Severity: HIGH
media/qcom VFE OOB
CVE-2026-43256
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI: 6.6 MEDIUM

01 Description
In the Linux kernel, the following vulnerability has been resolved:

media: qcom: camss: vfe: Fix out-of-bounds access in vfe_isr_reg_update()

vfe_isr() iterates using MSM_VFE_IMAGE_MASTERS_NUM (7) as the loop bound and passes the index to vfe_isr_reg_update(). However, the vfe->line[] array is defined with VFE_LINE_NUM_MAX (4):

struct vfe_line line[VFE_LINE_NUM_MAX];

When the index is 4, 5, or 6, the access to vfe->line[line_id] exceeds the array bounds, resulting in out-of-bounds memory access.

Fix this by using separate loops for output lines and write masters.
02 KernelScan AI Analysis
Risk summary
Local attackers with access to the Qualcomm CAMSS VFE camera device can trigger an out-of-bounds access in the VFE interrupt handler. The bug causes a constrained out-of-bounds read and write at fixed offsets beyond the vfe->line[] array, leading to potential disclosure of kernel pointers, limited kernel memory corruption, or system crash on devices with Qualcomm Titan 480 VFE hardware.
Vulnerability analysis
The flaw exists in vfe_isr() in camss-vfe-480.c, which loops up to MSM_VFE_IMAGE_MASTERS_NUM (7) and passes the index to vfe_isr_reg_update(). Because the vfe->line[] array only contains VFE_LINE_NUM_MAX (4) entries, indices 4, 5, and 6 cause an out-of-bounds access. The access is a fixed-offset read/write against adjacent memory within the kernel heap object. The fix introduces separate loops: one bounded by MAX_VFE_OUTPUT_LINES for line array access, and another bounded by MSM_VFE_IMAGE_MASTERS_NUM for write master completion events. Exploitation requires local access to the V4L2 video device exposed by the driver.
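To make the loop-bound mismatch concrete, the following is an added C model, not the camss driver's code. It uses the constant names and values given on the page (VFE_LINE_NUM_MAX = 4, MSM_VFE_IMAGE_MASTERS_NUM = 7), shows how many iterations of the old single loop fall outside vfe->line[], and mirrors the fixed structure of two loops with separate bounds. The struct layout, the bitmask inputs and the assumption that MAX_VFE_OUTPUT_LINES equals VFE_LINE_NUM_MAX are constructed for this example; the real interrupt status registers are not modelled.

```c
#include <stdint.h>

/* Constant names and values as stated on the page. */
#define VFE_LINE_NUM_MAX 4
#define MSM_VFE_IMAGE_MASTERS_NUM 7
/* The fix bounds the line loop with MAX_VFE_OUTPUT_LINES; the page does not
 * give its value, so this model assumes it equals VFE_LINE_NUM_MAX. */
#define MAX_VFE_OUTPUT_LINES VFE_LINE_NUM_MAX

struct vfe_line { int reg_update_count; };   /* constructed stand-in */
struct vfe_wm   { int done_count; };         /* constructed stand-in */

/* Toy VFE object: line[] holds exactly VFE_LINE_NUM_MAX entries while the
 * hardware has MSM_VFE_IMAGE_MASTERS_NUM write masters. */
struct vfe {
    struct vfe_line line[VFE_LINE_NUM_MAX];
    struct vfe_wm   wm[MSM_VFE_IMAGE_MASTERS_NUM];
};

/* The bounds check the old single loop effectively lacked. */
int vfe_line_index_valid(unsigned int line_id)
{
    return line_id < VFE_LINE_NUM_MAX;
}

/* How many iterations of a loop bounded by MSM_VFE_IMAGE_MASTERS_NUM would
 * index past vfe->line[] (the indices 4, 5 and 6 named in the advisory). */
unsigned int vfe_old_loop_oob_count(void)
{
    unsigned int n = 0;
    for (unsigned int i = 0; i < MSM_VFE_IMAGE_MASTERS_NUM; i++)
        if (!vfe_line_index_valid(i))
            n++;
    return n;
}

/* Fixed structure: the first loop is bounded by the line array size and
 * handles reg-update events; the second is bounded by the write-master
 * count and handles completion events. The two masks are constructed
 * bitmaps standing in for hardware status bits. */
void vfe_isr_model(struct vfe *vfe, uint32_t reg_update_mask, uint32_t wm_done_mask)
{
    for (unsigned int i = 0; i < MAX_VFE_OUTPUT_LINES; i++)
        if (reg_update_mask & (1u << i))
            vfe->line[i].reg_update_count++;   /* i is always < VFE_LINE_NUM_MAX */

    for (unsigned int i = 0; i < MSM_VFE_IMAGE_MASTERS_NUM; i++)
        if (wm_done_mask & (1u << i))
            vfe->wm[i].done_count++;
}

/* Run the model on a zeroed object and return the number of reg-update
 * events recorded; bits 4..6 of the mask must be ignored, not written
 * past line[]. */
int vfe_model_reg_updates_for(uint32_t reg_update_mask)
{
    struct vfe v = {0};
    int total = 0;
    vfe_isr_model(&v, reg_update_mask, 0);
    for (unsigned int i = 0; i < VFE_LINE_NUM_MAX; i++)
        total += v.line[i].reg_update_count;
    return total;
}

/* Same for write-master completion events, which legitimately use all
 * MSM_VFE_IMAGE_MASTERS_NUM slots. */
int vfe_model_wm_done_for(uint32_t wm_done_mask)
{
    struct vfe v = {0};
    int total = 0;
    vfe_isr_model(&v, 0, wm_done_mask);
    for (unsigned int i = 0; i < MSM_VFE_IMAGE_MASTERS_NUM; i++)
        total += v.wm[i].done_count;
    return total;
}
```

The point of the split is that each loop's bound matches the array it indexes; compiling the driver with array-bounds sanitizers (UBSAN) or running with KASAN on affected hardware is the practical way to catch this class of mismatch before it reaches production.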
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.1 | 6.1.167 | e6cbf765686f |
| 6.12 | 6.12.75 | 1b103307df6d |
| 6.18 | 6.18.16 | fade67c88870 |
| 6.19 | 6.19.6 | e7a38ecda249 |
| 6.6 | 6.6.128 | 0c074e80921f |
| mainline | 7.0 | d965919af524 |