CVE-2026-46222 Overview
CVE-2026-46222 is a null pointer dereference vulnerability in the Linux kernel's Rockchip Camera Interface (rkcif) media driver. The flaw resides in the rkcif_interface_enable_streams function, where pads are not validated for connected devices before stream enablement. When a user invokes the VIDIOC_STREAMON ioctl on a media pipeline missing a connected source device, the kernel dereferences a null pointer at virtual address 0x0000000000000020. The upstream fix adds the MUST_CONNECT flag to pads, enforcing connection checks during pipeline validation.
Critical Impact
Local users with access to the V4L2 device node can trigger a kernel null pointer dereference, resulting in denial of service on affected Rockchip-based Linux systems.
Affected Products
- Linux kernel versions containing the Rockchip rkcif media driver prior to the upstream fix
- Rockchip SoC platforms using the Camera Interface (rkcif) subsystem
- Distributions shipping unpatched stable kernel trees
Discovery Timeline
- 2026-05-28 - CVE-2026-46222 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-46222
Vulnerability Analysis
The vulnerability exists in the Rockchip Camera Interface (rkcif) driver under drivers/media/platform/rockchip/. The media subsystem uses pads to define connection points between subdevices in a capture pipeline. When the driver registers its pads, it omits the MEDIA_PAD_FL_MUST_CONNECT flag, which instructs the V4L2 media framework to validate that every required pad has an active link before enabling streaming.
Without this flag, the pipeline validation logic permits stream activation even when no upstream sensor or subdevice is connected. The rkcif_interface_enable_streams function then attempts to access a subdevice structure through a null pointer, faulting at offset 0x20 within the expected structure.
The call trace originates from userspace through v4l2_ioctl → video_ioctl2 → vb2_ioctl_streamon → vb2_core_streamon → vb2_start_streaming → rkcif_stream_start_streaming, reaching the vulnerable function via v4l2_subdev_enable_streams.
Root Cause
The root cause is missing validation of media pad connectivity, which leads to a null pointer dereference. The driver assumes a connected subdevice will exist at stream-on time without enforcing the framework-level check that prevents this scenario. The upstream patch adds the MUST_CONNECT flag to the affected pads, causing the media framework to reject VIDIOC_STREAMON calls when no subdevice is linked.
Attack Vector
A local attacker with read or write access to the /dev/video* node corresponding to the rkcif interface can trigger the fault. The attacker opens the device, configures the pipeline without connecting a source subdevice, and issues the VIDIOC_STREAMON ioctl. The kernel then dereferences a null pointer, producing an oops and terminating the offending task. Repeated triggering can destabilize the system.
No exploitation code is published. Refer to the upstream commits for technical details: Kernel Git Commit 31814264 and Kernel Git Commit 8e3c7512.
Detection Methods for CVE-2026-46222
Indicators of Compromise
- Kernel oops messages referencing "Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020"
- Call traces containing rkcif_interface_enable_streams followed by v4l2_subdev_enable_streams
- Unexpected process terminations after VIDIOC_STREAMON ioctl calls on /dev/video* nodes tied to rkcif
Detection Strategies
- Parse dmesg and /var/log/kern.log for null pointer dereference traces matching the rkcif call stack
- Monitor audit logs for processes invoking ioctls on rkcif-backed video device nodes from unprivileged contexts
- Compare running kernel build identifiers against the patched stable kernel commits to confirm exposure
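The log-parsing strategy above, as an added example (not code from the advisory or the kernel project): it groups kernel log lines into oops reports and flags those that match both indicators, a fault at address 0x20 and rkcif_interface_enable_streams called from v4l2_subdev_enable_streams. The sample log is constructed, and the regexes assume the usual `[timestamp]` line prefix and `symbol+0xoffset/0xsize` frame format.

```python
import re
LINE_RE = re.compile(r"\[\s*\d+\.\d+\]\s?(.*)$")  # "[ secs.usecs] message"
FAULT_RE = re.compile(r"NULL pointer dereference at virtual address ([0-9a-f]+)")
FRAME_RE = re.compile(r"\s*([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
COMM_RE = re.compile(r"\bComm: (\S+)")
SIGNATURE = ("rkcif_interface_enable_streams", "v4l2_subdev_enable_streams")

def parse_oopses(lines):
    """Group kernel log lines into one record per NULL-dereference report."""
    reports, cur, in_trace = [], None, False
    for raw in lines:
        m = LINE_RE.search(raw)
        if not m:
            continue
        msg = m.group(1)
        if (fault := FAULT_RE.search(msg)):  # new report, even if the last was cut off
            cur = {"addr": int(fault.group(1), 16), "comm": None, "frames": []}
            reports.append(cur)
            in_trace = False
        elif cur is None:
            continue  # line outside any oops report
        elif "---[ end trace" in msg:
            cur = None
        elif msg.strip() == "Call trace:":
            in_trace = True
        elif in_trace and (frame := FRAME_RE.match(msg)):
            cur["frames"].append(frame.group(1))
        elif (comm := COMM_RE.search(msg)):
            cur["comm"] = comm.group(1)
    return reports

def detect(lines):
    """Reports faulting at 0x20 whose trace lists the rkcif frame, then its caller
    (the kernel prints the innermost frame first)."""
    inner, caller = SIGNATURE
    return [r for r in parse_oopses(lines)
            if r["addr"] == 0x20 and inner in r["frames"]
            and caller in r["frames"][r["frames"].index(inner) + 1:]]

# Constructed sample: timestamps, offsets, PIDs and process names are made up.
SAMPLE = """\
[  101.200001] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020
[  101.200090] CPU: 1 PID: 733 Comm: capture-test Not tainted
[  101.200130] Call trace:
[  101.200140]  rkcif_interface_enable_streams+0x58/0x1a0
[  101.200150]  v4l2_subdev_enable_streams+0x1c4/0x3a0
[  101.200190] ---[ end trace 0000000000000000 ]---
[  450.000001] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
[  450.000090] Call trace:
[  450.000100]  example_driver_probe+0x24/0x80""".splitlines()
```

`detect(SAMPLE)` returns only the first report, with `comm` set to the faulting process name for triage; the unrelated dereference at address 0x8 is parsed but not flagged.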
Monitoring Recommendations
- Forward kernel ring buffer events to a centralized log pipeline and alert on rkcif_interface_enable_streams strings
- Track access patterns to /dev/video* device nodes on Rockchip-based fleets and flag non-camera processes
- Inventory deployed kernel versions across embedded and IoT devices to identify unpatched rkcif drivers
How to Mitigate CVE-2026-46222
Immediate Actions Required
- Apply the upstream stable kernel patches referenced in commits 31814264 and 8e3c7512 and rebuild affected kernels
- Restrict permissions on /dev/video* nodes so only trusted users and processes in the video group can open them
- Audit Rockchip-based devices, including embedded boards and SBCs, for the rkcif driver in active use
Patch Information
The fix adds the MEDIA_PAD_FL_MUST_CONNECT flag to the affected pads in the rkcif driver. After patching, the V4L2 media framework refuses to enable streaming on pipelines lacking a connected subdevice, preventing the null dereference. Apply the patches from Kernel Git Commit 31814264 and Kernel Git Commit 8e3c7512, or update to a stable kernel release that includes these commits.
Workarounds
- Unload the rkcif kernel module on systems that do not require camera capture functionality
- Tighten udev rules to remove read and write access to rkcif video nodes for non-administrative accounts
- Disable Rockchip camera subsystem in kernel configuration (CONFIG_VIDEO_ROCKCHIP_CIF=n) when rebuilding from source