CVE-2026-46205
Description
In the Linux kernel, the following vulnerability has been resolved:
staging: media: atomisp: Disallow all private IOCTLs
Disallow all private IOCTLs. These aren't quite as safe as one could assume of IOCTL handlers; disable them for now. Instead of removing the code, return in the beginning of the function if cmd is non-zero in order to keep static checkers happy.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Linux kernel's atomisp driver allowed unsafe private IOCTLs; they are now disabled to prevent potential exploitation.
Vulnerability
In the Linux kernel's staging media atomisp driver, all private IOCTLs were allowed without sufficient safety checks. The commit [1] disables these IOCTLs by returning early if the command is non-zero, indicating that the handlers were not as safe as assumed. The affected versions include those prior to the stable kernel commit [1].
Exploitation
An attacker with local access and the ability to interact with the atomisp device could potentially send crafted private IOCTL commands. The exact exploitation steps are not detailed in the available references, but the fix suggests that these IOCTLs could be abused.
Impact
Successful exploitation could lead to unauthorized operations on the device, potentially resulting in information disclosure or system compromise. The exact impact is not fully disclosed, but the severity warranted disabling the IOCTLs entirely.
Mitigation
The fix is included in the Linux kernel stable commit [1]. Users should update to a kernel version containing this commit. No workaround is available other than applying the patch.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
106f1ce75a75c6staging: media: atomisp: Disallow all private IOCTLs
1 file changed · +4 −1
drivers/staging/media/atomisp/pci/atomisp_ioctl.c+4 −1 modifieddiff --git a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c index d7e8a9871522d9..0de2ae7f9020f3 100644 --- a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c +++ b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c @@ -1371,6 +1371,10 @@ static int atomisp_s_parm(struct file *file, void *fh, static long atomisp_vidioc_default(struct file *file, void *fh, bool valid_prio, unsigned int cmd, void *arg) { + /* Disable all private IOCTLs for now! */ + if (cmd) + return -EINVAL; + struct video_device *vdev = video_devdata(file); struct atomisp_sub_device *asd = atomisp_to_video_pipe(vdev)->asd; int err; -- cgit 1.3-korg
c7848b67ef10staging: media: atomisp: Disallow all private IOCTLs
1 file changed · +4 −1
drivers/staging/media/atomisp/pci/atomisp_ioctl.c+4 −1 modifieddiff --git a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c index bb8b2f2213b08f..2907ef2a37ed0e 100644 --- a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c +++ b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c @@ -1357,6 +1357,10 @@ static int atomisp_s_parm(struct file *file, void *fh, static long atomisp_vidioc_default(struct file *file, void *fh, bool valid_prio, unsigned int cmd, void *arg) { + /* Disable all private IOCTLs for now! */ + if (cmd) + return -EINVAL; + struct video_device *vdev = video_devdata(file); struct atomisp_sub_device *asd = atomisp_to_video_pipe(vdev)->asd; int err; -- cgit 1.3-korg
8c7a281a9922staging: media: atomisp: Disallow all private IOCTLs
1 file changed · +4 −1
drivers/staging/media/atomisp/pci/atomisp_ioctl.c+4 −1 modifieddiff --git a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c index d2174156573a53..de37bb15c85670 100644 --- a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c +++ b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c @@ -1780,6 +1780,10 @@ static long atomisp_vidioc_default(struct file *file, void *fh, struct atomisp_sub_device *asd = atomisp_to_video_pipe(vdev)->asd; int err; + /* Disable all private IOCTLs for now! */ + if (cmd) + return -EINVAL; + switch (cmd) { case ATOMISP_IOC_S_SENSOR_RUNMODE: if (IS_ISP2401) -- cgit 1.3-korg
6850a439f8d2staging: media: atomisp: Disallow all private IOCTLs
1 file changed · +4 −1
drivers/staging/media/atomisp/pci/atomisp_ioctl.c+4 −1 modifieddiff --git a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c index a7f22de1c8899f..50366bf10f327f 100644 --- a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c +++ b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c @@ -1356,6 +1356,10 @@ static int atomisp_s_parm(struct file *file, void *fh, static long atomisp_vidioc_default(struct file *file, void *fh, bool valid_prio, unsigned int cmd, void *arg) { + /* Disable all private IOCTLs for now! */ + if (cmd) + return -EINVAL; + struct video_device *vdev = video_devdata(file); struct atomisp_sub_device *asd = atomisp_to_video_pipe(vdev)->asd; int err; -- cgit 1.3-korg
2b7eb2c5dc72staging: media: atomisp: Disallow all private IOCTLs
1 file changed · +4 −1
drivers/staging/media/atomisp/pci/atomisp_ioctl.c+4 −1 modifieddiff --git a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c index a7f22de1c8899f..50366bf10f327f 100644 --- a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c +++ b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c @@ -1356,6 +1356,10 @@ static int atomisp_s_parm(struct file *file, void *fh, static long atomisp_vidioc_default(struct file *file, void *fh, bool valid_prio, unsigned int cmd, void *arg) { + /* Disable all private IOCTLs for now! */ + if (cmd) + return -EINVAL; + struct video_device *vdev = video_devdata(file); struct atomisp_sub_device *asd = atomisp_to_video_pipe(vdev)->asd; int err; -- cgit 1.3-korg
8c7a281a9922staging: media: atomisp: Disallow all private IOCTLs
1 file changed · +4 −1
drivers/staging/media/atomisp/pci/atomisp_ioctl.c+4 −1 modifieddiff --git a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c index d2174156573a53..de37bb15c85670 100644 --- a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c +++ b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c @@ -1780,6 +1780,10 @@ static long atomisp_vidioc_default(struct file *file, void *fh, struct atomisp_sub_device *asd = atomisp_to_video_pipe(vdev)->asd; int err; + /* Disable all private IOCTLs for now! */ + if (cmd) + return -EINVAL; + switch (cmd) { case ATOMISP_IOC_S_SENSOR_RUNMODE: if (IS_ISP2401) -- cgit 1.3-korg
6850a439f8d2staging: media: atomisp: Disallow all private IOCTLs
1 file changed · +4 −1
drivers/staging/media/atomisp/pci/atomisp_ioctl.c+4 −1 modifieddiff --git a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c index a7f22de1c8899f..50366bf10f327f 100644 --- a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c +++ b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c @@ -1356,6 +1356,10 @@ static int atomisp_s_parm(struct file *file, void *fh, static long atomisp_vidioc_default(struct file *file, void *fh, bool valid_prio, unsigned int cmd, void *arg) { + /* Disable all private IOCTLs for now! */ + if (cmd) + return -EINVAL; + struct video_device *vdev = video_devdata(file); struct atomisp_sub_device *asd = atomisp_to_video_pipe(vdev)->asd; int err; -- cgit 1.3-korg
6f1ce75a75c6staging: media: atomisp: Disallow all private IOCTLs
1 file changed · +4 −1
drivers/staging/media/atomisp/pci/atomisp_ioctl.c+4 −1 modifieddiff --git a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c index d7e8a9871522d9..0de2ae7f9020f3 100644 --- a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c +++ b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c @@ -1371,6 +1371,10 @@ static int atomisp_s_parm(struct file *file, void *fh, static long atomisp_vidioc_default(struct file *file, void *fh, bool valid_prio, unsigned int cmd, void *arg) { + /* Disable all private IOCTLs for now! */ + if (cmd) + return -EINVAL; + struct video_device *vdev = video_devdata(file); struct atomisp_sub_device *asd = atomisp_to_video_pipe(vdev)->asd; int err; -- cgit 1.3-korg
2b7eb2c5dc72staging: media: atomisp: Disallow all private IOCTLs
1 file changed · +4 −1
drivers/staging/media/atomisp/pci/atomisp_ioctl.c+4 −1 modifieddiff --git a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c index a7f22de1c8899f..50366bf10f327f 100644 --- a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c +++ b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c @@ -1356,6 +1356,10 @@ static int atomisp_s_parm(struct file *file, void *fh, static long atomisp_vidioc_default(struct file *file, void *fh, bool valid_prio, unsigned int cmd, void *arg) { + /* Disable all private IOCTLs for now! */ + if (cmd) + return -EINVAL; + struct video_device *vdev = video_devdata(file); struct atomisp_sub_device *asd = atomisp_to_video_pipe(vdev)->asd; int err; -- cgit 1.3-korg
c7848b67ef10staging: media: atomisp: Disallow all private IOCTLs
1 file changed · +4 −1
drivers/staging/media/atomisp/pci/atomisp_ioctl.c+4 −1 modifieddiff --git a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c index bb8b2f2213b08f..2907ef2a37ed0e 100644 --- a/drivers/staging/media/atomisp/pci/atomisp_ioctl.c +++ b/drivers/staging/media/atomisp/pci/atomisp_ioctl.c @@ -1357,6 +1357,10 @@ static int atomisp_s_parm(struct file *file, void *fh, static long atomisp_vidioc_default(struct file *file, void *fh, bool valid_prio, unsigned int cmd, void *arg) { + /* Disable all private IOCTLs for now! */ + if (cmd) + return -EINVAL; + struct video_device *vdev = video_devdata(file); struct atomisp_sub_device *asd = atomisp_to_video_pipe(vdev)->asd; int err; -- cgit 1.3-korg
Vulnerability mechanics
Root cause
"The atomisp driver's private IOCTL handlers in atomisp_vidioc_default() were not safe and could be exploited, so the patch disables all private IOCTLs by returning -EINVAL early."
Attack vector
An attacker with access to the atomisp video device node can send arbitrary private IOCTL commands (non-zero cmd values) to the kernel via the atomisp_vidioc_default() handler [patch_id=2897770]. The commit message states these handlers "aren't quite as safe as one could assume" [patch_id=2897770], meaning they could be abused to trigger undefined or dangerous behavior in the driver. No specific exploit technique or payload is described in the supplied patches.
Affected code
The vulnerable code is in drivers/staging/media/atomisp/pci/atomisp_ioctl.c, specifically the atomisp_vidioc_default() function which handles private IOCTLs for the atomisp driver [patch_id=2897770].
What the fix does
The patch adds an early return of -EINVAL at the top of atomisp_vidioc_default() if cmd is non-zero [patch_id=2897770]. This prevents any private IOCTL from reaching the switch/case handler logic below. The code is not removed entirely — the comment says "Instead of removing the code, return in the beginning of the function if cmd is non-zero in order to keep static checkers happy" [patch_id=2897770]. This is a broad denial-of-service prevention that disables all private IOCTLs until each can be individually audited for safety.
Preconditions
- accessAttacker must have access to the atomisp video device node (e.g., /dev/video*).
- configThe atomisp driver must be loaded and the device must be present.
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- git.kernel.org/stable/c/2b7eb2c5dc72f0fc954ac4aa155f9e285e937f7cnvd
- git.kernel.org/stable/c/6850a439f8d23d4979624f1d6880d3118d473a28nvd
- git.kernel.org/stable/c/6f1ce75a75c65061e7a720c3d0ee5f8adab7a2d3nvd
- git.kernel.org/stable/c/8c7a281a99224a5b9af99c4dcd98d68eea75926cnvd
- git.kernel.org/stable/c/c7848b67ef10f581114b6a2f52b160fc20eb52c9nvd
News mentions
0No linked articles in our index yet.