CVE-2026-43229 (GCVE-0-2026-43229)

Vulnerability from cvelistv5 – Published: 2026-05-06 11:28 – Updated: 2026-05-06 11:28
VLAI?
Title
media: chips-media: wave5: Fix device cleanup order to prevent kernel panic
Summary
In the Linux kernel, the following vulnerability has been resolved: media: chips-media: wave5: Fix device cleanup order to prevent kernel panic Move video device unregistration to the beginning of the remove function to ensure all video operations are stopped before cleaning up the worker thread and disabling PM runtime. This prevents hardware register access after the device has been powered down. In polling mode, the hrtimer periodically triggers wave5_vpu_timer_callback() which queues work to the kthread worker. The worker executes wave5_vpu_irq_work_fn() which reads hardware registers via wave5_vdi_read_register(). The original cleanup order disabled PM runtime and powered down hardware before unregistering video devices. When autosuspend triggers and powers off the hardware, the video devices are still registered and the worker thread can still be triggered by the hrtimer, causing it to attempt reading registers from powered-off hardware. This results in a bus error (synchronous external abort) and kernel panic. This causes random kernel panics during encoding operations: Internal error: synchronous external abort: 0000000096000010 [#1] PREEMPT SMP Modules linked in: wave5 rpmsg_ctrl rpmsg_char ... CPU: 0 UID: 0 PID: 1520 Comm: vpu_irq_thread Tainted: G M W pc : wave5_vdi_read_register+0x10/0x38 [wave5] lr : wave5_vpu_irq_work_fn+0x28/0x60 [wave5] Call trace: wave5_vdi_read_register+0x10/0x38 [wave5] kthread_worker_fn+0xd8/0x238 kthread+0x104/0x120 ret_from_fork+0x10/0x20 Code: aa1e03e9 d503201f f9416800 8b214000 (b9400000) ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: synchronous external abort: Fatal exception
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 9707a6254a8a6b978bde811a44fe07d86c229d1c , < b73d85231d5b1400a4fa5046cdac6c4d7cc6d969 (git)
Affected: 9707a6254a8a6b978bde811a44fe07d86c229d1c , < 526816f2e331954d80fed8b37fa94efbbdde2b8d (git)
Affected: 9707a6254a8a6b978bde811a44fe07d86c229d1c , < dc2b7deae740a3ed138fb7ae17c97fa4055cfc5f (git)
Affected: 9707a6254a8a6b978bde811a44fe07d86c229d1c , < b74cedac643b02aefa7da881b58a3792859d9748 (git)
Create a notification for this product.
    Linux Linux Affected: 6.8
Unaffected: 0 , < 6.8 (semver)
Unaffected: 6.12.75 , ≤ 6.12.* (semver)
Unaffected: 6.18.16 , ≤ 6.18.* (semver)
Unaffected: 6.19.6 , ≤ 6.19.* (semver)
Unaffected: 7.0 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/platform/chips-media/wave5/wave5-vpu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b73d85231d5b1400a4fa5046cdac6c4d7cc6d969",
              "status": "affected",
              "version": "9707a6254a8a6b978bde811a44fe07d86c229d1c",
              "versionType": "git"
            },
            {
              "lessThan": "526816f2e331954d80fed8b37fa94efbbdde2b8d",
              "status": "affected",
              "version": "9707a6254a8a6b978bde811a44fe07d86c229d1c",
              "versionType": "git"
            },
            {
              "lessThan": "dc2b7deae740a3ed138fb7ae17c97fa4055cfc5f",
              "status": "affected",
              "version": "9707a6254a8a6b978bde811a44fe07d86c229d1c",
              "versionType": "git"
            },
            {
              "lessThan": "b74cedac643b02aefa7da881b58a3792859d9748",
              "status": "affected",
              "version": "9707a6254a8a6b978bde811a44fe07d86c229d1c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/platform/chips-media/wave5/wave5-vpu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.18.*",
              "status": "unaffected",
              "version": "6.18.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.19.*",
              "status": "unaffected",
              "version": "6.19.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "7.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.75",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.18.16",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.19.6",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.0",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: chips-media: wave5: Fix device cleanup order to prevent kernel panic\n\nMove video device unregistration to the beginning of the remove function\nto ensure all video operations are stopped before cleaning up the worker\nthread and disabling PM runtime. This prevents hardware register access\nafter the device has been powered down.\n\nIn polling mode, the hrtimer periodically triggers\nwave5_vpu_timer_callback() which queues work to the kthread worker.\nThe worker executes wave5_vpu_irq_work_fn() which reads hardware\nregisters via wave5_vdi_read_register().\n\nThe original cleanup order disabled PM runtime and powered down hardware\nbefore unregistering video devices. When autosuspend triggers and powers\noff the hardware, the video devices are still registered and the worker\nthread can still be triggered by the hrtimer, causing it to attempt\nreading registers from powered-off hardware. This results in a bus error\n(synchronous external abort) and kernel panic.\n\nThis causes random kernel panics during encoding operations:\n\n  Internal error: synchronous external abort: 0000000096000010\n    [#1] PREEMPT SMP\n  Modules linked in: wave5 rpmsg_ctrl rpmsg_char ...\n  CPU: 0 UID: 0 PID: 1520 Comm: vpu_irq_thread\n    Tainted: G   M    W\n  pc : wave5_vdi_read_register+0x10/0x38 [wave5]\n  lr : wave5_vpu_irq_work_fn+0x28/0x60 [wave5]\n  Call trace:\n   wave5_vdi_read_register+0x10/0x38 [wave5]\n   kthread_worker_fn+0xd8/0x238\n   kthread+0x104/0x120\n   ret_from_fork+0x10/0x20\n  Code: aa1e03e9 d503201f f9416800 8b214000 (b9400000)\n  ---[ end trace 0000000000000000 ]---\n  Kernel panic - not syncing: synchronous external abort:\n    Fatal exception"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-06T11:28:26.951Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b73d85231d5b1400a4fa5046cdac6c4d7cc6d969"
        },
        {
          "url": "https://git.kernel.org/stable/c/526816f2e331954d80fed8b37fa94efbbdde2b8d"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc2b7deae740a3ed138fb7ae17c97fa4055cfc5f"
        },
        {
          "url": "https://git.kernel.org/stable/c/b74cedac643b02aefa7da881b58a3792859d9748"
        }
      ],
      "title": "media: chips-media: wave5: Fix device cleanup order to prevent kernel panic",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2026-43229",
    "datePublished": "2026-05-06T11:28:26.951Z",
    "dateReserved": "2026-05-01T14:12:55.994Z",
    "dateUpdated": "2026-05-06T11:28:26.951Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-43229",
      "date": "2026-05-09",
      "epss": "0.00012",
      "percentile": "0.01584"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-43229\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2026-05-06T12:16:42.830\",\"lastModified\":\"2026-05-08T21:08:53.743\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nmedia: chips-media: wave5: Fix device cleanup order to prevent kernel panic\\n\\nMove video device unregistration to the beginning of the remove function\\nto ensure all video operations are stopped before cleaning up the worker\\nthread and disabling PM runtime. This prevents hardware register access\\nafter the device has been powered down.\\n\\nIn polling mode, the hrtimer periodically triggers\\nwave5_vpu_timer_callback() which queues work to the kthread worker.\\nThe worker executes wave5_vpu_irq_work_fn() which reads hardware\\nregisters via wave5_vdi_read_register().\\n\\nThe original cleanup order disabled PM runtime and powered down hardware\\nbefore unregistering video devices. When autosuspend triggers and powers\\noff the hardware, the video devices are still registered and the worker\\nthread can still be triggered by the hrtimer, causing it to attempt\\nreading registers from powered-off hardware. This results in a bus error\\n(synchronous external abort) and kernel panic.\\n\\nThis causes random kernel panics during encoding operations:\\n\\n  Internal error: synchronous external abort: 0000000096000010\\n    [#1] PREEMPT SMP\\n  Modules linked in: wave5 rpmsg_ctrl rpmsg_char ...\\n  CPU: 0 UID: 0 PID: 1520 Comm: vpu_irq_thread\\n    Tainted: G   M    W\\n  pc : wave5_vdi_read_register+0x10/0x38 [wave5]\\n  lr : wave5_vpu_irq_work_fn+0x28/0x60 [wave5]\\n  Call trace:\\n   wave5_vdi_read_register+0x10/0x38 [wave5]\\n   kthread_worker_fn+0xd8/0x238\\n   kthread+0x104/0x120\\n   ret_from_fork+0x10/0x20\\n  Code: aa1e03e9 d503201f f9416800 8b214000 (b9400000)\\n  ---[ end trace 0000000000000000 ]---\\n  Kernel panic - not syncing: synchronous external abort:\\n    Fatal exception\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.8\",\"versionEndExcluding\":\"6.12.75\",\"matchCriteriaId\":\"4A94C3E7-EF78-4AF2-8160-DDF77E97D5EE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.13\",\"versionEndExcluding\":\"6.18.16\",\"matchCriteriaId\":\"B4B8CDA9-BADF-4CF5-8B3B-702DE8EEA40B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.19\",\"versionEndExcluding\":\"6.19.6\",\"matchCriteriaId\":\"373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/526816f2e331954d80fed8b37fa94efbbdde2b8d\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/b73d85231d5b1400a4fa5046cdac6c4d7cc6d969\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/b74cedac643b02aefa7da881b58a3792859d9748\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/dc2b7deae740a3ed138fb7ae17c97fa4055cfc5f\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.