CVE-2026-43297 Overview
CVE-2026-43297 is a null pointer dereference vulnerability in the Linux kernel's Rockchip Raster Graphic Acceleration (RGA) media driver. The flaw resides in the rga_buf_init() function, which fails to validate the return value of rga_get_frame(). When rga_get_frame() returns ERR_PTR(-EINVAL) due to an unsupported or invalid buffer type, the kernel unconditionally dereferences the invalid pointer when accessing f->size. A local attacker with low privileges can trigger this condition to cause a kernel crash and denial of service. The issue is classified under [CWE-476] Null Pointer Dereference.
Critical Impact
Local attackers can crash the Linux kernel by submitting invalid buffer types to the Rockchip RGA driver, resulting in a system-wide denial of service.
Affected Products
- Linux Kernel (multiple stable branches prior to fix commits)
- Systems using the rockchip-rga media driver on Rockchip SoCs
- Linux distributions shipping vulnerable kernel versions
Discovery Timeline
- 2026-05-08 - CVE-2026-43297 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43297
Vulnerability Analysis
The vulnerability exists in the Rockchip RGA video driver located under drivers/media/platform/rockchip/rga/. The rga_buf_init() callback is invoked during videobuf2 buffer initialization for RGA capture or output queues. Inside this callback, the driver calls rga_get_frame() to retrieve the frame configuration associated with the buffer type.
The helper function rga_get_frame() can return ERR_PTR(-EINVAL) when the supplied buffer type does not match a supported queue type. The original implementation of rga_buf_init() does not validate this return value with IS_ERR() before dereferencing the returned struct rga_frame pointer to read f->size. Dereferencing an ERR_PTR encoded value triggers an invalid memory access in kernel context.
The fix introduces proper IS_ERR() checking and propagates the error code back to the caller, preventing the unsafe dereference. The corrective patches were committed to the stable kernel tree under hashes 1af2853b, 5da29ade, 81f8e0e6, and aa22221c.
Root Cause
The root cause is missing return value validation. Kernel APIs that may return ERR_PTR() encoded values require explicit IS_ERR() checks before pointer dereference. The omission of this check in rga_buf_init() violates kernel coding conventions for error-pointer handling.
Attack Vector
Exploitation requires local access with permission to open the RGA device node, typically /dev/video*. An attacker submits a V4L2 buffer with an unsupported or malformed buffer type through standard ioctl interfaces. When the kernel invokes rga_buf_init(), the invalid pointer dereference causes a kernel oops and renders the system unusable until reboot.
The vulnerability affects availability only. It does not provide confidentiality or integrity impact, and there is no indication that exploitation enables privilege escalation or arbitrary code execution.
Detection Methods for CVE-2026-43297
Indicators of Compromise
- Kernel oops or panic messages referencing rga_buf_init or rga_get_frame in dmesg or /var/log/kern.log
- Unexpected crashes of processes accessing /dev/video* device nodes on Rockchip-based hardware
- Repeated V4L2 ioctl failures preceding kernel instability
Detection Strategies
- Inventory running kernel versions across Linux fleet and compare against the patched commits 1af2853b, 5da29ade, 81f8e0e6, and aa22221c
- Monitor kernel ring buffer for BUG: or Unable to handle kernel paging request entries originating from the rockchip RGA module
- Audit which user accounts or containers have read/write access to /dev/video* device files on affected hardware
Monitoring Recommendations
- Forward kernel logs to a centralized SIEM and alert on kernel oops events referencing media drivers
- Track unexpected V4L2 device crashes and correlate with user activity to identify potential abuse
- Enable kernel crash dump collection (kdump) on Rockchip-based systems to support post-incident analysis
How to Mitigate CVE-2026-43297
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced by commits 1af2853b, 5da29ade, 81f8e0e6, and aa22221c from git.kernel.org
- Update to a stable kernel release that includes the fix for the Rockchip RGA driver
- Restrict access to /dev/video* device nodes on Rockchip platforms to trusted users only
Patch Information
The Linux kernel maintainers committed the fix to multiple stable branches. The patch adds an IS_ERR() check on the result of rga_get_frame() and returns the encoded error code instead of dereferencing the invalid pointer. Reference the following commits: Kernel Commit 1af2853, Kernel Commit 5da29ad, Kernel Commit 81f8e0e, and Kernel Commit aa22221.
Workarounds
- Unload the rockchip-rga kernel module on systems where hardware acceleration is not required using modprobe -r rockchip-rga
- Tighten permissions on /dev/video* so only privileged service accounts can issue V4L2 ioctls
- Use udev rules or container security policies to block unprivileged workloads from accessing the RGA device
# Blacklist the rockchip-rga module if RGA acceleration is unused
echo "blacklist rockchip-rga" | sudo tee /etc/modprobe.d/blacklist-rockchip-rga.conf
sudo update-initramfs -u
# Restrict /dev/video device access to the video group only
sudo chown root:video /dev/video*
sudo chmod 660 /dev/video*
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
