KernelScan.io

HIGH

staging/media atomisp Private IOCTL Bypass

CVE-2026-46205

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 7.8 HIGH

In the Linux kernel, the following vulnerability has been resolved:

staging: media: atomisp: Disallow all private IOCTLs

Disallow all private IOCTLs. These aren't quite as safe as one could assume of IOCTL handlers; disable them for now. Instead of removing the code, return in the beginning of the function if cmd is non-zero in order to keep static checkers happy.

Engine v0.2.0

Risk summary

Systems with Intel IPU v2 camera hardware running the atomisp staging driver are vulnerable to privilege escalation through unsafe private IOCTL handlers. Attackers with access to the video device can potentially achieve arbitrary kernel memory access, leading to privilege escalation or system compromise. The vulnerability is reachable only on platforms where the IPU is exposed via the internal PCIe interface.

Affected: drivers/staging/media/atomisp/pci/atomisp_ioctl.c (atomisp driver)

Vulnerability analysis

The atomisp driver's private IOCTL handlers lack sufficient security validation, allowing potentially unsafe operations to be performed from userspace. The fix completely disables all private IOCTLs by adding an early return that rejects any non-zero command, indicating the underlying handlers were deemed too unsafe to repair individually. This affects local attackers who can access the video device, typically requiring membership in the video group or equivalent device access permissions.

| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.258 | 64e85679beaf |
| 5.15 | 5.15.209 | 8774f8cb661f |
| 6.1 | 6.1.175 | ceb1b5f910e5 |
| 6.12 | 6.12.90 | 6f1ce75a75c6 |
| 6.18 | 6.18.32 | c7848b67ef10 |
| 6.6 | 6.6.140 | 8c7a281a9922 |
| 7.0 | 7.0.9 | 6850a439f8d2 |
| mainline | 7.1-rc1 | 2b7eb2c5dc72 |