CVE-2026-43229
Description
In the Linux kernel, the following vulnerability has been resolved:
media: chips-media: wave5: Fix device cleanup order to prevent kernel panic
Move video device unregistration to the beginning of the remove function to ensure all video operations are stopped before cleaning up the worker thread and disabling PM runtime. This prevents hardware register access after the device has been powered down.
In polling mode, the hrtimer periodically triggers wave5_vpu_timer_callback() which queues work to the kthread worker. The worker executes wave5_vpu_irq_work_fn() which reads hardware registers via wave5_vdi_read_register().
The original cleanup order disabled PM runtime and powered down hardware before unregistering video devices. When autosuspend triggers and powers off the hardware, the video devices are still registered and the worker thread can still be triggered by the hrtimer, causing it to attempt reading registers from powered-off hardware. This results in a bus error (synchronous external abort) and kernel panic.
This causes random kernel panics during encoding operations:
Internal error: synchronous external abort: 0000000096000010 [#1] PREEMPT SMP Modules linked in: wave5 rpmsg_ctrl rpmsg_char ... CPU: 0 UID: 0 PID: 1520 Comm: vpu_irq_thread Tainted: G M W pc : wave5_vdi_read_register+0x10/0x38 [wave5] lr : wave5_vpu_irq_work_fn+0x28/0x60 [wave5] Call trace: wave5_vdi_read_register+0x10/0x38 [wave5] kthread_worker_fn+0xd8/0x238 kthread+0x104/0x120 ret_from_fork+0x10/0x20 Code: aa1e03e9 d503201f f9416800 8b214000 (b9400000) ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: synchronous external abort: Fatal exception
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in the Linux kernel's wave5 media driver allows a use-after-free-like panic when hardware is powered down before video devices are unregistered.
Vulnerability
In the Linux kernel's chips-media wave5 driver, the device removal path was ordered incorrectly, leading to a race condition that could cause a kernel panic. The remove function disabled power management and powered down the hardware before unregistering video devices. This left a window where the hrtimer-triggered worker thread could still fire and attempt to read hardware registers after the device was already powered down [1].
Exploitation
An attacker with local access and the ability to trigger video encoding operations could exploit this race condition. The period hrtimer in polling mode, via wave5_vpu_timer_callback(), queues work to the kthread worker, which then calls wave5_vpu_irq_work_fn(). This function reads hardware registers using wave5_vdi_read_register(). If the hardware is powered down (e.g., through autosuspend) before the video devices are unregistered, the register read accesses power-managed hardware, causing a synchronous external abort [1].
The race is observed specifically during encoding operations, as indicated by the kernel crash trace showing the vpu_irq_thread worker stuck in wave5_vdi_read_register [1].
Impact
Successful exploitation results in a kernel panic (synchronous external abort), causing a denial of service on the affected system. The crash trace shows a "Kernel panic - not syncing" exact message. No privilege escalation or data leak is documented from this vulnerability [1].
Mitigation
The fix moves video device unregistration to the start of the remove function, ensuring all video operations stop before the hardware is powered down. This eliminates the race window. The patch is applied via stable kernel commits [1][2][3][4]. Users should update their kernel to a version incorporating this fix. No workaround is mentioned.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4News mentions
0No linked articles in our index yet.