CVE-2026-43247 Overview
CVE-2026-43247 is a Linux kernel vulnerability in the chips-media: wave5 video decoder driver. The flaw triggers an asynchronous SError interrupt that results in a kernel panic when the device closes. The root cause is the driver entering suspend mode after the autosuspend delay timeout, while userspace operations against the decoder are still in flight. The panic was observed in wave5_dec_clr_disp_flag during fluster conformance testing on a Texas Instruments J721S2 EVM running kernel 6.12.9. The issue affects systems using the Chips&Media WAVE5 VPU driver for hardware-accelerated video decoding.
Critical Impact
Local userspace activity against the wave5 V4L2 decoder can trigger an Asynchronous SError Interrupt and unrecoverable kernel panic, causing a denial-of-service condition on affected ARM64 systems.
Affected Products
- Linux kernel media/chips-media/wave5 driver
- ARM64 platforms using Chips&Media WAVE5 VPU (e.g., Texas Instruments J721S2)
- Kernel version 6.12.9 confirmed in the panic trace
Discovery Timeline
- 2026-05-06 - CVE-2026-43247 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43247
Vulnerability Analysis
The defect resides in the WAVE5 V4L2 decoder driver path used during buffer queue and display-flag clearing. When wave5_vpu_dec_buf_queue calls wave5_vpu_dec_clr_disp_flag, the driver reaches wave5_dec_clr_disp_flag and accesses VPU memory-mapped I/O registers. If the runtime power management subsystem has placed the device in suspend after the autosuspend timeout, the underlying clocks and power domains are gated. Accessing the VPU registers in this state on ARM64 generates an Asynchronous SError Interrupt, which the kernel cannot recover from and escalates to a panic via arm64_serror_panic.
The call chain captured in the panic trace flows from __arm64_sys_ioctl through v4l2_ioctl, vb2_qbuf, __enqueue_in_driver, and into the wave5 driver, demonstrating that ordinary V4L2 ioctl traffic from an unprivileged decoder client is sufficient to trigger the fault.
Root Cause
The driver fails to ensure the device is runtime-resumed before issuing register accesses in the display-flag clear path. Autosuspend timing creates a race between userspace queueing buffers and the kernel suspending the VPU, leading to register access on a powered-down device.
Attack Vector
A local user with permission to open the V4L2 decoder node can issue buffer queue ioctls that race with autosuspend. No authentication beyond access to /dev/video* is required. The result is a denial of service through kernel panic. See the upstream fixes referenced in the Linux kernel stable tree commit 27cb12b, commit 5da5524, and commit cbb9c0d for the corrected suspend handling.
Detection Methods for CVE-2026-43247
Indicators of Compromise
- Kernel log entries containing SError Interrupt on CPU followed by Asynchronous SError Interrupt panic messages.
- Stack traces referencing wave5_dec_clr_disp_flag, wave5_vpu_dec_clr_disp_flag, or wave5_vpu_dec_buf_queue immediately before the panic.
- Unexpected reboots correlated with active V4L2 decoder workloads (e.g., v4l2h265dec0 worker threads).
Detection Strategies
- Monitor /var/log/kern.log and dmesg output for SError and Kernel panic - not syncing messages tied to the wave5 module.
- Audit running kernel versions and confirm whether the wave5 module is loaded on ARM64 media platforms.
- Track crash dumps from kdump or persistent storage and inspect call traces for the wave5 symbols.
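The correlation described in the indicators and detection strategies above, as an added example (not code from this advisory or from the kernel project): a shell function that reads kernel log text and reports each Asynchronous SError panic, marking those whose trace names one of the wave5 symbols listed above. The sample log lines, the 60-line window, and the `example_other_driver_read` symbol are constructed assumptions.

```shell
#!/bin/sh
# Added example: classify Asynchronous SError panics in kernel log text by
# whether the surrounding trace names a wave5 symbol from the advisory.
# Usage: dmesg | wave5_serror_scan    or    wave5_serror_scan < /var/log/kern.log

WINDOW=60   # assumption: how many lines after the SError line belong to one event

wave5_serror_scan() {
    awk -v window="$WINDOW" '
    # Report the tracked event, but only if it actually ended in a panic.
    function emit() {
        if (active && panic) {
            if (sym != "") {
                printf "WAVE5 line=%d symbol=%s\n", start, sym
            } else {
                printf "OTHER line=%d\n", start
            }
        }
        active = 0; panic = 0; sym = ""
    }
    # A new SError report closes any previous event and opens a new one.
    /SError Interrupt on CPU/ { emit(); active = 1; start = NR; next }
    # Lines beyond the window are treated as unrelated to the tracked event.
    active && NR - start > window { emit() }
    active && /Kernel panic - not syncing.*Asynchronous SError Interrupt/ { panic = 1 }
    # Remember the first wave5 symbol seen in the register dump or call trace.
    active && sym == "" && match($0, /wave5_(vpu_)?dec_clr_disp_flag|wave5_vpu_dec_buf_queue/) {
        sym = substr($0, RSTART, RLENGTH)
    }
    END { emit() }
    '
}

# Constructed sample input (not a real capture): one wave5 panic, one unrelated.
sample_log() {
    cat <<'EOF'
[  155.1] SError Interrupt on CPU0, code 0x00000000 -- SError
[  155.2] pc : wave5_dec_clr_disp_flag+0x0/0x0 [wave5]
[  155.3] Kernel panic - not syncing: Asynchronous SError Interrupt
[  155.4]  arm64_serror_panic+0x0/0x0
[  155.5]  wave5_vpu_dec_buf_queue+0x0/0x0 [wave5]
[   12.1] SError Interrupt on CPU1, code 0x00000000 -- SError
[   12.2] pc : example_other_driver_read+0x0/0x0
[   12.3] Kernel panic - not syncing: Asynchronous SError Interrupt
EOF
}

sample_log | wave5_serror_scan
```

Lines tagged `WAVE5` are candidates for this CVE; `OTHER` lines are SError panics whose trace does not name the driver and need separate triage.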
Monitoring Recommendations
- Forward kernel ring buffer events to a centralized logging or SIEM platform for alerting on SError patterns.
- Set telemetry thresholds for unexpected reboots on embedded ARM64 hosts running video decode pipelines.
- Correlate decoder process crashes with kernel panic events to identify reproducible triggers.
How to Mitigate CVE-2026-43247
Immediate Actions Required
- Apply the upstream Linux kernel patches that resolve the wave5 suspend race; see the kernel stable commits listed in the references.
- Identify ARM64 systems running the wave5 driver and prioritize them for kernel updates.
- Restrict access to /dev/video* decoder nodes to trusted users until patches are deployed.
Patch Information
The fix is committed to the Linux kernel stable tree across three commits: 27cb12b7dc88, 5da55243fe19, and cbb9c0d50e47. Rebuild and deploy a kernel that includes these commits, then reboot affected systems to load the patched module.
Workarounds
- Disable runtime autosuspend on the wave5 device by writing to its power/control sysfs entry to keep the VPU resumed while a fix is staged.
- Unload the wave5 module on systems that do not require hardware video decoding.
- Limit concurrent V4L2 decoder sessions to reduce the likelihood of the suspend race triggering.
# Configuration example: prevent autosuspend on the wave5 VPU device
# Replace <platform-path> with the actual device path under /sys/devices
echo on | sudo tee /sys/devices/<platform-path>/wave5/power/control
# Verify the wave5 module is loaded and inspect kernel log for SError events
lsmod | grep wave5
dmesg | grep -E 'SError|wave5|Kernel panic'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


