CVE-2026-46222 Linux CVE debrief

Who should care

Organizations running Linux systems on Rockchip SoCs with camera interfaces; embedded systems manufacturers using rkcif driver; security teams monitoring kernel driver stability

Technical summary

The Rockchip Camera Interface (rkcif) driver in the Linux kernel fails to validate that media pads have connected devices before enabling streams. The pads lack the MUST_CONNECT flag check, permitting stream configuration on unconnected interfaces. When rkcif_interface_enable_streams() executes, it dereferences a null pointer (offset 0x20), causing a kernel oops. The crash occurs through the standard V4L2 streaming path: vb2_ioctl_streamon → v4l_streamon → __video_do_ioctl → vb2_core_streamon → vb2_start_streaming → rkcif_stream_start_streaming → v4l2_subdev_enable_streams → rkcif_interface_enable_streams. The resolution adds MUST_CONNECT flag validation to prevent stream enablement on disconnected pads.

Defensive priority

medium

Recommended defensive actions

• Apply kernel patches from stable branches when available
• Verify rkcif driver loads with properly configured media topology
• Monitor kernel logs for rkcif_interface_enable_streams oops signatures
• Restrict untrusted user access to V4L2 video devices
• Review camera interface configurations for missing sensor connections

Evidence notes

Vulnerability description and resolution confirmed via NVD entry published 2026-05-28. Root cause identified as missing MUST_CONNECT flag validation in media pads. Crash signature confirmed: null pointer dereference at virtual address 0x20 in rkcif_interface_enable_streams(). Call trace provided in CVE description shows V4L2 streaming path. Fix commits referenced in source metadata.

Official resources