Unrated severityNVD Advisory· Published May 27, 2026· Updated May 27, 2026
CVE-2026-45928
CVE-2026-45928
Description
In the Linux kernel, the following vulnerability has been resolved:
media: chips-media: wave5: Fix memory leak on codec_info allocation failure
In wave5_vpu_open_enc() and wave5_vpu_open_dec(), a vpu instance is allocated via kzalloc(). If the subsequent allocation for inst->codec_info fails, the functions return -ENOMEM without freeing the previously allocated instance, causing a memory leak.
Fix this by calling kfree() on the instance in this error path to ensure it is properly released.
Affected products
1Patches
81de71556cbd6media: chips-media: wave5: Fix memory leak on codec_info allocation failure
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitZilin GuanNov 11, 2025Fixed in 6.18.14via kernel-cna
2 files changed · +6 −3
drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c+3 −1 modifieddiff --git a/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c b/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c index e3038c18ca3621..a4387ed58cac36 100644 --- a/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c +++ b/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c @@ -1753,8 +1753,10 @@ static int wave5_vpu_open_dec(struct file *filp) spin_lock_init(&inst->state_spinlock); inst->codec_info = kzalloc(sizeof(*inst->codec_info), GFP_KERNEL); - if (!inst->codec_info) + if (!inst->codec_info) { + kfree(inst); return -ENOMEM; + } v4l2_fh_init(&inst->v4l2_fh, vdev); v4l2_fh_add(&inst->v4l2_fh, filp);
drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c+3 −2 modifieddiff --git a/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c b/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c index 9bfaa9fb3ceb3e..94fb5d7c87021a 100644 --- a/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c +++ b/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c @@ -1578,8 +1578,10 @@ static int wave5_vpu_open_enc(struct file *filp) inst->ops = &wave5_vpu_enc_inst_ops; inst->codec_info = kzalloc(sizeof(*inst->codec_info), GFP_KERNEL); - if (!inst->codec_info) + if (!inst->codec_info) { + kfree(inst); return -ENOMEM; + } v4l2_fh_init(&inst->v4l2_fh, vdev); v4l2_fh_add(&inst->v4l2_fh, filp); -- cgit 1.3-korg
52defdd4034dmedia: chips-media: wave5: Fix memory leak on codec_info allocation failure
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitZilin GuanNov 11, 2025Fixed in 6.12.75via kernel-cna
2 files changed · +6 −3
drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c+3 −1 modifieddiff --git a/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c b/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c index e238447c88bbf3..8f7154932d24c1 100644 --- a/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c +++ b/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c @@ -1835,8 +1835,10 @@ static int wave5_vpu_open_dec(struct file *filp) spin_lock_init(&inst->state_spinlock); inst->codec_info = kzalloc(sizeof(*inst->codec_info), GFP_KERNEL); - if (!inst->codec_info) + if (!inst->codec_info) { + kfree(inst); return -ENOMEM; + } v4l2_fh_init(&inst->v4l2_fh, vdev); filp->private_data = &inst->v4l2_fh;
drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c+3 −2 modifieddiff --git a/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c b/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c index 3e35a05c2d8df5..a1330c54b17e67 100644 --- a/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c +++ b/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c @@ -1546,8 +1546,10 @@ static int wave5_vpu_open_enc(struct file *filp) inst->ops = &wave5_vpu_enc_inst_ops; inst->codec_info = kzalloc(sizeof(*inst->codec_info), GFP_KERNEL); - if (!inst->codec_info) + if (!inst->codec_info) { + kfree(inst); return -ENOMEM; + } v4l2_fh_init(&inst->v4l2_fh, vdev); filp->private_data = &inst->v4l2_fh; -- cgit 1.3-korg
32e9e45cf7e3media: chips-media: wave5: Fix memory leak on codec_info allocation failure
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitZilin GuanNov 11, 2025Fixed in 6.19.4via kernel-cna
2 files changed · +6 −3
drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c+3 −1 modifieddiff --git a/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c b/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c index e3038c18ca3621..a4387ed58cac36 100644 --- a/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c +++ b/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c @@ -1753,8 +1753,10 @@ static int wave5_vpu_open_dec(struct file *filp) spin_lock_init(&inst->state_spinlock); inst->codec_info = kzalloc(sizeof(*inst->codec_info), GFP_KERNEL); - if (!inst->codec_info) + if (!inst->codec_info) { + kfree(inst); return -ENOMEM; + } v4l2_fh_init(&inst->v4l2_fh, vdev); v4l2_fh_add(&inst->v4l2_fh, filp);
drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c+3 −2 modifieddiff --git a/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c b/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c index 9bfaa9fb3ceb3e..94fb5d7c87021a 100644 --- a/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c +++ b/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c @@ -1578,8 +1578,10 @@ static int wave5_vpu_open_enc(struct file *filp) inst->ops = &wave5_vpu_enc_inst_ops; inst->codec_info = kzalloc(sizeof(*inst->codec_info), GFP_KERNEL); - if (!inst->codec_info) + if (!inst->codec_info) { + kfree(inst); return -ENOMEM; + } v4l2_fh_init(&inst->v4l2_fh, vdev); v4l2_fh_add(&inst->v4l2_fh, filp); -- cgit 1.3-korg
a519e21e3239media: chips-media: wave5: Fix memory leak on codec_info allocation failure
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitZilin GuanNov 11, 2025Fixed in 7.0via kernel-cna
2 files changed · +6 −3
drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c+3 −1 modifieddiff --git a/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c b/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c index e75770912e21b8..8917542b993c62 100644 --- a/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c +++ b/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c @@ -1835,8 +1835,10 @@ static int wave5_vpu_open_dec(struct file *filp) INIT_LIST_HEAD(&inst->avail_src_bufs); inst->codec_info = kzalloc(sizeof(*inst->codec_info), GFP_KERNEL); - if (!inst->codec_info) + if (!inst->codec_info) { + kfree(inst); return -ENOMEM; + } v4l2_fh_init(&inst->v4l2_fh, vdev); v4l2_fh_add(&inst->v4l2_fh, filp);
drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c+3 −2 modifieddiff --git a/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c b/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c index e69bef5d1b520c..24fc0d0d3f4aa7 100644 --- a/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c +++ b/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c @@ -1581,8 +1581,10 @@ static int wave5_vpu_open_enc(struct file *filp) inst->ops = &wave5_vpu_enc_inst_ops; inst->codec_info = kzalloc(sizeof(*inst->codec_info), GFP_KERNEL); - if (!inst->codec_info) + if (!inst->codec_info) { + kfree(inst); return -ENOMEM; + } v4l2_fh_init(&inst->v4l2_fh, vdev); v4l2_fh_add(&inst->v4l2_fh, filp); -- cgit 1.3-korg
32e9e45cf7e3media: chips-media: wave5: Fix memory leak on codec_info allocation failure
2 files changed · +6 −3
drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c+3 −1 modifieddiff --git a/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c b/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c index e3038c18ca3621..a4387ed58cac36 100644 --- a/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c +++ b/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c @@ -1753,8 +1753,10 @@ static int wave5_vpu_open_dec(struct file *filp) spin_lock_init(&inst->state_spinlock); inst->codec_info = kzalloc(sizeof(*inst->codec_info), GFP_KERNEL); - if (!inst->codec_info) + if (!inst->codec_info) { + kfree(inst); return -ENOMEM; + } v4l2_fh_init(&inst->v4l2_fh, vdev); v4l2_fh_add(&inst->v4l2_fh, filp);
drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c+3 −2 modifieddiff --git a/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c b/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c index 9bfaa9fb3ceb3e..94fb5d7c87021a 100644 --- a/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c +++ b/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c @@ -1578,8 +1578,10 @@ static int wave5_vpu_open_enc(struct file *filp) inst->ops = &wave5_vpu_enc_inst_ops; inst->codec_info = kzalloc(sizeof(*inst->codec_info), GFP_KERNEL); - if (!inst->codec_info) + if (!inst->codec_info) { + kfree(inst); return -ENOMEM; + } v4l2_fh_init(&inst->v4l2_fh, vdev); v4l2_fh_add(&inst->v4l2_fh, filp); -- cgit 1.3-korg
52defdd4034dmedia: chips-media: wave5: Fix memory leak on codec_info allocation failure
2 files changed · +6 −3
drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c+3 −1 modifieddiff --git a/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c b/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c index e238447c88bbf3..8f7154932d24c1 100644 --- a/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c +++ b/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c @@ -1835,8 +1835,10 @@ static int wave5_vpu_open_dec(struct file *filp) spin_lock_init(&inst->state_spinlock); inst->codec_info = kzalloc(sizeof(*inst->codec_info), GFP_KERNEL); - if (!inst->codec_info) + if (!inst->codec_info) { + kfree(inst); return -ENOMEM; + } v4l2_fh_init(&inst->v4l2_fh, vdev); filp->private_data = &inst->v4l2_fh;
drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c+3 −2 modifieddiff --git a/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c b/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c index 3e35a05c2d8df5..a1330c54b17e67 100644 --- a/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c +++ b/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c @@ -1546,8 +1546,10 @@ static int wave5_vpu_open_enc(struct file *filp) inst->ops = &wave5_vpu_enc_inst_ops; inst->codec_info = kzalloc(sizeof(*inst->codec_info), GFP_KERNEL); - if (!inst->codec_info) + if (!inst->codec_info) { + kfree(inst); return -ENOMEM; + } v4l2_fh_init(&inst->v4l2_fh, vdev); filp->private_data = &inst->v4l2_fh; -- cgit 1.3-korg
1de71556cbd6media: chips-media: wave5: Fix memory leak on codec_info allocation failure
2 files changed · +6 −3
drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c+3 −1 modifieddiff --git a/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c b/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c index e3038c18ca3621..a4387ed58cac36 100644 --- a/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c +++ b/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c @@ -1753,8 +1753,10 @@ static int wave5_vpu_open_dec(struct file *filp) spin_lock_init(&inst->state_spinlock); inst->codec_info = kzalloc(sizeof(*inst->codec_info), GFP_KERNEL); - if (!inst->codec_info) + if (!inst->codec_info) { + kfree(inst); return -ENOMEM; + } v4l2_fh_init(&inst->v4l2_fh, vdev); v4l2_fh_add(&inst->v4l2_fh, filp);
drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c+3 −2 modifieddiff --git a/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c b/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c index 9bfaa9fb3ceb3e..94fb5d7c87021a 100644 --- a/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c +++ b/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c @@ -1578,8 +1578,10 @@ static int wave5_vpu_open_enc(struct file *filp) inst->ops = &wave5_vpu_enc_inst_ops; inst->codec_info = kzalloc(sizeof(*inst->codec_info), GFP_KERNEL); - if (!inst->codec_info) + if (!inst->codec_info) { + kfree(inst); return -ENOMEM; + } v4l2_fh_init(&inst->v4l2_fh, vdev); v4l2_fh_add(&inst->v4l2_fh, filp); -- cgit 1.3-korg
a519e21e3239media: chips-media: wave5: Fix memory leak on codec_info allocation failure
2 files changed · +6 −3
drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c+3 −1 modifieddiff --git a/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c b/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c index e75770912e21b8..8917542b993c62 100644 --- a/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c +++ b/drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c @@ -1835,8 +1835,10 @@ static int wave5_vpu_open_dec(struct file *filp) INIT_LIST_HEAD(&inst->avail_src_bufs); inst->codec_info = kzalloc(sizeof(*inst->codec_info), GFP_KERNEL); - if (!inst->codec_info) + if (!inst->codec_info) { + kfree(inst); return -ENOMEM; + } v4l2_fh_init(&inst->v4l2_fh, vdev); v4l2_fh_add(&inst->v4l2_fh, filp);
drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c+3 −2 modifieddiff --git a/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c b/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c index e69bef5d1b520c..24fc0d0d3f4aa7 100644 --- a/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c +++ b/drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c @@ -1581,8 +1581,10 @@ static int wave5_vpu_open_enc(struct file *filp) inst->ops = &wave5_vpu_enc_inst_ops; inst->codec_info = kzalloc(sizeof(*inst->codec_info), GFP_KERNEL); - if (!inst->codec_info) + if (!inst->codec_info) { + kfree(inst); return -ENOMEM; + } v4l2_fh_init(&inst->v4l2_fh, vdev); v4l2_fh_add(&inst->v4l2_fh, filp); -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"Missing kfree of previously allocated vpu_instance when the subsequent codec_info allocation fails, causing a memory leak."
Attack vector
An attacker triggers the bug by opening a V4L2 encoder or decoder device node on a system using the Wave5 VPU driver, causing the kernel to call `wave5_vpu_open_enc()` or `wave5_vpu_open_dec()`. If the kernel's memory allocation for `inst->codec_info` fails (e.g., under low-memory conditions), the function returns `-ENOMEM` without freeing the previously allocated `vpu_instance`, leaking that memory [patch_id=2661257]. No special privileges beyond access to the video device node are required.
Affected code
The vulnerability resides in `wave5_vpu_open_enc()` in `drivers/media/platform/chips-media/wave5/wave5-vpu-enc.c` and `wave5_vpu_open_dec()` in `drivers/media/platform/chips-media/wave5/wave5-vpu-dec.c` [patch_id=2661257]. In both functions, a `vpu_instance` is allocated via `kzalloc()`, and then a separate `kzalloc()` is attempted for `inst->codec_info`.
What the fix does
The patch adds a `kfree(inst)` call inside the `if (!inst->codec_info)` error branch in both `wave5_vpu_open_enc()` and `wave5_vpu_open_dec()` [patch_id=2661257]. Before the fix, the functions returned `-ENOMEM` immediately, leaking the `vpu_instance` that was already allocated. By freeing `inst` before returning, the patch ensures all memory is released on the allocation failure path.
Preconditions
- configThe system must have the Wave5 VPU media driver loaded and a V4L2 encoder or decoder device node accessible.
- authThe attacker must be able to open the video device node (typically requires access to /dev/video*).
- inputThe kernel must be under sufficient memory pressure that the kzalloc for codec_info fails.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4News mentions
0No linked articles in our index yet.