CVE-2026-43301 Overview
CVE-2026-43301 is an integer underflow vulnerability [CWE-191] in the Linux kernel's chips-media: wave5 video codec driver. The flaw resides in the driver's power management (PM) runtime handling. During module removal, the driver calls pm_runtime_put_sync() unconditionally, which decrements the usage counter even when autosuspend has already suspended the device. This drops the reference count from 0 to -1, triggering a runtime PM usage count underflow.
The issue produces a kernel warning at kernel/kthread.c:1430 in kthread_destroy_worker() during module unload. Exploitation requires local access with low privileges and affects availability of the kernel subsystem.
Critical Impact
Local low-privileged users can trigger a kernel runtime PM reference count underflow during module unload, causing kernel warnings and potential denial of service on systems using the wave5 video codec driver.
Affected Products
- Linux Kernel versions containing the chips-media: wave5 driver prior to the fix commits
- Systems using the Chips&Media WAVE5 series video codec (vdec driver, e.g., on 30210000.video-codec hardware)
- Linux distributions shipping the unpatched media subsystem
Discovery Timeline
- 2026-05-08 - CVE-2026-43301 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43301
Vulnerability Analysis
The vulnerability is an integer underflow [CWE-191] in the Linux kernel wave5 media driver's removal path. The driver registers autosuspend behavior via pm_runtime_use_autosuspend() during probe. When the device idles, autosuspend transitions it to a suspended state and sets the runtime PM usage counter to 0.
During module removal, the driver invokes pm_runtime_put_sync() unconditionally. This call decrements the already-zero usage counter to -1, an invalid state for the runtime PM subsystem. The kernel detects the underflow and emits Runtime PM usage count underflow! along with a WARNING at kthread_destroy_worker+0x84/0x98.
The fix replaces pm_runtime_put_sync() with pm_runtime_dont_use_autosuspend() to correctly pair with the probe-time pm_runtime_use_autosuspend(). This allows pm_runtime_disable() to clean up reference counts regardless of the current suspend state.
Root Cause
The root cause is asymmetric pairing of PM runtime API calls between probe and remove paths. The probe path enables autosuspend, but the remove path uses pm_runtime_put_sync() instead of disabling autosuspend. When the device is already suspended at module unload, the put operation underflows the unsigned usage counter.
Attack Vector
An attacker with local low-privileged access on a system using the affected vdec video codec driver can trigger the condition by loading and unloading the kernel module while the device is in an autosuspended state. The result is a kernel warning, taint, and possible disruption of the video codec subsystem. Network exploitation is not possible.
No public proof-of-concept code is available. The vulnerability manifests through standard module lifecycle operations against the affected hardware path. See the upstream kernel commits referenced below for the patch details.
Detection Methods for CVE-2026-43301
Indicators of Compromise
- Kernel log entries containing Runtime PM usage count underflow! originating from the vdec driver (e.g., vdec 30210000.video-codec)
- WARNING traces in dmesg at kthread_destroy_worker+0x84/0x98 in kernel/kthread.c:1430
- Kernel taint flag set following unload of the wave5 media driver module
Detection Strategies
- Monitor dmesg and /var/log/kern.log for runtime PM underflow warnings tied to the wave5 codec driver
- Audit installed kernel versions against the patched commits 0bffda02317989f8d5cdc2d4462a4110b1290cf0, 3a278a55ead50db2444c8f01410c7f5a68723990, and 9cf4452e824c1e2d41c9c0b13cc8a32a0a7dec38
- Track module load and unload events for wave5 and vdec on systems exposing video codec hardware to non-root users
Monitoring Recommendations
- Forward kernel ring buffer warnings to a centralized log aggregator and alert on the underflow signature
- Inventory embedded and SoC systems shipping Chips&Media WAVE5 codec hardware to scope exposure
- Validate kernel build versions on production hosts after distribution updates to confirm the fix is present
How to Mitigate CVE-2026-43301
Immediate Actions Required
- Apply the upstream Linux kernel patches from the referenced stable tree commits to all systems running the wave5 driver
- Restrict the ability of unprivileged users to load and unload kernel modules using modules_disabled or capability controls
- Reboot affected systems after patching to ensure the fixed driver replaces the in-memory module
Patch Information
The fix is committed upstream and backported via the Linux stable tree. Reference the following patches: Kernel Git Commit 0bffda02, Kernel Git Commit 3a278a55, and Kernel Git Commit 9cf4452e. The patch replaces pm_runtime_put_sync() with pm_runtime_dont_use_autosuspend() in the driver's remove path.
Workarounds
- Avoid unloading the wave5 module on production systems until the patched kernel is deployed
- Blacklist the wave5 driver on hosts that do not require video codec acceleration to eliminate the attack surface
- Limit access to module management commands such as rmmod and modprobe -r through sudoers policy
# Prevent runtime module unloading until patched kernel is deployed
sysctl -w kernel.modules_disabled=1
# Optional: blacklist the wave5 driver where codec hardware is not needed
echo "blacklist wave5" | sudo tee /etc/modprobe.d/blacklist-wave5.conf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
