CVE-2026-43217 Overview
CVE-2026-43217 is a Linux kernel vulnerability in the iris gen2 media driver. The flaw resides in the session stop path of the Qualcomm Iris video codec driver. When iris_kill_session runs, it sets inst->state to IRIS_INST_ERROR and calls session_close, which frees inst_hfi_gen2->packet via kfree. A subsequent stop_streaming call then dereferences the freed pointer when sending a STOP packet to firmware, causing a kernel crash. The upstream fix introduces a NULL check on inst_hfi_gen2->packet before issuing the STOP packet to firmware.
Critical Impact
Local users with access to the iris media device can trigger a kernel crash through a use-after-free condition in the session stop sequence, resulting in denial of service.
Affected Products
- Linux kernel versions containing the iris gen2 media driver (drivers/media/platform/qcom/iris)
- Distributions shipping affected kernel revisions prior to the upstream fix
- Qualcomm SoC platforms exposing the Iris video codec hardware
Discovery Timeline
- 2026-05-06 - CVE-2026-43217 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43217
Vulnerability Analysis
The vulnerability is a use-after-free condition in the Qualcomm Iris gen2 video codec driver inside the Linux kernel media subsystem. The driver manages firmware sessions for hardware-accelerated video decode and encode operations. Each session maintains a host-firmware interface (HFI) packet buffer referenced by inst_hfi_gen2->packet and used to construct command messages dispatched to firmware.
When the kernel invokes iris_kill_session, the driver transitions the instance state to IRIS_INST_ERROR and calls session_close. That cleanup path releases the HFI packet buffer with kfree, but the streaming teardown path never checks whether the buffer still exists. If the V4L2 layer subsequently calls stop_streaming on the same instance, the driver builds and sends a STOP command through inst_hfi_gen2->packet, touching memory that has already been released. One caveat follows from the shape of the fix: a NULL check on inst_hfi_gen2->packet can only prevent the dereference if session_close clears the pointer after the kfree, so on an affected kernel the most likely observable symptom is a NULL-pointer dereference oops in the stop path. If the pointer were left dangling instead, the check would not catch it and the access would land in freed or reused slab memory.
Root Cause
The root cause is a missing ownership check between the error-path teardown in iris_kill_session and the streaming teardown in stop_streaming. The driver assumes inst_hfi_gen2->packet stays valid for as long as streaming is active, but the error-handling routine can close the session, and release the buffer, before streaming is stopped, without recording that fact anywhere the stop path consults. The defect is a lifetime mismatch: the packet allocation is owned by the session, while the stop path treats it as if it were owned by the stream.
Attack Vector
A local attacker with permission to open the affected V4L2 device node can trigger the error path that invokes iris_kill_session and then issue a stop_streaming operation (VIDIOC_STREAMOFF) on the same instance. The ordering, session kill followed by stream stop, dereferences a pointer to released memory in kernel context. The most reliable outcome is a kernel oops or panic, producing denial of service. Exploitation for memory corruption would depend on heap layout and slab reuse, which are not demonstrated in the available references.
The upstream fix adds a NULL check on inst_hfi_gen2->packet before sending the STOP packet to firmware. See the kernel commits 72846441, 75992ba4, and 9aa8d63d for the verified patch content.
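The teardown ordering from the Vulnerability Analysis and Root Cause sections above, as an added example that is not the driver's code and not part of the original page: a userspace C model of the session lifecycle in which session_close releases the packet buffer, iris_kill_session calls it from the error path, and the stop path is shown both without and with the NULL check the fix adds. The structures, opcodes and the "firmware queue" field are stand-ins; only the state and function names follow the advisory. The model clears the pointer after freeing it, which is the precondition (inferred from the fix, not stated on the page) for the NULL check to be effective.

```c
#include <errno.h>
#include <stdlib.h>

/* Userspace model of the iris gen2 session lifecycle (hypothetical, not the
 * driver's code). State names follow the advisory; the packet layout, the
 * opcodes and the "firmware queue" field are stand-ins. */
enum iris_inst_state { IRIS_INST_INIT, IRIS_INST_STREAMING, IRIS_INST_ERROR };

#define HFI_CMD_STOP  0x01u /* constructed opcodes, not the real HFI values */
#define HFI_CMD_CLOSE 0x02u

struct hfi_packet {
	unsigned int cmd;
	unsigned char payload[64];
};

struct iris_inst_hfi_gen2 {
	enum iris_inst_state state;
	struct hfi_packet *packet;   /* command buffer owned by the session */
	unsigned int last_cmd_to_fw; /* stands in for the HFI command queue */
};

static int session_open(struct iris_inst_hfi_gen2 *inst)
{
	inst->packet = calloc(1, sizeof *inst->packet);
	if (!inst->packet)
		return -ENOMEM;
	inst->state = IRIS_INST_STREAMING;
	inst->last_cmd_to_fw = 0;
	return 0;
}

/* Close path from the advisory: the packet buffer is released here. The
 * pointer is cleared after the free; that is the precondition for a NULL
 * check in the stop path to be effective at all. */
static void session_close(struct iris_inst_hfi_gen2 *inst)
{
	if (!inst->packet)
		return;
	inst->packet->cmd = HFI_CMD_CLOSE;
	inst->last_cmd_to_fw = inst->packet->cmd;
	free(inst->packet);
	inst->packet = NULL;
}

static void iris_kill_session(struct iris_inst_hfi_gen2 *inst)
{
	inst->state = IRIS_INST_ERROR;
	session_close(inst);
}

/* Pre-fix stop path: writes STOP into inst->packet without checking whether
 * the session was already closed. After iris_kill_session this touches the
 * released buffer. */
static int session_stop_unpatched(struct iris_inst_hfi_gen2 *inst)
{
	inst->packet->cmd = HFI_CMD_STOP; /* crash point on a closed session */
	inst->last_cmd_to_fw = inst->packet->cmd;
	return 0;
}

/* Post-fix stop path: a closed session has nothing to stop. */
static int session_stop_patched(struct iris_inst_hfi_gen2 *inst)
{
	if (!inst->packet)
		return 0;
	inst->packet->cmd = HFI_CMD_STOP;
	inst->last_cmd_to_fw = inst->packet->cmd;
	return 0;
}

/* Normal order: stop while live, then close. Returns the command the
 * unpatched stop path handed to the firmware (HFI_CMD_STOP). */
unsigned int scenario_stop_live_session(void)
{
	struct iris_inst_hfi_gen2 inst;
	unsigned int cmd;

	if (session_open(&inst))
		return 0;
	session_stop_unpatched(&inst); /* safe here: packet still allocated */
	cmd = inst.last_cmd_to_fw;
	session_close(&inst);
	return cmd;
}

/* The advisory's order: kill (which closes) first, then stop_streaming.
 * Returns 1 when the patched stop path skips the STOP and the instance is
 * left consistent; session_stop_unpatched here would dereference NULL. */
int scenario_kill_then_stop(void)
{
	struct iris_inst_hfi_gen2 inst;

	if (session_open(&inst))
		return -1;
	iris_kill_session(&inst);
	if (session_stop_patched(&inst) != 0)
		return 0;
	return inst.packet == NULL && inst.state == IRIS_INST_ERROR &&
	       inst.last_cmd_to_fw == HFI_CMD_CLOSE;
}
```

The two scenario functions are the whole point: the unpatched stop path is fine in the normal stop-then-close order and only breaks when the error path has already closed the session. Run scenario_kill_then_stop with session_stop_unpatched swapped in (under a sanitizer or just natively) to see the crash the advisory describes.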
Detection Methods for CVE-2026-43217
Indicators of Compromise
- Kernel oops or panic traces referencing iris_hfi_gen2, session_close, or stop_streaming in the call stack
- KASAN reports flagging use-after-free on allocations from the iris driver packet slab
- Repeated unexpected restarts of processes using /dev/video* nodes backed by the Qualcomm Iris driver
Detection Strategies
- Monitor dmesg and journald logs for BUG: KASAN: use-after-free, Unable to handle kernel NULL pointer dereference, or general protection fault entries whose call trace originates in the iris media driver
- Audit running kernel versions across Qualcomm-based Linux fleets and compare against the patched stable releases referenced in the kernel.org commits
- Track unexpected v4l2 device crashes or driver resets correlated with non-root processes opening media devices
Monitoring Recommendations
- Centralize kernel logs and alert on stack traces containing iris_kill_session, session_close, or stop_streaming symbols
- Track /dev/video* access patterns and process crashes on devices using the Qualcomm Iris codec
- Build test and CI kernels with CONFIG_KASAN to surface latent use-after-free conditions before deployment; KASAN is debugging instrumentation, not a production hardening option, and the production fix is the patched kernel
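The log-scanning strategy from the Detection Strategies and Monitoring Recommendations lists above, as an added example that is not part of the original page: a small C scanner that treats a crash marker followed within a few lines by one of the iris symbols named above as one hit, so an unrelated oops elsewhere in the kernel does not fire. The sample log is constructed, and the function names that appear in it after the marker (such as iris_hfi_gen2_session_stop) are illustrative, not symbols taken from the driver.

```c
#include <string.h>

/* Added detection example, not from the page. Scans kernel log lines for the
 * indicators listed above: a crash marker followed within a short window by
 * an iris driver symbol. The sample log below is constructed. */

static const char *const IRIS_SYMBOLS[] = {
	"iris_kill_session", "session_close", "stop_streaming", "iris_hfi_gen2", NULL
};

static const char *const CRASH_MARKERS[] = {
	"BUG: KASAN: use-after-free",
	"BUG: KASAN: null-ptr-deref",
	"Unable to handle kernel NULL pointer dereference",
	"general protection fault",
	"Internal error: Oops",
	"Kernel panic",
	NULL
};

static int matches_any(const char *line, const char *const *patterns)
{
	for (; *patterns; patterns++)
		if (strstr(line, *patterns))
			return 1;
	return 0;
}

/* Returns the number of crash reports whose trace names an iris symbol within
 * `window` lines of the crash marker. Each report counts once; a marker with
 * no iris symbol in its window (an unrelated oops) is ignored. */
int scan_kernel_log(const char *const *lines, int count, int window)
{
	int hits = 0, open_until = -1;

	for (int i = 0; i < count; i++) {
		if (matches_any(lines[i], CRASH_MARKERS)) {
			open_until = i + window;
			continue;
		}
		if (i <= open_until && matches_any(lines[i], IRIS_SYMBOLS)) {
			hits++;
			open_until = -1; /* count this report once */
		}
	}
	return hits;
}

/* Constructed sample: one KASAN report in the iris stop path, followed by an
 * unrelated oops in a filesystem. Function names after the marker are
 * illustrative, not real driver symbols. */
static const char *const SAMPLE_LOG[] = {
	"[  120.0010] BUG: KASAN: use-after-free in iris_hfi_gen2_session_stop+0x44/0x120",
	"[  120.0012] Write of size 4 at addr ffff0000c1234560 by task gst-launch-1.0/1337",
	"[  120.0014] Call trace:",
	"[  120.0016]  iris_hfi_gen2_session_stop+0x44/0x120",
	"[  120.0018]  stop_streaming+0x38/0x80",
	"[  120.0020]  vb2_stop_streaming+0x40/0xa0",
	"[  120.0022] Allocated by task 1337:",
	"[  120.0024] Freed by task 1337:",
	"[  120.0026]  session_close+0x5c/0x90",
	"[  120.0028]  iris_kill_session+0x24/0x40",
	"[  300.0000] Internal error: Oops: 96000004 [#2] PREEMPT SMP",
	"[  300.0002] Call trace:",
	"[  300.0004]  ext4_da_write_begin+0x1c0/0x4a0",
	"[  300.0006]  generic_perform_write+0xb8/0x1e0",
};
#define SAMPLE_LOG_COUNT ((int)(sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]))

/* Run the scanner over the constructed sample with a 10-line window. */
int sample_log_hits(void)
{
	return scan_kernel_log(SAMPLE_LOG, SAMPLE_LOG_COUNT, 10);
}
```

Feed it real lines from `dmesg` or `journalctl -k` and tune the window to the length of the traces your platform emits; the reset after the first match keeps a single report with several iris frames from inflating the count, and a marker with no iris symbol nearby (the ext4 oops in the sample) is deliberately not counted.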
How to Mitigate CVE-2026-43217
Immediate Actions Required
- Update affected systems to a Linux kernel build that includes commits 72846441, 75992ba4, and 9aa8d63d
- Inventory Qualcomm SoC devices running Linux and confirm whether the iris gen2 driver is loaded
- Restrict access to V4L2 media device nodes to trusted users and services through standard Unix permissions and udev rules
Patch Information
The upstream fix adds a NULL check for inst_hfi_gen2->packet before sending the STOP packet to firmware in the iris gen2 driver. The patch is available in the mainline and stable trees through the Linux kernel commits referenced above. Distribution kernels should pick up the fix in their next stable kernel rebase. Verify the running kernel version with uname -r and confirm from the distribution changelog or package metadata that the build includes the corresponding stable release; the version string alone does not prove a backport was applied.
Workarounds
- Unload or blacklist the iris kernel module (qcom-iris, selected by CONFIG_VIDEO_QCOM_IRIS) on systems where hardware video acceleration is not required; if the driver is built in rather than modular, only a kernel rebuild removes it
- Limit access to /dev/video* device nodes by tightening group membership and udev rules
- Until the patch is deployed, treat an instance on which the driver has reported an error as unusable in custom userspace media pipelines rather than attempting to stop or restart streaming on it; this is a partial measure, since teardown on file close can also run the stop path
# Configuration example: verify kernel version and restrict device access
uname -r
# Confirm whether the iris driver is loaded; no lsmod output can also mean it is built in
lsmod | grep -i iris
ls /sys/bus/platform/drivers | grep -i iris
# Restrict /dev/video* access to the video group only (immediate, but lost on reboot or re-enumeration)
sudo chgrp video /dev/video*
sudo chmod 660 /dev/video*
# Make the restriction persistent with a udev rule, then apply it to existing nodes
echo 'KERNEL=="video[0-9]*", SUBSYSTEM=="video4linux", GROUP="video", MODE="0660"' | sudo tee /etc/udev/rules.d/70-iris-video.rules
sudo udevadm control --reload-rules && sudo udevadm trigger --subsystem-match=video4linux
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


