling on steps after finding a match

Once an async connection is found to be matching with an fwnode, a sub-device may be registered (in case it wasn't already), its bound operation is called, ancillary links are created, the async connection is added to the sub-device's list of connections and removed from the global waiting connection list. Further on, the sub-device's possible own notifier is searched for possible additional matches.

Fix these specific issues:

- If v4l2_async_match_notify() failed before the sub-notifier handling, the async connection was unbound and its entry removed from the sub-device's async connection list. The latter part was also done in v4l2_async_match_notify().

- The async connection's sd field was only set after creating ancillary links in v4l2_async_match_notify(). It was however dereferenced in v4l2_async_unbind_subdev_one(), which was called on error path of v4l2_async_match_notify() failure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the Linux kernel's V4L2 async framework, improper error handling after a matching fwnode can cause use-after-free and double-free issues.

Vulnerability Overview

CVE-2026-43189 is a bug in the Linux kernel's V4L2 (Video for Linux 2) asynchronous sub-device framework. The vulnerability arises from incorrect error handling in the v4l2_async_match_notify() function after a successful fwnode match is found. Specifically, if an error occurs after the match but before the sub-notifier handling completes, the async connection is improperly unbound and removed from the sub-device's list, while the same cleanup is also performed inside v4l2_async_match_notify(), leading to a double-free condition. Additionally, the async connection's sd field is dereferenced in the error path before it has been set, potentially causing a use-after-free [1][2].

Exploitation and Attack Surface

This vulnerability is triggered during the asynchronous probing of V4L2 sub-devices, a process that occurs at boot or when hot-plugging camera sensors, video decoders, or other media devices. An attacker would need to be able to influence the device tree or ACPI tables to cause a failure after a match is found, for example by providing a malformed fwnode or by causing memory pressure. No authentication is required, but the attacker must have the ability to trigger the specific error condition in the kernel's media subsystem. The bug is local to the kernel and does not require physical access, but it is not remotely exploitable over a network [1][2].

Impact

If successfully triggered, the improper cleanup of the async connection list and the use of an uninitialized pointer can lead to a kernel crash (denial of service) or potentially to memory corruption that could be leveraged for privilege escalation. The CVSS v3 score of 5.5 (Medium) reflects the requirement for local access and the need to trigger a specific error condition, but the consequences include system instability and possible arbitrary code execution in kernel context [1][2].

Mitigation

The fix is included in the Linux kernel stable releases. Patches have been applied to the affected code paths, ensuring that error handling properly cleans up only once and that the sd field is set before any error path that dereferences it. Users should update to a kernel version containing the commits referenced in the advisory [1][2][3][4]. No workaround is available; updating the kernel is the recommended mitigation.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
    Range: >=6.6,<6.6.128
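
A quick triage check against the range listed above, as an added example that is not part of the advisory or of any kernel tooling. The function name `classify_release` and the result labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify a kernel release string against the range this
# advisory lists for CVE-2026-43189 (>=6.6,<6.6.128).
# classify_release and its labels are hypothetical names for this example.

# Prints one of:
#   affected    release falls inside the listed 6.6 range
#   not-listed  release is outside the only range this page lists
#   unparsed    no leading MAJOR.MINOR[.PATCH] could be extracted
classify_release() {
    rel=$1
    # Keep only the leading dotted numeric part: "6.6.87-generic" -> "6.6.87"
    base=$(printf '%s\n' "$rel" |
        sed -n 's/^\([0-9][0-9]*\(\.[0-9][0-9]*\)\{1,2\}\).*/\1/p')
    [ -n "$base" ] || { echo unparsed; return; }

    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;          # "6.6" is treated as 6.6.0
    esac

    # The page lists only the 6.6 stable series, below 6.6.128.
    if [ "$major" -eq 6 ] && [ "$minor" -eq 6 ] && [ "$patch" -lt 128 ]; then
        echo affected
    else
        echo not-listed
    fi
}

# With no argument, classify the running kernel; otherwise classify "$1".
classify_release "${1:-$(uname -r)}"
```

Distribution kernels often carry backported fixes without changing the upstream version number, so an `affected` result is a prompt to check the vendor changelog, not proof that the fix is missing.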


References

5
