VYPR
← All advisories
Unrated severityNVD Advisory· Published Jun 8, 2026

CVE-2026-46310

CVE-2026-46310

Description

Linux kernel's Renesas VSP1 driver has a NULL pointer dereference vulnerability during module unload, potentially causing instability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Linux kernel's Renesas VSP1 driver has a NULL pointer dereference vulnerability during module unload, potentially causing instability.

Vulnerability

A NULL pointer dereference vulnerability exists in the Linux kernel's Renesas VSP1 driver, specifically within the module unload process for Gen 4 hardware. The issue arises because the cleanup code incorrectly calls vsp1_drm_cleanup() instead of the appropriate vsp1_vspx_cleanup() function, leading to a crash when the module is unloaded.

Exploitation

An attacker with the ability to unload the VSP1 kernel module could trigger this vulnerability. This typically requires elevated privileges on the system, such as root access, or a local user who can load and unload kernel modules. The exploit involves a sequence of operations that leads to the module's removal from the kernel.

Impact

Successful exploitation of this NULL pointer dereference will cause the kernel module to crash, leading to a system instability or a kernel panic. This can result in denial of service for any hardware or services relying on the VSP1 driver.

Mitigation

This vulnerability has been resolved in the Linux kernel. The fix involves checking the IP version and calling the correct cleanup function (vsp1_drm_cleanup() or vsp1_vspx_cleanup()) accordingly, mirroring the logic used during module initialization. Users should update to a patched kernel version. The specific patched commit is available at [1].

References
  1. Making sure you're not a bot!

AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

6
bfb2081ba00a

media: renesas: vsp1: Fix NULL pointer deref on module unload

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitTomi ValkeinenJan 15, 2026Fixed in 6.18.32via kernel-cna
commit
1 file changed · +6 3
  • drivers/media/platform/renesas/vsp1/vsp1_drv.c+6 3 modified
    diff --git a/drivers/media/platform/renesas/vsp1/vsp1_drv.c b/drivers/media/platform/renesas/vsp1/vsp1_drv.c
index 6c64657fc4f33..30df9b36642dc 100644
--- a/drivers/media/platform/renesas/vsp1/vsp1_drv.c
+++ b/drivers/media/platform/renesas/vsp1/vsp1_drv.c
@@ -240,8 +240,12 @@ static void vsp1_destroy_entities(struct vsp1_device *vsp1)
 		media_device_unregister(&vsp1->media_dev);
 	media_device_cleanup(&vsp1->media_dev);
 
-	if (!vsp1->info->uapi)
-		vsp1_drm_cleanup(vsp1);
+	if (!vsp1->info->uapi) {
+		if (vsp1->info->version == VI6_IP_VERSION_MODEL_VSPX_GEN4)
+			vsp1_vspx_cleanup(vsp1);
+		else
+			vsp1_drm_cleanup(vsp1);
+	}
 }
 
 static int vsp1_create_entities(struct vsp1_device *vsp1)
-- 
cgit 1.3-korg
58b1e9664d8f

media: renesas: vsp1: Fix NULL pointer deref on module unload

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitTomi ValkeinenJan 15, 2026Fixed in 7.1-rc1via kernel-cna
commit
1 file changed · +6 3
  • drivers/media/platform/renesas/vsp1/vsp1_drv.c+6 3 modified
    diff --git a/drivers/media/platform/renesas/vsp1/vsp1_drv.c b/drivers/media/platform/renesas/vsp1/vsp1_drv.c
index 2de515c497eb8..627b5046fa800 100644
--- a/drivers/media/platform/renesas/vsp1/vsp1_drv.c
+++ b/drivers/media/platform/renesas/vsp1/vsp1_drv.c
@@ -240,8 +240,12 @@ static void vsp1_destroy_entities(struct vsp1_device *vsp1)
 		media_device_unregister(&vsp1->media_dev);
 	media_device_cleanup(&vsp1->media_dev);
 
-	if (!vsp1->info->uapi)
-		vsp1_drm_cleanup(vsp1);
+	if (!vsp1->info->uapi) {
+		if (vsp1->info->version == VI6_IP_VERSION_MODEL_VSPX_GEN4)
+			vsp1_vspx_cleanup(vsp1);
+		else
+			vsp1_drm_cleanup(vsp1);
+	}
 }
 
 static int vsp1_create_entities(struct vsp1_device *vsp1)
-- 
cgit 1.3-korg
c4bb1515b266

media: renesas: vsp1: Fix NULL pointer deref on module unload

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.gitTomi ValkeinenJan 15, 2026Fixed in 7.0.9via kernel-cna
commit
1 file changed · +6 3
  • drivers/media/platform/renesas/vsp1/vsp1_drv.c+6 3 modified
    diff --git a/drivers/media/platform/renesas/vsp1/vsp1_drv.c b/drivers/media/platform/renesas/vsp1/vsp1_drv.c
index 2de515c497eb8..627b5046fa800 100644
--- a/drivers/media/platform/renesas/vsp1/vsp1_drv.c
+++ b/drivers/media/platform/renesas/vsp1/vsp1_drv.c
@@ -240,8 +240,12 @@ static void vsp1_destroy_entities(struct vsp1_device *vsp1)
 		media_device_unregister(&vsp1->media_dev);
 	media_device_cleanup(&vsp1->media_dev);
 
-	if (!vsp1->info->uapi)
-		vsp1_drm_cleanup(vsp1);
+	if (!vsp1->info->uapi) {
+		if (vsp1->info->version == VI6_IP_VERSION_MODEL_VSPX_GEN4)
+			vsp1_vspx_cleanup(vsp1);
+		else
+			vsp1_drm_cleanup(vsp1);
+	}
 }
 
 static int vsp1_create_entities(struct vsp1_device *vsp1)
-- 
cgit 1.3-korg
58b1e9664d8f

media: renesas: vsp1: Fix NULL pointer deref on module unload

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitTomi ValkeinenJan 15, 2026via nvd-ref
commit
1 file changed · +6 3
  • drivers/media/platform/renesas/vsp1/vsp1_drv.c+6 3 modified
    diff --git a/drivers/media/platform/renesas/vsp1/vsp1_drv.c b/drivers/media/platform/renesas/vsp1/vsp1_drv.c
index 2de515c497eb8..627b5046fa800 100644
--- a/drivers/media/platform/renesas/vsp1/vsp1_drv.c
+++ b/drivers/media/platform/renesas/vsp1/vsp1_drv.c
@@ -240,8 +240,12 @@ static void vsp1_destroy_entities(struct vsp1_device *vsp1)
 		media_device_unregister(&vsp1->media_dev);
 	media_device_cleanup(&vsp1->media_dev);
 
-	if (!vsp1->info->uapi)
-		vsp1_drm_cleanup(vsp1);
+	if (!vsp1->info->uapi) {
+		if (vsp1->info->version == VI6_IP_VERSION_MODEL_VSPX_GEN4)
+			vsp1_vspx_cleanup(vsp1);
+		else
+			vsp1_drm_cleanup(vsp1);
+	}
 }
 
 static int vsp1_create_entities(struct vsp1_device *vsp1)
-- 
cgit 1.3-korg
bfb2081ba00a

media: renesas: vsp1: Fix NULL pointer deref on module unload

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitTomi ValkeinenJan 15, 2026via nvd-ref
commit
1 file changed · +6 3
  • drivers/media/platform/renesas/vsp1/vsp1_drv.c+6 3 modified
    diff --git a/drivers/media/platform/renesas/vsp1/vsp1_drv.c b/drivers/media/platform/renesas/vsp1/vsp1_drv.c
index 6c64657fc4f33..30df9b36642dc 100644
--- a/drivers/media/platform/renesas/vsp1/vsp1_drv.c
+++ b/drivers/media/platform/renesas/vsp1/vsp1_drv.c
@@ -240,8 +240,12 @@ static void vsp1_destroy_entities(struct vsp1_device *vsp1)
 		media_device_unregister(&vsp1->media_dev);
 	media_device_cleanup(&vsp1->media_dev);
 
-	if (!vsp1->info->uapi)
-		vsp1_drm_cleanup(vsp1);
+	if (!vsp1->info->uapi) {
+		if (vsp1->info->version == VI6_IP_VERSION_MODEL_VSPX_GEN4)
+			vsp1_vspx_cleanup(vsp1);
+		else
+			vsp1_drm_cleanup(vsp1);
+	}
 }
 
 static int vsp1_create_entities(struct vsp1_device *vsp1)
-- 
cgit 1.3-korg
c4bb1515b266

media: renesas: vsp1: Fix NULL pointer deref on module unload

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.gitTomi ValkeinenJan 15, 2026via nvd-ref
commit
1 file changed · +6 3
  • drivers/media/platform/renesas/vsp1/vsp1_drv.c+6 3 modified
    diff --git a/drivers/media/platform/renesas/vsp1/vsp1_drv.c b/drivers/media/platform/renesas/vsp1/vsp1_drv.c
index 2de515c497eb8..627b5046fa800 100644
--- a/drivers/media/platform/renesas/vsp1/vsp1_drv.c
+++ b/drivers/media/platform/renesas/vsp1/vsp1_drv.c
@@ -240,8 +240,12 @@ static void vsp1_destroy_entities(struct vsp1_device *vsp1)
 		media_device_unregister(&vsp1->media_dev);
 	media_device_cleanup(&vsp1->media_dev);
 
-	if (!vsp1->info->uapi)
-		vsp1_drm_cleanup(vsp1);
+	if (!vsp1->info->uapi) {
+		if (vsp1->info->version == VI6_IP_VERSION_MODEL_VSPX_GEN4)
+			vsp1_vspx_cleanup(vsp1);
+		else
+			vsp1_drm_cleanup(vsp1);
+	}
 }
 
 static int vsp1_create_entities(struct vsp1_device *vsp1)
-- 
cgit 1.3-korg

Vulnerability mechanics

Root cause

"Incorrect cleanup function is called during module unload for a specific hardware version."

Attack vector

When unloading the vsp1 module on a gen 4 hardware version, a NULL pointer dereference occurs. This is triggered by the module's cleanup routine incorrectly calling `vsp1_drm_cleanup()` instead of the appropriate `vsp1_vspx_cleanup()` function. This leads to a crash when the module is removed from the system.

Affected code

The vulnerability exists in the `vsp1_destroy_entities` function within the file `drivers/media/platform/renesas/vsp1/vsp1_drv.c`. The incorrect call to `vsp1_drm_cleanup()` occurs when `vsp1->info->uapi` is false.

What the fix does

The patch modifies the `vsp1_destroy_entities` function to correctly handle module unloading for different hardware versions. It introduces a check for the IP version, specifically `VI6_IP_VERSION_MODEL_VSPX_GEN4`. If this version is detected, `vsp1_vspx_cleanup()` is called; otherwise, `vsp1_drm_cleanup()` is invoked. This ensures the correct cleanup routine is executed, preventing the NULL pointer dereference.

Preconditions

  • configThe system must be running a version of the Linux kernel with the vsp1 driver enabled.
  • configThe hardware must be a gen 4 version (VI6_IP_VERSION_MODEL_VSPX_GEN4).

Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

2