HIGH
media/wave5 VpuInstance Deref
CVE-2026-43263
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI 4.5 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

media: chips-media: wave5: Fix Null reference while testing fluster

When multiple instances are created/destroyed, many interrupts happen and structures for the decoder are removed. "struct vpu_instance" is shared by all flows in the decoder, so if the structure is not protected by a lock, a Null dereference could sometimes happen. The IRQ handler was split into two phases and a lock was added as well.
02 KernelScan AI Analysis
Risk summary
Local users with access to Wave5 VPU hardware can trigger a NULL pointer dereference by creating and destroying multiple decoder instances concurrently under specific timing conditions. This causes a kernel panic, resulting in system-wide denial of service. The vulnerability affects systems with Chips&Media Wave5 video processing units.
Vulnerability analysis
The root cause is a race condition in the Wave5 VPU driver where the shared struct vpu_instance can be freed while still being accessed by interrupt handlers during concurrent instance creation/destruction. The IRQ handler iterates over instance structures from a global list without adequate synchronization, leading to NULL pointer dereferences when instances are removed mid-iteration. The fix splits the IRQ handler into two phases with proper locking: a spin-locked hardirq phase for queuing interrupt reasons via a per-instance kfifo, and a mutex-protected irq_thread for processing, ensuring the instance list is protected during release.
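The two-phase handler described above, as an added userspace C model that is not the wave5 driver's code: pthread mutexes stand in for the kernel spinlock and mutex, a ring buffer for the per-instance kfifo, and a fixed table for the instance list; the function names and the hardirq/thread/release split are assumptions that follow the fix description, not the driver's actual API.

```c
#include <pthread.h>
/* Added userspace model, not driver code: pthread mutexes stand in for the kernel
 * spinlock and mutex, a ring buffer for the per-instance kfifo, a table for the list. */
#define FIFO_LEN 8
#define MAX_INST 4
struct vpu_instance {
    int in_use;                 /* cleared by release(): instance is off the list */
    unsigned reasons[FIFO_LEN]; /* per-instance fifo of pending interrupt reasons */
    unsigned head, tail;
};
static struct vpu_instance insts[MAX_INST];
static pthread_mutex_t irq_lock = PTHREAD_MUTEX_INITIALIZER; /* hardirq "spinlock" */
static pthread_mutex_t dev_lock = PTHREAD_MUTEX_INITIALIZER; /* thread/release mutex */

/* Runs before the instance can raise interrupts, so it needs no lock. */
void wave5_instance_create(int id) { insts[id] = (struct vpu_instance){ .in_use = 1 }; }
/* Phase 1 (hardirq): queue the reason under the spinlock, touch no decoder state.
 * Returns 1 to wake the thread, 0 if the instance is gone or its fifo is full. */
int wave5_hardirq(int id, unsigned reason) {
    struct vpu_instance *in = &insts[id]; /* caller passes a valid id */
    int queued = 0;
    pthread_mutex_lock(&irq_lock);
    if (in->in_use && in->tail - in->head < FIFO_LEN) {
        in->reasons[in->tail++ % FIFO_LEN] = reason;
        queued = 1;
    }
    pthread_mutex_unlock(&irq_lock);
    return queued;
}
/* Phase 2 (irq thread): drain live fifos under the mutex that release() also takes,
 * so no instance can be freed while its reasons are handled. Returns the count. */
unsigned wave5_irq_thread(void) {
    unsigned handled = 0;
    pthread_mutex_lock(&dev_lock);
    for (int i = 0; i < MAX_INST; i++) {
        pthread_mutex_lock(&irq_lock);
        for (; insts[i].in_use && insts[i].head != insts[i].tail; insts[i].head++)
            handled++; /* stand-in for handling reasons[head % FIFO_LEN] */
        pthread_mutex_unlock(&irq_lock);
    }
    pthread_mutex_unlock(&dev_lock);
    return handled;
}
/* Release holds both locks, so a late hardirq sees in_use == 0 instead of a freed instance. */
void wave5_instance_release(int id) {
    pthread_mutex_lock(&dev_lock);
    pthread_mutex_lock(&irq_lock);
    insts[id].in_use = 0;
    pthread_mutex_unlock(&irq_lock);
    pthread_mutex_unlock(&dev_lock);
}
```

Lock order is the same everywhere (dev_lock, then irq_lock; hardirq takes only irq_lock), which is what lets release run safely between the two phases.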
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.16 | ea316b784fe6 |
| 6.19 | 6.19.6 | d12bcf183ec7 |
| mainline | 7.0 | e66ff2b08e4e |