HIGH
media/verisilicon TileInfo Overflow
CVE-2026-43222
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI 7.7 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

media: verisilicon: AV1: Fix tile info buffer size

Each tile info is composed of: row_sb, col_sb, start_pos and end_pos (4 bytes each). So the total required memory is AV1_MAX_TILES * 16 bytes. Use the correct #define to allocate the buffer and avoid writing tile info in non-allocated memory.
02 KernelScan AI Analysis
Risk summary
Local users with media device access can trigger a heap buffer overflow in the Rockchip VPU981 AV1 decoder by providing malformed video streams with tile information. This can lead to kernel memory corruption, information disclosure, and system crashes.
Vulnerability analysis
The vulnerability stems from incorrect buffer size calculation in the AV1 tile info allocation. The code allocated memory using AV1_MAX_TILES instead of AV1_TILE_INFO_SIZE, under-allocating the buffer since each tile requires 16 bytes (4 fields × 4 bytes each). When processing AV1 streams with tile data, the driver writes beyond the allocated buffer boundaries, causing heap corruption. The fix corrects both the allocation size and stored size field to use the proper AV1_TILE_INFO_SIZE constant. This is locally exploitable through the V4L2 media interface on systems with Rockchip VPU981 hardware.
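The size mismatch described above, modelled in user-space C as an added example (not the driver's code). The value 256 for AV1_MAX_TILES and all helper names are assumptions for illustration; the struct follows the four 4-byte fields listed in the description.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed value for illustration; the page does not give the driver's number. */
#define AV1_MAX_TILES 256
/* Size stated in the description: 16 bytes per tile. */
#define AV1_TILE_INFO_SIZE (AV1_MAX_TILES * 16)

/* Model of one tile info entry: four 4-byte fields. */
struct tile_info {
    uint32_t row_sb, col_sb, start_pos, end_pos;
};
_Static_assert(sizeof(struct tile_info) == 16, "tile info must be 16 bytes");

/* Hypothetical helper: whole entries that fit in buf_size bytes. */
static size_t tile_info_capacity(size_t buf_size)
{
    return buf_size / sizeof(struct tile_info);
}

/* Hypothetical bounds-checked writer: stores at most the entries that fit
 * in buf_size and returns how many were written. */
static size_t write_tile_info(void *buf, size_t buf_size, size_t n_tiles)
{
    struct tile_info *dst = buf;
    size_t cap = tile_info_capacity(buf_size);
    size_t n = n_tiles < cap ? n_tiles : cap;
    for (size_t i = 0; i < n; i++)
        dst[i] = (struct tile_info){ (uint32_t)i, 0, 0, 0 };
    return n;
}

/* Entries that an unchecked writer would have placed past the allocation. */
static size_t tiles_out_of_bounds(size_t alloc_size, size_t n_tiles)
{
    void *buf = calloc(1, alloc_size);
    if (!buf)
        return n_tiles;
    size_t written = write_tile_info(buf, alloc_size, n_tiles);
    free(buf);
    return n_tiles - written;
}

int main(void)
{
    printf("before fix: %zu\n", tiles_out_of_bounds(AV1_MAX_TILES, AV1_MAX_TILES));
    printf("after fix:  %zu\n", tiles_out_of_bounds(AV1_TILE_INFO_SIZE, AV1_MAX_TILES));
    return 0;
}
```

With the assumed constant, a buffer sized by AV1_MAX_TILES holds only one sixteenth of the entries, while one sized by AV1_TILE_INFO_SIZE holds them all.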
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.75 | 34f36f9c6114 |
| 6.18 | 6.18.16 | f122f2b3ce9d |
| 6.19 | 6.19.6 | 74abfadd7ef5 |
| 6.6 | 6.6.128 | a5b1ddbe31f4 |
| mainline | 7.0 | a505ca2db89a |