CVE-2026-43290
Received Received - Intake
UVC Video Buffer Leak in Linux Kernel

Publication date: 2026-05-08

Last updated on: 2026-05-11

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Return queued buffers on start_streaming() failure Return buffers if streaming fails to start due to uvc_pm_get() error. This bug may be responsible for a warning I got running while :; do yavta -c3 /dev/video0; done on an xHCI controller which failed under this workload. I had no luck reproducing this warning again to confirm. xhci_hcd 0000:09:00.0: HC died; cleaning up usb 13-2: USB disconnect, device number 2 WARNING: CPU: 2 PID: 29386 at drivers/media/common/videobuf2/videobuf2-core.c:1803 vb2_start_streaming+0xac/0x120
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-11
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-43290
EUVD
EUVD-2026-28560
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is in the Linux kernel's media subsystem, specifically in the uvcvideo driver. It involves a failure to properly return queued buffers when the start_streaming() function fails due to an error in uvc_pm_get(). This can cause warnings and issues related to USB video devices, particularly under workloads involving repeated streaming attempts.

Impact Analysis

If this vulnerability occurs, it may cause warnings and instability when using USB video devices, such as cameras, especially under heavy or repeated streaming workloads. It could lead to device disconnects or failures in video streaming operations, potentially disrupting applications relying on video input.

Detection Guidance

This vulnerability relates to the Linux kernel's media subsystem, specifically the uvcvideo driver handling video streaming buffers. Detection may involve monitoring system logs for warnings related to video buffer streaming failures.

  • Check kernel logs for warnings similar to: "WARNING: CPU: ... vb2_start_streaming" which indicate streaming start failures.
  • Use commands like `dmesg | grep vb2_start_streaming` or `journalctl -k | grep vb2_start_streaming` to find relevant kernel warnings.
  • Run a workload similar to `while :; do yavta -c3 /dev/video0; done` to attempt to reproduce the issue and observe any errors or warnings.
Mitigation Strategies

The vulnerability has been resolved by returning queued buffers on start_streaming() failure in the uvcvideo driver. Immediate mitigation involves updating the Linux kernel to a version that includes this fix.

  • Update your Linux kernel to the latest version where this issue is fixed.
  • Monitor system logs for related warnings and avoid workloads that trigger the issue until the update is applied.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43290. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart