Improper resource shutdown or release in Linux kernel - CVE-2026-43247

 

Published: May 7, 2026


Vulnerability identifier: #VU130465
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-43247
CWE-ID: CWE-404
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel

Detailed vulnerability description

The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to improper power state management in the wave5 video decoder driver when queuing video buffers through the V4L2 ioctl interface after an autosuspend timeout triggers suspend mode. A local user can send crafted ioctl requests to trigger a kernel panic and cause a denial of service.

The issue was observed as an asynchronous SError interrupt leading to a kernel panic during decoder buffer queue operations.


How to mitigate CVE-2026-43247

Install the security update from the vendor's repository.
