{"api_version":"1","generated_at":"2026-05-13T07:40:28+00:00","cve":"CVE-2026-43229","urls":{"html":"https://cve.report/CVE-2026-43229","api":"https://cve.report/api/cve/CVE-2026-43229.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-43229","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-43229"},"summary":{"title":"media: chips-media: wave5: Fix device cleanup order to prevent kernel panic","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: chips-media: wave5: Fix device cleanup order to prevent kernel panic\n\nMove video device unregistration to the beginning of the remove function\nto ensure all video operations are stopped before cleaning up the worker\nthread and disabling PM runtime. This prevents hardware register access\nafter the device has been powered down.\n\nIn polling mode, the hrtimer periodically triggers\nwave5_vpu_timer_callback() which queues work to the kthread worker.\nThe worker executes wave5_vpu_irq_work_fn() which reads hardware\nregisters via wave5_vdi_read_register().\n\nThe original cleanup order disabled PM runtime and powered down hardware\nbefore unregistering video devices. When autosuspend triggers and powers\noff the hardware, the video devices are still registered and the worker\nthread can still be triggered by the hrtimer, causing it to attempt\nreading registers from powered-off hardware. This results in a bus error\n(synchronous external abort) and kernel panic.\n\nThis causes random kernel panics during encoding operations:\n\n  Internal error: synchronous external abort: 0000000096000010\n    [#1] PREEMPT SMP\n  Modules linked in: wave5 rpmsg_ctrl rpmsg_char ...\n  CPU: 0 UID: 0 PID: 1520 Comm: vpu_irq_thread\n    Tainted: G   M    W\n  pc : wave5_vdi_read_register+0x10/0x38 [wave5]\n  lr : wave5_vpu_irq_work_fn+0x28/0x60 [wave5]\n  Call trace:\n   wave5_vdi_read_register+0x10/0x38 [wave5]\n   kthread_worker_fn+0xd8/0x238\n   kthread+0x104/0x120\n   ret_from_fork+0x10/0x20\n  Code: aa1e03e9 d503201f f9416800 8b214000 (b9400000)\n  ---[ end trace 0000000000000000 ]---\n  Kernel panic - not syncing: synchronous external abort:\n    Fatal exception","state":"PUBLISHED","assigner":"Linux","published_at":"2026-05-06 12:16:42","updated_at":"2026-05-08 21:08:53"},"problem_types":["NVD-CWE-noinfo"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"5.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}}],"references":[{"url":"https://git.kernel.org/stable/c/b73d85231d5b1400a4fa5046cdac6c4d7cc6d969","name":"https://git.kernel.org/stable/c/b73d85231d5b1400a4fa5046cdac6c4d7cc6d969","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/526816f2e331954d80fed8b37fa94efbbdde2b8d","name":"https://git.kernel.org/stable/c/526816f2e331954d80fed8b37fa94efbbdde2b8d","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/b74cedac643b02aefa7da881b58a3792859d9748","name":"https://git.kernel.org/stable/c/b74cedac643b02aefa7da881b58a3792859d9748","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/dc2b7deae740a3ed138fb7ae17c97fa4055cfc5f","name":"https://git.kernel.org/stable/c/dc2b7deae740a3ed138fb7ae17c97fa4055cfc5f","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":["Patch"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-43229","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43229","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 9707a6254a8a6b978bde811a44fe07d86c229d1c b73d85231d5b1400a4fa5046cdac6c4d7cc6d969 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 9707a6254a8a6b978bde811a44fe07d86c229d1c 526816f2e331954d80fed8b37fa94efbbdde2b8d git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 9707a6254a8a6b978bde811a44fe07d86c229d1c dc2b7deae740a3ed138fb7ae17c97fa4055cfc5f git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 9707a6254a8a6b978bde811a44fe07d86c229d1c b74cedac643b02aefa7da881b58a3792859d9748 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 6.8","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.8 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.75 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.16 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.19.6 6.19.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"43229","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"linux","cpe5":"linux_kernel","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["drivers/media/platform/chips-media/wave5/wave5-vpu.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"b73d85231d5b1400a4fa5046cdac6c4d7cc6d969","status":"affected","version":"9707a6254a8a6b978bde811a44fe07d86c229d1c","versionType":"git"},{"lessThan":"526816f2e331954d80fed8b37fa94efbbdde2b8d","status":"affected","version":"9707a6254a8a6b978bde811a44fe07d86c229d1c","versionType":"git"},{"lessThan":"dc2b7deae740a3ed138fb7ae17c97fa4055cfc5f","status":"affected","version":"9707a6254a8a6b978bde811a44fe07d86c229d1c","versionType":"git"},{"lessThan":"b74cedac643b02aefa7da881b58a3792859d9748","status":"affected","version":"9707a6254a8a6b978bde811a44fe07d86c229d1c","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["drivers/media/platform/chips-media/wave5/wave5-vpu.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"6.8"},{"lessThan":"6.8","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.75","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.16","versionType":"semver"},{"lessThanOrEqual":"6.19.*","status":"unaffected","version":"6.19.6","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.0","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.75","versionStartIncluding":"6.8","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.16","versionStartIncluding":"6.8","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.19.6","versionStartIncluding":"6.8","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0","versionStartIncluding":"6.8","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: chips-media: wave5: Fix device cleanup order to prevent kernel panic\n\nMove video device unregistration to the beginning of the remove function\nto ensure all video operations are stopped before cleaning up the worker\nthread and disabling PM runtime. This prevents hardware register access\nafter the device has been powered down.\n\nIn polling mode, the hrtimer periodically triggers\nwave5_vpu_timer_callback() which queues work to the kthread worker.\nThe worker executes wave5_vpu_irq_work_fn() which reads hardware\nregisters via wave5_vdi_read_register().\n\nThe original cleanup order disabled PM runtime and powered down hardware\nbefore unregistering video devices. When autosuspend triggers and powers\noff the hardware, the video devices are still registered and the worker\nthread can still be triggered by the hrtimer, causing it to attempt\nreading registers from powered-off hardware. This results in a bus error\n(synchronous external abort) and kernel panic.\n\nThis causes random kernel panics during encoding operations:\n\n  Internal error: synchronous external abort: 0000000096000010\n    [#1] PREEMPT SMP\n  Modules linked in: wave5 rpmsg_ctrl rpmsg_char ...\n  CPU: 0 UID: 0 PID: 1520 Comm: vpu_irq_thread\n    Tainted: G   M    W\n  pc : wave5_vdi_read_register+0x10/0x38 [wave5]\n  lr : wave5_vpu_irq_work_fn+0x28/0x60 [wave5]\n  Call trace:\n   wave5_vdi_read_register+0x10/0x38 [wave5]\n   kthread_worker_fn+0xd8/0x238\n   kthread+0x104/0x120\n   ret_from_fork+0x10/0x20\n  Code: aa1e03e9 d503201f f9416800 8b214000 (b9400000)\n  ---[ end trace 0000000000000000 ]---\n  Kernel panic - not syncing: synchronous external abort:\n    Fatal exception"}],"providerMetadata":{"dateUpdated":"2026-05-06T11:28:26.951Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/b73d85231d5b1400a4fa5046cdac6c4d7cc6d969"},{"url":"https://git.kernel.org/stable/c/526816f2e331954d80fed8b37fa94efbbdde2b8d"},{"url":"https://git.kernel.org/stable/c/dc2b7deae740a3ed138fb7ae17c97fa4055cfc5f"},{"url":"https://git.kernel.org/stable/c/b74cedac643b02aefa7da881b58a3792859d9748"}],"title":"media: chips-media: wave5: Fix device cleanup order to prevent kernel panic","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-43229","datePublished":"2026-05-06T11:28:26.951Z","dateReserved":"2026-05-01T14:12:55.994Z","dateUpdated":"2026-05-06T11:28:26.951Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-06 12:16:42","lastModifiedDate":"2026-05-08 21:08:53","problem_types":["NVD-CWE-noinfo"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":3.6}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.8","versionEndExcluding":"6.12.75","matchCriteriaId":"4A94C3E7-EF78-4AF2-8160-DDF77E97D5EE"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.13","versionEndExcluding":"6.18.16","matchCriteriaId":"B4B8CDA9-BADF-4CF5-8B3B-702DE8EEA40B"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.19","versionEndExcluding":"6.19.6","matchCriteriaId":"373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"43229","Ordinal":"1","Title":"media: chips-media: wave5: Fix device cleanup order to prevent k","CVE":"CVE-2026-43229","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"43229","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: chips-media: wave5: Fix device cleanup order to prevent kernel panic\n\nMove video device unregistration to the beginning of the remove function\nto ensure all video operations are stopped before cleaning up the worker\nthread and disabling PM runtime. This prevents hardware register access\nafter the device has been powered down.\n\nIn polling mode, the hrtimer periodically triggers\nwave5_vpu_timer_callback() which queues work to the kthread worker.\nThe worker executes wave5_vpu_irq_work_fn() which reads hardware\nregisters via wave5_vdi_read_register().\n\nThe original cleanup order disabled PM runtime and powered down hardware\nbefore unregistering video devices. When autosuspend triggers and powers\noff the hardware, the video devices are still registered and the worker\nthread can still be triggered by the hrtimer, causing it to attempt\nreading registers from powered-off hardware. This results in a bus error\n(synchronous external abort) and kernel panic.\n\nThis causes random kernel panics during encoding operations:\n\n  Internal error: synchronous external abort: 0000000096000010\n    [#1] PREEMPT SMP\n  Modules linked in: wave5 rpmsg_ctrl rpmsg_char ...\n  CPU: 0 UID: 0 PID: 1520 Comm: vpu_irq_thread\n    Tainted: G   M    W\n  pc : wave5_vdi_read_register+0x10/0x38 [wave5]\n  lr : wave5_vpu_irq_work_fn+0x28/0x60 [wave5]\n  Call trace:\n   wave5_vdi_read_register+0x10/0x38 [wave5]\n   kthread_worker_fn+0xd8/0x238\n   kthread+0x104/0x120\n   ret_from_fork+0x10/0x20\n  Code: aa1e03e9 d503201f f9416800 8b214000 (b9400000)\n  ---[ end trace 0000000000000000 ]---\n  Kernel panic - not syncing: synchronous external abort:\n    Fatal exception","Type":"Description","Title":"media: chips-media: wave5: Fix device cleanup order to prevent k"}]}}}