CVE-2026-43293
Received Received - Intake
Race Condition in Linux Kernel Wave5 Driver Polling Mode

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: media: chips-media: wave5: Fix kthread worker destruction in polling mode Fix the cleanup order in polling mode (irq < 0) to prevent kernel warnings during module removal. Cancel the hrtimer before destroying the kthread worker to ensure work queues are empty. In polling mode, the driver uses hrtimer to periodically trigger wave5_vpu_timer_callback() which queues work via kthread_queue_work(). The kthread_destroy_worker() function validates that both work queues are empty with WARN_ON(!list_empty(&worker->work_list)) and WARN_ON(!list_empty(&worker->delayed_work_list)). The original code called kthread_destroy_worker() before hrtimer_cancel(), creating a race condition where the timer could fire during worker destruction and queue new work, triggering the WARN_ON. This causes the following warning on every module unload in polling mode: ------------[ cut here ]------------ WARNING: CPU: 2 PID: 1034 at kernel/kthread.c:1430 kthread_destroy_worker+0x84/0x98 Modules linked in: wave5(-) rpmsg_ctrl rpmsg_char ... Call trace: kthread_destroy_worker+0x84/0x98 wave5_vpu_remove+0xc8/0xe0 [wave5] platform_remove+0x30/0x58 ... ---[ end trace 0000000000000000 ]---
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-05-09
AI Q&A
2026-05-08
EPSS Evaluated
N/A
NVD
CVE-2026-43293
EUVD
EUVD-2026-28563
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed by correcting the cleanup order in polling mode to cancel the hrtimer before destroying the kthread worker. To mitigate this vulnerability immediately, you should update the Linux kernel to a version that includes this fix.

Until the update is applied, avoid unloading the affected module (wave5) in polling mode to prevent the kernel warnings and potential instability caused by the race condition.


Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's chips-media wave5 driver when operating in polling mode. The issue is related to the improper cleanup order during module removal, where the kernel thread worker is destroyed before canceling a high-resolution timer (hrtimer). This creates a race condition where the timer can still fire and queue new work while the worker is being destroyed, causing kernel warnings.

Specifically, the driver uses an hrtimer to periodically trigger a callback that queues work via kthread_queue_work(). The function kthread_destroy_worker() expects both work queues to be empty, but because the timer is not canceled first, new work can be added during destruction, triggering warnings.


How can this vulnerability impact me? :

This vulnerability can cause kernel warnings during module removal in polling mode, which may lead to instability or unexpected behavior in the system. While it does not describe a direct security breach, the race condition and warnings could potentially affect system reliability or complicate debugging and maintenance.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by observing kernel warnings during module unload in polling mode. Specifically, the system logs will show warnings related to kthread_destroy_worker and work queue lists not being empty.

You can check for these warnings by examining the kernel log using commands such as:

  • dmesg | grep -i 'kthread_destroy_worker'
  • journalctl -k | grep -i 'kthread_destroy_worker'
  • dmesg | grep -i 'WARNING: CPU'

These commands will help identify the presence of the specific WARN_ON messages triggered by the race condition during module removal.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart