CVE-2026-43256 PUBLISHED

media: qcom: camss: vfe: Fix out-of-bounds access in vfe_isr_reg_update()

Assigner: Linux
Reserved: 01.05.2026 Published: 06.05.2026 Updated: 06.05.2026

In the Linux kernel, the following vulnerability has been resolved:

media: qcom: camss: vfe: Fix out-of-bounds access in vfe_isr_reg_update()

vfe_isr() iterates using MSM_VFE_IMAGE_MASTERS_NUM(7) as the loop bound and passes the index to vfe_isr_reg_update(). However, vfe->line[] array is defined with VFE_LINE_NUM_MAX(4):

<pre>struct vfe_line line[VFE_LINE_NUM_MAX]; </pre>

When index is 4, 5, 6, the access to vfe->line[line_id] exceeds the array bounds and resulting in out-of-bounds memory access.

Fix this by using separate loops for output lines and write masters.

Product Status

Vendor Linux
Product Linux
Versions Default: unaffected
  • affected from 4edc8eae715cecf5f8bf12a0c77c281f336c37db to e6cbf765686fb6c1d8f2530b3daf6c66efc92f5d (excl.)
  • affected from 4edc8eae715cecf5f8bf12a0c77c281f336c37db to 0c074e80921fd18984b75836730d76c768c84f65 (excl.)
  • affected from 4edc8eae715cecf5f8bf12a0c77c281f336c37db to 1b103307df6d461a0731be25aca69ad0335b0933 (excl.)
  • affected from 4edc8eae715cecf5f8bf12a0c77c281f336c37db to fade67c88870f497a13ed450ba01f7236c92dd9b (excl.)
  • affected from 4edc8eae715cecf5f8bf12a0c77c281f336c37db to e7a38ecda2498e7ce998793ac2a46ca47317635d (excl.)
  • affected from 4edc8eae715cecf5f8bf12a0c77c281f336c37db to d965919af524e68cb2ab1a685872050ad2ee933d (excl.)
Vendor Linux
Product Linux
Versions Default: affected
  • Version 5.18 is affected
  • unaffected from 0 to 5.18 (excl.)
  • unaffected from 6.1.167 to 6.1.* (incl.)
  • unaffected from 6.6.128 to 6.6.* (incl.)
  • unaffected from 6.12.75 to 6.12.* (incl.)
  • unaffected from 6.18.16 to 6.18.* (incl.)
  • unaffected from 6.19.6 to 6.19.* (incl.)
  • unaffected from 7.0 to * (incl.)

References