CVE-2026-43300

// Simulated PoC for CVE-2026-43300 // This demonstrates the logic flaw in jdi_panel_dsi_remove() #include <stdio.h> #include <stdlib.h> struct jdi_panel { int base; void *backlight; }; void jdi_panel_disable(struct jdi_panel *jdi) { // This line causes the crash if jdi is NULL printf("Disabling backlight at %p\n", jdi->backlight); } void jdi_panel_dsi_remove(struct jdi_panel *jdi) { if (!jdi) { printf("jdi is NULL, detaching DSI...\n"); // Buggy code: does not return here } // Continues even if jdi is NULL jdi_panel_disable(jdi); } int main() { printf("Triggering CVE-2026-43300 logic...\n"); jdi_panel_dsi_remove(NULL); return 0; }

{"cve": {"id": "CVE-2026-43300", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2026-05-08T14:16:37.223", "lastModified": "2026-05-15T14:04:19.723", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/panel: Fix a possible null-pointer dereference in jdi_panel_dsi_remove()\n\nIn jdi_panel_dsi_remove(), jdi is explicitly checked, indicating that it\nmay be NULL:\n\n if (!jdi)\n mipi_dsi_detach(dsi);\n\nHowever, when jdi is NULL, the function does not return and continues by\ncalling jdi_panel_disable():\n\n err = jdi_panel_disable(&jdi->base);\n\nInside jdi_panel_disable(), jdi is dereferenced unconditionally, which can\nlead to a NULL-pointer dereference:\n\n struct jdi_panel *jdi = to_panel_jdi(panel);\n backlight_disable(jdi->backlight);\n\nTo prevent such a potential NULL-pointer dereference, return early from\njdi_panel_dsi_remove() when jdi is NULL."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.7", "versionEndExcluding": "6.12.75", "matchCriteriaId": "BCE16369-98ED-41CF-8995-DFDC10B288D2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.13", "versionEndExcluding": "6.18.16", "matchCriteriaId": "B4B8CDA9-BADF-4CF5-8B3B-702DE8EEA40B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.19", "versionEndExcluding": "6.19.6", "matchCriteriaId": "373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/2f5427d8726b22b807beec248d7d6bf88e291e0b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/83ce0085fabf757b039322928188ad78e962d609", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/95eed73b871111123a8b1d31cb1fce7e902e49ea", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ec2f37bbb733cdd7ed7d04171fca728a532414d5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}