CVE-2026-46239 Overview
CVE-2026-46239 is a resource management vulnerability in the Linux kernel's ov5647 camera sensor I2C driver. The flaw resides in the s_ctrl function, where three control cases (AUTOGAIN, EXPOSURE_AUTO, and ANALOGUE_GAIN) return directly without invoking pm_runtime_put(). This omission causes runtime power management (PM) reference count leaks each time these controls are exercised. Over time, the imbalance prevents the device from entering low-power states and can leave the subdevice in an inconsistent runtime PM state. The issue affects systems using the Omnivision OV5647 sensor, commonly found on Raspberry Pi camera modules and other embedded Linux platforms.
Critical Impact
Repeated invocation of the affected V4L2 controls produces a runtime PM refcount imbalance that may prevent power state transitions and degrade device reliability on affected Linux media stacks.
Affected Products
- Linux kernel media: i2c: ov5647 driver
- Embedded Linux systems using the Omnivision OV5647 image sensor
- Distributions shipping the vulnerable kernel prior to the upstream fix
Discovery Timeline
- 2026-05-28 - CVE-2026-46239 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-46239
Vulnerability Analysis
The ov5647 driver implements the V4L2 control interface through the s_ctrl callback. Before processing each control, the driver calls pm_runtime_get_sync() to ensure the device is powered. The expected pattern requires a matching pm_runtime_put() call before returning. In the vulnerable code, three control branches use a bare return statement on completion. This bypasses the cleanup path that would normally release the runtime PM reference.
Each exercise of these controls increments the runtime PM usage counter without a corresponding decrement. The counter therefore monotonically increases over the lifetime of the device. Userspace applications that frequently adjust exposure or gain, such as camera tuning daemons and automated capture pipelines, accelerate the leak.
Root Cause
The root cause is missing resource cleanup along specific return paths in s_ctrl. The upstream patch converts the affected return statements to a ret = ...; break; pattern. This routes execution through the unified function exit path where pm_runtime_put() is always called. The fix restores proper reference count symmetry across all control cases.
Attack Vector
Exploitation requires local access to the V4L2 device node, typically /dev/video*. An unprivileged user with permission to open the camera device can repeatedly issue VIDIOC_S_CTRL ioctls targeting the affected controls. The vulnerability is a reliability and resource management defect rather than a memory corruption issue. There is no evidence of remote exploitation or arbitrary code execution. See the upstream commit for the corrective patch.
Detection Methods for CVE-2026-46239
Indicators of Compromise
- Persistent non-zero values in /sys/devices/.../power/runtime_usage for the ov5647 device after camera applications exit.
- Kernel log entries indicating the device fails to enter suspend or autosuspend states.
- Unexpectedly elevated power consumption on embedded platforms using the OV5647 sensor.
Detection Strategies
- Audit the running kernel version against the patched commits 6b03ecf75bda and f11ae9c04f83 to determine exposure.
- Monitor runtime PM accounting for camera I2C subdevices and flag growing usage counts that do not decrement after close().
- Inspect user-space camera pipelines that issue VIDIOC_S_CTRL for V4L2_CID_AUTOGAIN, V4L2_CID_EXPOSURE_AUTO, or V4L2_CID_ANALOGUE_GAIN.
Monitoring Recommendations
- Track kernel version inventory across embedded fleets and IoT devices using configuration management tooling.
- Alert on suspend/resume failures reported via dmesg or system journal entries from the media subsystem.
- Include media subsystem patches in routine kernel CVE triage for any platform shipping camera sensors.
How to Mitigate CVE-2026-46239
Immediate Actions Required
- Update affected systems to a Linux kernel release that includes commits 6b03ecf75bda5900b8e661eb75656f631b598bc2 and f11ae9c04f8368a3b5a0280ef595198dace1c983.
- Restrict access to /dev/video* device nodes to trusted users and processes through group membership and udev rules.
- Rebuild and redeploy custom kernels for embedded devices that integrate the ov5647 driver.
Patch Information
The fix is available in the upstream Linux kernel stable tree. Refer to the first kernel commit and the second kernel commit for the corrective changes. The patch rewrites the AUTOGAIN, EXPOSURE_AUTO, and ANALOGUE_GAIN cases in ov5647_s_ctrl to fall through the common exit path that releases the runtime PM reference.
Workarounds
- Avoid frequent toggling of auto-gain, auto-exposure, and analogue-gain controls on unpatched systems.
- Reload the ov5647 kernel module periodically to reset accumulated runtime PM state where operationally acceptable.
- Limit camera access to applications that do not exercise the affected V4L2 control identifiers until the patch is applied.
# Verify kernel version and applied patches
uname -r
git -C /usr/src/linux log --oneline | grep -E '6b03ecf75bda|f11ae9c04f83'
# Restrict access to V4L2 device nodes
sudo chgrp video /dev/video0
sudo chmod 0660 /dev/video0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
