CVE-2026-43189

EUVD-2026-27751
In the Linux kernel, the following vulnerability has been resolved:

media: v4l2-async: Fix error handling on steps after finding a match

Once an async connection is found to be matching with an fwnode, a
sub-device may be registered (in case it wasn't already), its bound
operation is called, ancillary links are created, the async connection
is added to the sub-device's list of connections and removed from the
global waiting connection list. Further on, the sub-device's possible own
notifier is searched for possible additional matches.

Fix these specific issues:

- If v4l2_async_match_notify() failed before the sub-notifier handling,
  the async connection was unbound and its entry removed from the
  sub-device's async connection list. The latter part was also done in
  v4l2_async_match_notify().

- The async connection's sd field was only set after creating ancillary
  links in v4l2_async_match_notify(). It was however dereferenced in
  v4l2_async_unbind_subdev_one(), which was called on error path of
  v4l2_async_match_notify() failure.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
UNKNOWN
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 4%
Debian logo
Debian Releases
Debian Product
Codename
linux
bookworm
6.1.159-1
fixed
bookworm (security)
6.1.170-1
fixed
bullseye
5.10.223-1
fixed
bullseye (security)
5.10.251-4
fixed
forky
6.19.14-1
fixed
sid
7.0.4-1
fixed
trixie
vulnerable
trixie (security)
6.12.86-1
fixed
Vulnerability Media Exposure
References
https://git.kernel.org/stable/c/2de0a3c8148fc3dbea21981e6569f550b3626119
https://git.kernel.org/stable/c/30aaed311f973f13ba13a0cd2dc0202f595fff48
https://git.kernel.org/stable/c/461733d83e67ba7e3a5b750c0d203f738e01244f
https://git.kernel.org/stable/c/7345d6d356336c448d6b9230ed8704f39679fd12
https://git.kernel.org/stable/c/b02bcb378efa8af07827f49b3afcc5e825318c55