CVE-2026-43146 Overview
CVE-2026-43146 is a Linux kernel vulnerability in the iris media driver. The flaw resides in the internal buffer creation routine, where list_add_tail() was invoked before dma_alloc_attrs() completed successfully. When the Direct Memory Access (DMA) allocation failed, the function returned -ENOMEM while leaving a partially initialized buffer enqueued in buffers->list. This produced an inconsistent driver state and could lead to memory leaks or use of uninitialized buffer metadata by downstream consumers.
The issue has been resolved by reordering the operations so the buffer is added to the list only after a successful DMA allocation.
Critical Impact
A failed DMA allocation in the iris media driver leaves a partially initialized buffer in the active buffer list, creating inconsistent kernel state and potential resource leaks.
Affected Products
- Linux kernel — media: iris driver
- Stable kernel branches receiving the upstream fix commits 2d0bbd9, 45b30f6, and 98b4c4c
- Distributions packaging affected stable kernels prior to backport
Discovery Timeline
- 2026-05-06 - CVE-2026-43146 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43146
Vulnerability Analysis
The iris media driver allocates internal buffers used by the video pipeline. The original implementation called list_add_tail() to enqueue a newly created buffer object onto buffers->list before invoking dma_alloc_attrs() to back that buffer with a coherent DMA region.
When dma_alloc_attrs() failed under memory pressure, the function returned -ENOMEM. However, the partially initialized buffer remained linked in buffers->list. Subsequent code paths iterating that list would encounter a buffer with no backing DMA memory, producing inconsistent state and potential memory leaks of the buffer descriptor itself.
The fix moves list_add_tail() to execute only after dma_alloc_attrs() returns successfully. This guarantees the list contains only fully initialized entries. See the upstream fixes at Kernel Git Commit 2d0bbd9, Kernel Git Commit 45b30f6, and Kernel Git Commit 98b4c4c.
Root Cause
The root cause is improper ordering of resource registration relative to resource allocation. The driver published a buffer reference into a shared list before the resource it represented existed. On the failure path, no cleanup removed that reference, violating the invariant that buffers->list holds only valid buffers.
Attack Vector
This vulnerability is reachable only through the kernel internal control path that creates iris driver buffers. Triggering the failure requires inducing DMA allocation failure during buffer creation. The practical impact is reliability and resource consistency rather than direct remote exploitation. No public exploit exists, and the CVE is not listed in CISA KEV.
No verified exploit code is available. The vulnerability mechanism is described above based on the upstream commit message.
Detection Methods for CVE-2026-43146
Indicators of Compromise
- Kernel log entries reporting -ENOMEM returns from iris driver buffer creation paths
- Repeated DMA allocation failures correlated with growing iris driver memory usage
- Anomalous video pipeline initialization failures on systems using the Qualcomm iris video accelerator
Detection Strategies
- Audit kernel versions across the Linux fleet to identify hosts running unpatched stable branches that include the iris driver
- Monitor dmesg and journald output for iris subsystem error returns paired with memory pressure events
- Track kernel slab and DMA pool metrics over time to surface unexpected growth associated with the media subsystem
Monitoring Recommendations
- Centralize kernel logs from Linux endpoints and apply parsers that flag media driver allocation failures
- Alert on repeated -ENOMEM returns from media subsystems on production workloads using hardware video acceleration
- Include kernel package versions in configuration management inventories so missing backports are visible
How to Mitigate CVE-2026-43146
Immediate Actions Required
- Identify all Linux systems running kernels that include the iris media driver and verify kernel build versions
- Apply the stable kernel update that contains commits 2d0bbd9, 45b30f6, or 98b4c4c from your distribution vendor
- Reboot systems after updating to ensure the patched kernel is active
Patch Information
The fix has been merged into the upstream Linux stable tree across multiple branches. Reference the commits at Kernel Git Commit 2d0bbd9, Kernel Git Commit 45b30f6, and Kernel Git Commit 98b4c4c. Apply the kernel update provided by your Linux distribution maintainer.
Workarounds
- Disable or unload the iris media driver on systems that do not require Qualcomm hardware video acceleration
- Reduce memory pressure on affected hosts to lower the probability of triggering the failure path until patches are deployed
- Restrict workloads that exercise the video pipeline to patched kernels only
# Verify running kernel version and check for the iris module
uname -r
lsmod | grep -i iris
# Update kernel using your distribution package manager, e.g. on Debian/Ubuntu
sudo apt update && sudo apt upgrade linux-image-$(uname -r | cut -d- -f3-)
sudo reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
