MEDIUM 5.5

CVE-2026-46222: Linux Rockchip RKCam Driver Null Pointer Dereference

A flaw exists in the Linux kernel's Rockchip RKCam Interface (rkcif) media driver where certain data connection points (pads) lack proper validation checks. When a video stream is started on a device where these pads are not correctly connected, the kernel attempts to access memory that doesn't exist, causing the system to crash. This is a local issue—only users with login access to the affected system can trigger it, typically through video application commands.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-476
Affected products
1 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

In the Linux kernel, the following vulnerability has been resolved: media: rockchip: rkcif: Add missing MUST_CONNECT flag to pads The pads missed checks for connected devices which may a null dereference when the stream is enabled. Unable to handle kernel NULL pointer dereference at virtual address 0000000000000020 pc : rkcif_interface_enable_streams+0x48/0xf0 lr : rkcif_interface_enable_streams+0x44/0xf0 Call trace: rkcif_interface_enable_streams+0x48/0xf0 v4l2_subdev_enable_streams+0x26c/0x3f0 rkcif_stream_start_streaming+0x140/0x278 vb2_start_streaming+0x74/0x188 vb2_core_streamon+0xe0/0x1d8 vb2_ioctl_streamon+0x60/0xa8 v4l_streamon+0x2c/0x40 __video_do_ioctl+0x34c/0x400 video_usercopy+0x2d0/0x800 video_ioctl2+0x20/0x60 v4l2_ioctl+0x48/0x78

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46222 is a null pointer dereference vulnerability in the rkcif media subsystem (drivers/media/platform/rockchip/rkcif/). The rkcif_interface_enable_streams() function fails to validate that required media pads have connected devices before dereferencing them during stream initialization. The missing MUST_CONNECT flag on pad definitions permits invalid pipeline states where internal function calls attempt to access hardware state through null pointers. The crash occurs deep in the V4L2 subdevice abstraction when vb2_core_streamon() triggers the enable_streams path on an incompletely configured capture interface.

Business impact

Availability impact is localized to affected Rockchip SoC systems running vulnerable kernels. A local attacker or unprivileged user can reliably crash the video subsystem or entire kernel, disrupting any service relying on camera input (video conferencing, surveillance systems, embedded vision applications on Rockchip boards). Recovery requires a restart. No data corruption or privilege escalation is possible; the threat model is denial of service on dedicated video processing systems.

Affected systems

Linux kernel versions containing the vulnerable rkcif driver, primarily deployed in embedded and consumer devices using Rockchip SoCs (RK3288, RK3399, RK3568, and related variants). Typical deployments include single-board computers, embedded video appliances, automotive infotainment systems, and IoT edge devices. Desktop and server Linux distributions are largely unaffected unless explicitly running Rockchip-specific drivers.

Exploitability

Exploitability is straightforward but scoped to local attackers with user-level login capability. No special privileges, network access, or user interaction is required beyond calling standard V4L2 ioctl commands (VIDIOC_STREAMON) on a misconfigured or disconnected camera pipeline. The attack surface is limited to systems with active rkcif hardware; the flaw cannot be remotely triggered. Automated fuzzing or intentional misconfiguration of media pipelines reliably reproduces the crash within seconds.

Remediation

Apply the Linux kernel patch that adds the MUST_CONNECT flag to rkcif media pads. This enforces validation of connected devices at pipeline configuration time, preventing invalid states that lead to null dereference. The fix is a small, low-risk change to pad attribute definitions. Coordinate patching through your Linux distributor or apply directly from upstream kernel repositories once released.

Patch guidance

Monitor your Linux distributor (Debian, Ubuntu, Fedora, RHEL, etc.) or Rockchip SoC vendor for updated kernel packages addressing CVE-2026-46222. If running a custom or vendor-supplied kernel on Rockchip hardware, verify the fix is included by checking the rkcif driver source for MUST_CONNECT flags on all media pads. Rebuild and redeploy kernel updates according to your change management process. Test video streaming functionality post-patch to confirm normal operation.

Detection guidance

Enable kernel logging and monitor system logs for NULL pointer dereference messages originating from rkcif_interface_enable_streams(). Watch for repeated video subsystem crashes or STREAMON ioctl failures in userspace applications (gstreamer, ffmpeg, V4L2 tools). On production edge/embedded devices, correlate video feed outages with kernel crash signatures. Intrusion detection is not applicable; this is a local stability issue rather than a security breach indicator.

Why prioritize this

Although the CVSS score is moderate (5.5), prioritization should consider deployment context. Systems where camera input is mission-critical (surveillance, automotive, industrial vision) warrant urgent patching. General-purpose Linux desktops and servers face negligible risk unless Rockchip hardware is explicitly used. IoT and embedded Rockchip deployments should patch within standard SLA windows; the barrier to exploitation is low, but impact is contained to availability.

Risk score, explained

CVSS 3.1 score of 5.5 (MEDIUM) reflects the denial-of-service severity balanced against local-only attack vector and low privilege requirement (user-level login). The AV:L/AC:L/PR:L/UI:N profile indicates any logged-in user can trivially trigger a kernel crash. The complete absence of confidentiality and integrity impact (C:N/I:N) and availability impact limited to the affected subsystem (S:U) prevents a higher score. Real-world risk is lower on general compute systems but higher on single-purpose embedded devices.

Frequently asked questions

Can this vulnerability be exploited remotely over the network?

No. This is a local kernel issue requiring direct access to the affected system's user account and V4L2 device files. Remote network attacks are not possible.

Which Rockchip SoCs are affected?

Any Rockchip SoC with an rkcif media capture interface running a vulnerable kernel version is affected. Common platforms include RK3288, RK3399, RK3568, and RK3588. Verify your specific hardware against your kernel version and vendor advisories.

Will this crash corrupt my data or compromise system security?

No. The crash is a kernel denial of service only. There is no data corruption, privilege escalation, or security boundary bypass. Restarting the system fully recovers normal function.

What should I do if I cannot immediately patch my system?

If rkcif hardware is not in use, disable or unload the driver module. If video capture is required, segregate systems to limit exposure to trusted local users only and implement restart automation to minimize service downtime from crashes.

This analysis is based on published CVE data current as of the source date. Patch version numbers and detailed vendor advisories should be verified directly with Linux distributors and Rockchip. SEC.co makes no guarantee regarding patch availability or timelines. Organizations should validate the applicability of this vulnerability to their specific hardware, kernel versions, and deployment contexts before allocating remediation resources. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).