CVE-2026-46235 Overview
CVE-2026-46235 is a Linux kernel vulnerability in the saa7164 media driver. The flaw exists in the saa7164_dev_setup() function, which fails to validate the return values of ioremap() calls for BAR0 and BAR2 PCI memory regions. When ioremap() returns NULL on failure, the driver continues execution without releasing allocated PCI memory regions or removing the device from the global list. This creates the conditions for a null pointer dereference and leaks kernel resources on memory mapping failures.
Critical Impact
Failed ioremap() calls in the saa7164 driver lead to null pointer dereferences and resource leaks within the Linux kernel, potentially causing kernel crashes and denial of service on affected systems.
Affected Products
- Linux Kernel (mainline)
- Linux Kernel stable branches incorporating the saa7164 media driver
- Distributions shipping kernels with the unpatched drivers/media/pci/saa7164/saa7164-core.c
Discovery Timeline
- 2026-05-28 - CVE-2026-46235 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-46235
Vulnerability Analysis
The vulnerability resides in the saa7164_dev_setup() function within the Linux kernel's saa7164 PCI media capture driver. During device initialization, the driver maps PCI Base Address Registers (BAR0 and BAR2) into kernel virtual address space using ioremap(). The original code did not verify that ioremap() succeeded before using the returned pointers.
When physical memory mapping fails, ioremap() returns NULL. Subsequent driver code dereferences these NULL pointers when accessing device registers, triggering a kernel null pointer dereference [CWE-476]. Beyond the immediate crash, the driver also fails to unwind earlier initialization steps. Allocated PCI memory regions remain reserved, the device stays in the global device list, and the device counter is not decremented.
The patch resolves both issues by adding explicit NULL checks after each ioremap() call. On failure, the fix releases PCI memory regions via the appropriate cleanup path, removes the device from the global list, decrements the device count, and returns -ENODEV to the caller.
Root Cause
The root cause is missing return value validation for kernel memory mapping functions. The saa7164_dev_setup() routine assumed ioremap() would always succeed and proceeded to use the returned virtual addresses without checking for NULL. This is a classic missing error check pattern combined with an incomplete cleanup path on the error branch.
Attack Vector
Triggering this flaw requires conditions that cause ioremap() to fail during saa7164 driver probe. Such conditions include resource exhaustion in the kernel virtual address space, conflicting memory mappings, or hardware fault conditions on the PCI bus. Local attackers with the ability to load drivers or attach affected PCI devices may be able to provoke the failure path, resulting in kernel instability or denial of service. The flaw is not reachable through ordinary unprivileged remote network operations.
The vulnerability manifests in the device initialization path of the saa7164 media driver. Refer to the upstream commits referenced below for the exact code changes:
- Linux Kernel Patch 3ce8f3057
- Linux Kernel Patch 6047dc542
- Linux Kernel Patch 6c22a6d8e
- Linux Kernel Patch a9b83f46e
- Linux Kernel Patch d51c60a49
Detection Methods for CVE-2026-46235
Indicators of Compromise
- Kernel oops or panic logs referencing saa7164_dev_setup or null pointer dereferences inside the saa7164 module.
- dmesg entries showing failed PCI device probe for saa7164-class capture cards without proper cleanup messages.
- Repeated device count or PCI region allocation anomalies during driver load attempts.
Detection Strategies
- Inventory running kernels to identify versions that have not received the patches referenced in the upstream commit list.
- Audit systems with saa7164-based capture hardware to confirm whether the loaded driver corresponds to a patched build.
- Correlate kernel crash telemetry against module names in the call trace to identify saa7164-related faults.
Monitoring Recommendations
- Forward dmesg and /var/log/kern.log to a centralized log store and alert on saa7164 module load failures or kernel oops events.
- Monitor system reboots and kernel crash dumps on hosts equipped with affected PCI media capture cards.
- Track kernel package versions across the Linux fleet and flag hosts running pre-patch builds.
How to Mitigate CVE-2026-46235
Immediate Actions Required
- Apply the latest stable kernel update from your Linux distribution that incorporates the upstream saa7164 ioremap return check patches.
- On systems without saa7164 hardware, blacklist the saa7164 module to remove the vulnerable code from the active kernel surface.
- Restrict physical and administrative access to systems with saa7164-class PCI capture cards until patched.
Patch Information
The fix is upstreamed in the Linux kernel via multiple stable backports. Reference commits include 3ce8f3057, 6047dc542, 6c22a6d8e, a9b83f46e, and d51c60a49. Update to the kernel version provided by your distribution vendor that incorporates these commits in drivers/media/pci/saa7164/saa7164-core.c.
Workarounds
- Blacklist the saa7164 kernel module on hosts that do not require the affected capture hardware.
- Physically remove or disable saa7164-based PCI cards from production servers until patched kernels are deployed.
- Limit driver load permissions to trusted administrators to reduce the chance of triggering the vulnerable initialization path.
# Blacklist the saa7164 driver to prevent loading the vulnerable module
echo "blacklist saa7164" | sudo tee /etc/modprobe.d/blacklist-saa7164.conf
sudo depmod -a
sudo update-initramfs -u
# Verify the module is not currently loaded
lsmod | grep saa7164
# Confirm installed kernel version after applying distro update
uname -r
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
