PatchSiren cyber security CVE debrief
CVE-2026-43290 Git CVE debrief
CVE-2026-43290 is a Linux kernel media/uvcvideo bug in the start_streaming() failure path. According to the CVE description, queued buffers were not returned when streaming failed to start because uvc_pm_get() returned an error, and the issue may surface as a vb2_start_streaming warning during webcam/video-capture workloads. The record was published on 2026-05-08 and modified on 2026-05-11. NVD assigns a HIGH CVSS 3.1 score (7.8) with a local attack vector, which makes this primarily a kernel-stability and cleanup issue for systems using the affected USB video path.
- Vendor: Git
- Product: Unknown
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-08
- Original CVE updated: 2026-05-11
- Advisory published: 2026-05-08
- Advisory updated: 2026-05-11
Who should care
Linux kernel and distro maintainers, endpoint administrators, and teams managing systems that use USB webcams or other uvcvideo-backed capture devices, especially where local users can start camera streams.
Technical summary
The vulnerability is in the Linux kernel's uvcvideo driver when start_streaming() fails after a uvc_pm_get() error. In that failure path, queued buffers were not returned to the caller, leaving the videobuf2 streaming setup in an invalid state and potentially triggering a kernel warning in vb2_start_streaming(). The supplied CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, so the published severity is HIGH, but the narrative evidence specifically describes a failed cleanup path and warning behavior rather than exploitation details.
Defensive priority
Medium-High
Recommended defensive actions
- Apply the kernel fix referenced by the linked stable kernel commits and ensure your distribution has backported the change.
- Prioritize patching on systems with active USB camera/video-capture use, especially endpoints or kiosks where local users can access /dev/video* devices.
- Monitor kernel logs for warnings involving vb2_start_streaming, uvcvideo, or unexpected USB disconnect and host-controller reset events.
- If patching is delayed, restrict local access to video devices and reduce unnecessary exposure of USB camera functionality on shared systems.
- Verify the running kernel version against your vendor's advisory or backport status before assuming the issue is resolved.
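One way to run the log-monitoring check from the list above, as an added example (not part of the original debrief or of any kernel tooling). The sample log is constructed, and the context patterns and the `scan` helper are assumptions made for illustration.

```python
import re
import sys

# Constructed dmesg-style sample (not captured from a real system); the source
# line number, offsets, PID and device names are placeholders.
SAMPLE_LOG = """\
[  101.350002] uvcvideo 1-2:1.0: Found UVC 1.00 device Example Cam (0000:0000)
[  180.000001] WARNING: CPU: 0 PID: 77 at kernel/example.c:0 other_func+0x0/0x0
[  245.000003] usb 1-2: USB disconnect, device number 5
[  245.010004] ------------[ cut here ]------------
[  245.010005] WARNING: CPU: 1 PID: 4242 at drivers/media/common/videobuf2/videobuf2-core.c:0 vb2_start_streaming+0x0/0x0 [videobuf2_common]
[  245.010006] Modules linked in: uvcvideo videobuf2_vmalloc videobuf2_common
[  300.000008] xhci_hcd 0000:00:14.0: host controller reset (constructed line)
"""

TS = re.compile(r"^\[\s*(\d+\.\d+)\]\s+(.*)$")
# WARN banner whose faulting symbol is vb2_start_streaming.
VB2_WARN = re.compile(r"WARNING: .*\bvb2_start_streaming\+")
# Context substrings are heuristic assumptions, taken from the wording of the
# monitoring advice (uvcvideo, USB disconnect, host-controller reset).
CONTEXT = re.compile(r"uvcvideo|USB disconnect|xhci_hcd.*reset", re.I)

def scan(text, window=5.0):
    """Return one finding per vb2_start_streaming WARN with nearby context."""
    events = []
    for line in text.splitlines():
        m = TS.match(line)
        if m:
            events.append((float(m.group(1)), m.group(2)))
    findings = []
    for ts, msg in events:
        if not VB2_WARN.search(msg):
            continue
        # Attach uvcvideo/USB lines logged within `window` seconds of the WARN.
        ctx = [c for t, c in events
               if abs(t - ts) <= window and c != msg and CONTEXT.search(c)]
        findings.append({"time": ts, "warning": msg, "context": ctx})
    return findings

if __name__ == "__main__":
    # Pipe `dmesg` in, or run with no input to use the constructed sample.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for f in scan(text):
        print(f"[{f['time']:.6f}] {f['warning']}")
        for c in f["context"]:
            print(f"    context: {c}")
```

A hit only shows that the warning fired; whether the running kernel carries the fix still has to be confirmed against the vendor's backport status.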
Evidence notes
This debrief is based only on the supplied NVD/CVE corpus and the official kernel stable references listed there. The CVE was published on 2026-05-08 and modified on 2026-05-11. NVD's supplied vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The description explicitly identifies the fix area as 'media: uvcvideo: Return queued buffers on start_streaming() failure' and says queued buffers should be returned when uvc_pm_get() fails. No KEV entry is listed in the supplied enrichment.
Official resources
- CVE-2026-43290 CVE record (CVE.org)
- CVE-2026-43290 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference (416baaa9-dc9f-4396-8d5f-8c081fb06d67)
Publicly disclosed in the CVE record on 2026-05-08; the supplied record was last modified on 2026-05-11.