CVE-2026-43142 Overview
CVE-2026-43142 is a memory leak vulnerability in the Linux kernel's iris gen1 media driver. The driver failed to destroy internal buffers after the firmware released them, leaving stale allocations that persisted until session close. The issue is most pronounced across resolution changes, where new buffers are allocated to meet updated requirements while old buffers remain orphaned in memory. The Linux kernel maintainers have resolved the issue by destroying internal buffers once the release response is received from the firmware.
Critical Impact
Stale buffer allocations in the iris gen1 media driver waste kernel memory across video session lifetimes, particularly during resolution transitions.
Affected Products
- Linux kernel iris gen1 media driver
- Stable kernel branches referenced in upstream commits 1dabf00ee206, 7cde76db8883, and d4457f23ac01
- Distributions packaging affected kernel versions prior to backport
Discovery Timeline
- 2026-05-06 - CVE-2026-43142 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43142
Vulnerability Analysis
The vulnerability resides in the iris gen1 video codec driver under the Linux kernel media subsystem. The driver coordinates internal buffer allocations with firmware running on the hardware codec. When the firmware signals that it has released its internal buffers, the driver is expected to free the corresponding kernel-side allocations. The pre-patch driver did not perform this teardown, leaving allocations resident in memory after they were no longer referenced by either the firmware or the active session state.
During video sessions, resolution changes trigger reallocation of internal buffers sized to the new dimensions. Each transition compounds the leak because newly allocated buffers coexist with stale ones from prior resolutions. Memory is reclaimed only when the session closes, which can be a long-running operation in streaming or transcoding workloads.
The EPSS score for this issue is 0.017%, reflecting low likelihood of weaponized exploitation. The classification falls under Memory Leak in the broader category of resource management defects.
Root Cause
The root cause is missing buffer destruction logic in the firmware release response handler. The driver acknowledged the firmware release event but did not invoke the cleanup path that frees the associated kernel buffer descriptors and backing memory.
Attack Vector
The vulnerability is a local resource exhaustion issue rather than a remote code execution vector. A local user with access to the iris media device can trigger sustained memory consumption by initiating video sessions with frequent resolution changes. There is no published exploit, no CISA KEV listing, and no evidence of in-the-wild exploitation.
The vulnerability manifests in the firmware buffer release callback path. See the upstream kernel commits referenced in the Kernel Git Commit Details for the exact code paths modified.
Detection Methods for CVE-2026-43142
Indicators of Compromise
- Sustained growth of kernel slab allocations attributable to the iris driver across long-running media sessions
- Increased kmalloc consumption correlating with resolution change events in video pipelines
- Out-of-memory conditions on systems running iris gen1 media workloads without recent kernel updates
Detection Strategies
- Audit running kernel versions against the patched commits 1dabf00ee206, 7cde76db8883, and d4457f23ac01 to identify unpatched hosts
- Monitor /proc/slabinfo and /proc/meminfo for unexplained growth on systems exercising the iris media driver
- Use ftrace or perf to trace allocations in the iris buffer release path during resolution change events
Monitoring Recommendations
- Track kernel memory baselines on devices using Qualcomm iris-class video codecs and alert on deviations
- Correlate user-space media session activity with kernel memory pressure metrics
- Include kernel version inventory in vulnerability management reporting to surface unpatched hosts
How to Mitigate CVE-2026-43142
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced by commits 1dabf00ee206eceb0f08a1fe5d1ce635f9064338, 7cde76db8883ec8a3d1456068079ecadbfb15ca5, and d4457f23ac0130240053a34be663f0fade3bb371
- Update to a distribution kernel package that incorporates the fix once released by the vendor
- Inventory devices using the iris gen1 media driver and prioritize kernel updates on systems running long-lived video workloads
Patch Information
The fix destroys internal buffers in the firmware release response handler, ensuring kernel-side allocations are freed when the firmware signals release. Refer to the Kernel Git Commit Details for the patch implementation.
Workarounds
- Restart media sessions periodically to force buffer reclamation on unpatched kernels
- Limit workloads that perform frequent resolution changes on affected systems until the patch is deployed
- Restrict access to the iris media device to trusted local users to reduce the attack surface for resource exhaustion
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
