{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-43222", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-05-01T14:12:55.994Z", "datePublished": "2026-05-06T11:28:22.291Z", "dateUpdated": "2026-05-11T22:20:21.954Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-05-11T22:20:21.954Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: verisilicon: AV1: Fix tile info buffer size\n\nEach tile info is composed of: row_sb, col_sb, start_pos\nand end_pos (4 bytes each). So the total required memory\nis AV1_MAX_TILES * 16 bytes.\nUse the correct #define to allocate the buffer and avoid\nwriting tile info in non-allocated memory."}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/media/platform/verisilicon/rockchip_vpu981_hw_av1_dec.c"], "versions": [{"version": "727a400686a2c0d25015c9e44916a59b72882f83", "lessThan": "a5b1ddbe31f49b4da78642157589970e9b60a231", "status": "affected", "versionType": "git"}, {"version": "727a400686a2c0d25015c9e44916a59b72882f83", "lessThan": "34f36f9c6114af781a5a4f7a7c99334c85b73fc7", "status": "affected", "versionType": "git"}, {"version": "727a400686a2c0d25015c9e44916a59b72882f83", "lessThan": "f122f2b3ce9dbde60bf7ab0b180fe4a01f9d9bc4", "status": "affected", "versionType": "git"}, {"version": "727a400686a2c0d25015c9e44916a59b72882f83", "lessThan": "74abfadd7ef5ac9f3a6111d550cc651d1457c641", "status": "affected", "versionType": "git"}, {"version": "727a400686a2c0d25015c9e44916a59b72882f83", "lessThan": "a505ca2db89ad92a8d8d27fa68ebafb12e04a679", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/media/platform/verisilicon/rockchip_vpu981_hw_av1_dec.c"], "versions": [{"version": "6.5", "status": "affected"}, {"version": "0", "lessThan": "6.5", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.128", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.75", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.16", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.6", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.5", "versionEndExcluding": "6.6.128"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.5", "versionEndExcluding": "6.12.75"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.5", "versionEndExcluding": "6.18.16"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.5", "versionEndExcluding": "6.19.6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.5", "versionEndExcluding": "7.0"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/a5b1ddbe31f49b4da78642157589970e9b60a231"}, {"url": "https://git.kernel.org/stable/c/34f36f9c6114af781a5a4f7a7c99334c85b73fc7"}, {"url": "https://git.kernel.org/stable/c/f122f2b3ce9dbde60bf7ab0b180fe4a01f9d9bc4"}, {"url": "https://git.kernel.org/stable/c/74abfadd7ef5ac9f3a6111d550cc651d1457c641"}, {"url": "https://git.kernel.org/stable/c/a505ca2db89ad92a8d8d27fa68ebafb12e04a679"}], "title": "media: verisilicon: AV1: Fix tile info buffer size", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "A502C6C1-0CFB-4C9B-8A24-C76507206FA7", "versionEndExcluding": "6.6.128", "versionStartIncluding": "6.5", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "BCE16369-98ED-41CF-8995-DFDC10B288D2", "versionEndExcluding": "6.12.75", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "B4B8CDA9-BADF-4CF5-8B3B-702DE8EEA40B", "versionEndExcluding": "6.18.16", "versionStartIncluding": "6.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "373EEEDA-FAA1-4FB4-B6ED-DB4DD99DBE67", "versionEndExcluding": "6.19.6", "versionStartIncluding": "6.19", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: verisilicon: AV1: Fix tile info buffer size\n\nEach tile info is composed of: row_sb, col_sb, start_pos\nand end_pos (4 bytes each). So the total required memory\nis AV1_MAX_TILES * 16 bytes.\nUse the correct #define to allocate the buffer and avoid\nwriting tile info in non-allocated memory."}], "id": "CVE-2026-43222", "lastModified": "2026-05-08T21:12:57.527", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "type": "Secondary"}]}, "published": "2026-05-06T12:16:41.900", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/34f36f9c6114af781a5a4f7a7c99334c85b73fc7"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/74abfadd7ef5ac9f3a6111d550cc651d1457c641"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a505ca2db89ad92a8d8d27fa68ebafb12e04a679"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/a5b1ddbe31f49b4da78642157589970e9b60a231"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/f122f2b3ce9dbde60bf7ab0b180fe4a01f9d9bc4"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "kernel: media: verisilicon: AV1: Fix tile info buffer size", "id": "2467207", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467207"}, "csaw": false, "cwe": "CWE-131", "details": ["A flaw was found in the Linux kernel's media: verisilicon: AV1 driver. The driver incorrectly calculates the buffer size for tile information, which can lead to writing data beyond the allocated memory. This memory corruption vulnerability could result in system instability or a denial of service."], "name": "CVE-2026-43222", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-05-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-43222\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-43222\nhttps://lore.kernel.org/linux-cve-announce/2026050653-CVE-2026-43222-3676@gregkh/T"]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[727a400686a2c0d25015c9e44916a59b72882f83,a5b1ddbe31f49b4da78642157589970e9b60a231)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[727a400686a2c0d25015c9e44916a59b72882f83,34f36f9c6114af781a5a4f7a7c99334c85b73fc7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[727a400686a2c0d25015c9e44916a59b72882f83,f122f2b3ce9dbde60bf7ab0b180fe4a01f9d9bc4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[727a400686a2c0d25015c9e44916a59b72882f83,74abfadd7ef5ac9f3a6111d550cc651d1457c641)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[727a400686a2c0d25015c9e44916a59b72882f83,a505ca2db89ad92a8d8d27fa68ebafb12e04a679)"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.5"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[0,6.5)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.6.128,7.0.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.12.75,6.13.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.18.16,6.19.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[6.19.6,6.20.0)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[7.0,*]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "inferred", "scores": [{"score": 99.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Linux", "source": "cna", "vendor": "Linux"}, "product": "linux_kernel", "vendor": "linux"}], "created": "2026-05-06T15:30:06.079130+00:00", "updated": "2026-05-08T22:30:18.339478+00:00", "vendors": ["linux", "linux$PRODUCT$linux_kernel"]}