CVE-2026-43316
Bounds Check Fix in Linux Kernel solo6x10 Driver
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability relates to a potential out of bounds chip_id check in the Linux kernel's media: solo6x10 driver. It involves a condition where a signed integer shift operation could lead to undefined behavior due to shifting beyond 32 bits. The issue was identified by Clang's UBSAN instrumentation and resolved by adding explicit bounds checking and using unsigned values for shifts. The impact could be related to incorrect behavior or instability in the affected driver if the issue was exploited or triggered.
Can you explain this vulnerability to me?
This vulnerability is related to the Linux kernel's media component, specifically the solo6x10 driver. It involves a potential out-of-bounds issue with the chip_id value.
The problem arises because Clang, when compiled with the CONFIG_UBSAN_SHIFT=y option, detects a situation where a signed integer (the literal "1" as an int) could be shifted beyond 32 bits, which is undefined behavior. Due to this, Clang's instrumentation causes the function to be partially elided (removed) because it treats the second call to is_tw286x() as undefined behavior.
The fix involves adding an explicit check for the maximum chip ID to ensure the shift operation stays within bounds, and changing the shift value to an unsigned type. This prevents the undefined behavior and removes the need for runtime instrumentation.