CVE-2026-43300 Overview
CVE-2026-43300 is a NULL pointer dereference vulnerability in the Linux kernel's Direct Rendering Manager (DRM) panel driver. The flaw resides in the jdi_panel_dsi_remove() function within the JDI MIPI DSI panel driver. The function explicitly checks whether the jdi pointer is NULL but fails to return early, allowing execution to proceed into jdi_panel_disable(), which unconditionally dereferences the same pointer. The defect is tracked under CWE-476: NULL Pointer Dereference and affects the linux_kernel package maintained by the upstream Linux project.
Critical Impact
A local user with sufficient privileges to trigger panel removal can cause a kernel NULL pointer dereference, resulting in a kernel oops and denial of service on the affected system.
Affected Products
- Linux Kernel (upstream, multiple versions prior to the patched commits)
- Distributions shipping the drm/panel JDI MIPI DSI driver
- Embedded and mobile Linux systems using JDI display panels over MIPI DSI
Discovery Timeline
- 2026-05-08 - CVE-2026-43300 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43300
Vulnerability Analysis
The vulnerability exists in the jdi_panel_dsi_remove() function in the Linux kernel drm/panel subsystem. The function performs a check on the jdi pointer with if (!jdi) and conditionally calls mipi_dsi_detach(dsi). However, the function does not return after this check. Execution continues into a call to jdi_panel_disable(&jdi->base), which dereferences jdi to obtain the base member.
Inside jdi_panel_disable(), the kernel invokes to_panel_jdi(panel) to recover the jdi_panel structure and then accesses jdi->backlight through backlight_disable(). Both operations dereference a pointer that the caller already identified as potentially NULL. Triggering the removal path with jdi == NULL produces a kernel oops.
Root Cause
The root cause is a missing early return after a NULL check. The author recognized that jdi could be NULL but used the conditional only to guard a single call site instead of aborting the entire teardown sequence. This is a classic [CWE-476] defect: control flow following a NULL guard treats the guarded pointer as valid.
Attack Vector
The attack vector is local. An attacker needs the ability to trigger the driver's remove path, which typically requires loaded kernel modules tied to the JDI panel device and privileges to influence device removal or module unloading. Successful exploitation crashes the kernel and causes a denial of service. Confidentiality and integrity are not directly impacted.
No public proof-of-concept exists, the issue is not listed in CISA KEV, and no in-the-wild exploitation has been reported. The fix is a defensive early return when jdi is NULL, preventing any further dereference in the cleanup path.
Detection Methods for CVE-2026-43300
Indicators of Compromise
- Kernel oops or panic logs referencing jdi_panel_disable, jdi_panel_dsi_remove, or backlight_disable in dmesg or /var/log/kern.log
- Unexpected system reboots or hangs on devices using JDI MIPI DSI panels following module unload or device removal events
- BUG: kernel NULL pointer dereference entries with call traces pointing to drm/panel subsystem symbols
Detection Strategies
- Audit running kernel versions across Linux fleet inventories and compare against the patched commits 2f5427d8, 83ce0085, 95eed73b, and ec2f37bb
- Monitor kernel crash dumps and kdump artifacts for stack traces involving jdi_panel_* symbols
- Track module load and unload events for panel-jdi-lt070me05000 or similar JDI panel drivers via auditd rules
Monitoring Recommendations
- Forward kernel logs to a centralized logging or SIEM platform and alert on NULL pointer dereference strings combined with DRM panel symbols
- Track unscheduled reboots on embedded Linux endpoints that ship JDI display hardware
- Correlate device removal events with subsequent kernel crash signatures to identify exploitation attempts
How to Mitigate CVE-2026-43300
Immediate Actions Required
- Apply the upstream Linux kernel patches referenced by commits 2f5427d8726b, 83ce0085fabf, 95eed73b8711, and ec2f37bbb733 from kernel.org stable tree
- Update to the distribution-provided kernel package that incorporates the fix for the drm/panel JDI driver
- Restrict the ability to load and unload kernel modules to privileged administrative accounts only
Patch Information
The Linux kernel maintainers resolved the issue by adding an early return in jdi_panel_dsi_remove() when jdi is NULL, preventing the subsequent jdi_panel_disable() call from dereferencing a NULL pointer. Backports are available across multiple stable branches via the Kernel Git Commit 2f5427d, Kernel Git Commit 83ce0085, Kernel Git Commit 95eed73b, and Kernel Git Commit ec2f37bb.
Workarounds
- Disable or blacklist the JDI MIPI DSI panel driver on systems that do not require it via /etc/modprobe.d/ configuration
- Limit local user access and enforce least privilege to reduce the population of accounts capable of triggering driver remove paths
- Enable kernel lockdown mode where supported to restrict module manipulation by privileged but untrusted processes
# Blacklist the JDI panel driver if unused on the system
echo "blacklist panel_jdi_lt070me05000" | sudo tee /etc/modprobe.d/blacklist-jdi-panel.conf
sudo update-initramfs -u
# Verify running kernel version against patched commits
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
