CVE-2026-46239
Analyzed Analyzed - Analysis Complete
Runtime PM Refcount Leak in Linux Kernel ov5647 Camera Driver

Publication date: 2026-05-28

Last updated on: 2026-06-10

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl Three control cases (AUTOGAIN, EXPOSURE_AUTO, ANALOGUE_GAIN) directly return without calling pm_runtime_put(), causing runtime PM reference count leaks. Change these cases from 'return' to 'ret = ... break' pattern to ensure pm_runtime_put() is always called before function exit.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-06-10
Generated
2026-06-17
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-46239
EUVD
EUVD-2026-32757
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux linux_kernel From 7.0 (inc) to 7.0.9 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's media i2c driver for the ov5647 device. Specifically, three control cases (AUTOGAIN, EXPOSURE_AUTO, ANALOGUE_GAIN) in the code return early without calling the function pm_runtime_put(), which leads to a runtime power management (PM) reference count leak.

The fix changes these early returns to a pattern that ensures pm_runtime_put() is always called before the function exits, preventing the reference count leak.

Impact Analysis

The impact of this vulnerability is a runtime power management reference count leak in the Linux kernel's media i2c driver for the ov5647 device. This leak can cause improper power management behavior, potentially leading to increased power consumption or resource exhaustion related to power management.

Mitigation Strategies

The vulnerability is fixed by updating the Linux kernel to a version where the runtime PM refcount leak in the ov5647 i2c driver is resolved.

Specifically, ensure your system is running a kernel version that includes the patch changing the control cases (AUTOGAIN, EXPOSURE_AUTO, ANALOGUE_GAIN) to call pm_runtime_put() properly before function exit.

Therefore, the immediate step is to apply the relevant kernel update or patch provided by your Linux distribution.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46239. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart