HIGH
media UVC BufferLeak
CVE-2026-43290
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI4.0MEDIUM
01Description
In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Return queued buffers on start_streaming() failure Return buffers if streaming fails to start due to uvc_pm_get() error. This bug may be responsible for a warning I got running while :; do yavta -c3 /dev/video0; done on an xHCI controller which failed under this workload. I had no luck reproducing this warning again to confirm. xhci_hcd 0000:09:00.0: HC died; cleaning up usb 13-2: USB disconnect, device number 2 WARNING: CPU: 2 PID: 29386 at drivers/media/common/videobuf2/videobuf2-core.c:1803 vb2_start_streaming+0xac/0x120
02KernelScan AI Analysis
Risk summary
USB camera devices may leak video buffers when streaming fails to start due to power management errors. This causes kernel warnings and potential resource exhaustion but does not lead to crashes or privilege escalation.
Vulnerability analysis
The bug occurs in uvc_start_streaming_video() when uvc_pm_get() fails - the function returns early without calling uvc_queue_return_buffers() to properly clean up queued video buffers. This was introduced when removing the is_streaming field and transitioning to vb2 helpers. The fix adds proper error handling with goto labels to ensure buffers are always returned on any failure path. Attack surface is local USB camera access without special privileges.
03Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.18 | 6.18.16 | 69c32df23bed |
| 6.19 | 6.19.6 | a5c01f15809d |
| mainline | 7.0 | 4cf3b6fd54eb |