CVE-2026-43256

/* * PoC for CVE-2026-43256 * This code demonstrates the logic flaw in the Linux kernel VFE driver. * It simulates the loop condition that causes the out-of-bounds access. * Note: Actual exploitation requires triggering the VFE interrupt on * vulnerable hardware. */ #include <stdio.h> #include <stdlib.h> // Definitions based on the vulnerable code #define MSM_VFE_IMAGE_MASTERS_NUM 7 #define VFE_LINE_NUM_MAX 4 struct vfe_line { int dummy; }; struct vfe_device { struct vfe_line line[VFE_LINE_NUM_MAX]; }; // Simulated vulnerable function void vfe_isr_reg_update(struct vfe_device *vfe, int line_id) { printf("Accessing line index: %d\n", line_id); // This access is out of bounds when line_id >= 4 // In the kernel, this corrupts memory. int x = vfe->line[line_id].dummy; } // Simulated interrupt handler void vfe_isr(struct vfe_device *vfe) { // Vulnerability: Loop bound is larger than the array size for (int i = 0; i < MSM_VFE_IMAGE_MASTERS_NUM; i++) { vfe_isr_reg_update(vfe, i); } } int main() { struct vfe_device *vfe = malloc(sizeof(struct vfe_device)); printf("Triggering vulnerable logic...\n"); vfe_isr(vfe); free(vfe); return 0; }

{"cve": {"id": "CVE-2026-43256", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-06T12:16:46.397", "lastModified": "2026-05-11T18:16:48.460", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: qcom: camss: vfe: Fix out-of-bounds access in vfe_isr_reg_update()\n\nvfe_isr() iterates using MSM_VFE_IMAGE_MASTERS_NUM(7) as the loop\nbound and passes the index to vfe_isr_reg_update(). However,\nvfe->line[] array is defined with VFE_LINE_NUM_MAX(4):\n\n struct vfe_line line[VFE_LINE_NUM_MAX];\n\nWhen index is 4, 5, 6, the access to vfe->line[line_id] exceeds\nthe array bounds and resulting in out-of-bounds memory access.\n\nFix this by using separate loops for output lines and write masters."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.18", "versionEndExcluding": "6.1.167", "matchCriteriaId": "25D24035-467E-4E84-987E-DA8067ECEAC4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.6.128", "matchCriteriaId": "851E9353-6C09-4CC9-877E-E09DB164A3C2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.75", "matchCriteriaId": "BCE16369-98ED-41CF-8995-DFDC10B288D2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.16", "matchCriteriaId": "B4B8CDA9-BADF-4CF5-8B3B-702DE8EEA40B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.6", "matchCriteriaId": "373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/0c074e80921fd18984b75836730d76c768c84f65", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/1b103307df6d461a0731be25aca69ad0335b0933", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/d965919af524e68cb2ab1a685872050ad2ee933d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e6cbf765686fb6c1d8f2530b3daf6c66efc92f5d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e7a38ecda2498e7ce998793ac2a46ca47317635d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/fade67c88870f497a13ed450ba01f7236c92dd9b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}