HIGH
media mtk-mdp VPU Deref
CVE-2026-43207
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI4.4MEDIUM
01Description
In the Linux kernel, the following vulnerability has been resolved: media: mtk-mdp: Fix error handling in probe function Add mtk_mdp_unregister_m2m_device() on the error handling path to prevent resource leak. Add check for the return value of vpu_get_plat_device() to prevent null pointer dereference. And vpu_get_plat_device() increases the reference count of the returned platform device. Add platform_device_put() to prevent reference leak.
02KernelScan AI Analysis
Risk summary
Users with root privileges can trigger a NULL pointer dereference in the MediaTek MDP driver during device probe, causing a kernel panic and system crash. This affects systems with MediaTek MT8173 SoCs that have the MDP (Media Data Path) hardware acceleration enabled.
Vulnerability analysis
The vulnerability occurs in the mtk_mdp_probe() function where vpu_get_plat_device() can return NULL, but the code proceeds to use the returned pointer without validation. The original code also has resource leaks in error paths - it fails to call mtk_mdp_unregister_m2m_device() and platform_device_put() when errors occur after successful resource allocation. The fix adds proper NULL checking for the VPU device pointer and implements correct error handling with proper resource cleanup using goto labels to unwind allocations in reverse order. The probe function is only called during driver initialization, which requires root privileges (module loading or device tree manipulation).
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.252 | 9d9c67976eda |
| 5.15 | 5.15.202 | 0bc43eaf0213 |
| 6.1 | 6.1.165 | 9d7962d5c81d |
| 6.12 | 6.12.75 | c8737d33d4e8 |
| 6.18 | 6.18.16 | b3fc99fe5b25 |
| 6.19 | 6.19.6 | 2e8f53a73829 |
| 6.6 | 6.6.128 | 12cafc15d246 |
| mainline | 7.0 | 8a8a3232abac |