CVE-2026-46235: Linux Kernel saa7164 Driver Null Pointer Dereference DoS
The Linux kernel's saa7164 media driver failed to properly validate whether memory mapping operations succeeded before using the results. When the kernel tries to map I/O memory regions for certain hardware (specifically PCI base address registers 0 and 2), it could receive a null pointer if the operation failed. The driver would then attempt to use these null pointers, causing a system crash. This patch adds defensive checks: if memory mapping fails, the driver now properly cleans up any partially allocated resources and safely reports an error instead of proceeding with unusable pointers.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-476
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: media: saa7164: add ioremap return checks and cleanups Add checks for ioremap return values in saa7164_dev_setup(). If ioremap for BAR0 or BAR2 fails, release the already allocated PCI memory regions, remove the device from the global list, decrement the device count, and return -ENODEV. This prevents potential null pointer dereferences and ensures proper cleanup on memory mapping failures.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46235 addresses a null pointer dereference vulnerability in the saa7164 SAA7164 media bridge driver. The vulnerability stems from missing validation of ioremap() return values in the saa7164_dev_setup() function. When ioremap() fails to map BAR0 or BAR2 memory regions—a condition that can occur under memory pressure or hardware initialization issues—the driver proceeds without checking for NULL, leading to subsequent pointer dereferences. The fix implements proper error handling: on ioremap failure, the code releases previously allocated PCI memory regions (via pci_release_regions()), removes the device from the kernel's global device list, decrements the device counter, and returns -ENODEV to signal initialization failure to the kernel.
Business impact
This vulnerability primarily affects systems running the Linux kernel with the saa7164 driver loaded, typically in broadcast/media capture appliances or specialized video digitization hardware. The impact manifests as denial of service through kernel panic when the driver initialization path encounters memory mapping failures. For organizations deploying such hardware (particularly in broadcast monitoring, security video ingest, or media production environments), an affected system would become unavailable until rebooted. Recovery requires manual intervention and reboot cycles, disrupting continuous monitoring or capture workflows. The vulnerability does not enable privilege escalation or data exfiltration; the impact is limited to availability.
Affected systems
The Linux kernel (all versions prior to the fix) is affected, specifically systems with the saa7164 SAA7164 media bridge driver compiled in or loaded as a module. The driver is used to manage SAA7164-based video capture cards and similar media hardware. This includes dedicated media ingest systems, broadcast monitoring stations, and specialized video acquisition appliances that rely on this hardware. Desktop and server systems without SAA7164 hardware or with the driver disabled are not vulnerable, as the vulnerable code only executes during driver initialization for matching hardware.
Exploitability
This vulnerability requires local access to trigger—specifically, a local authenticated user must cause or allow the driver to initialize or reinitialize (via hotplug insertion of the hardware, driver module load, or system boot) during conditions where memory mapping fails. A remote attacker cannot trigger this directly. However, the underlying condition (ioremap failure) can occur naturally under memory pressure, making this an unreliable but not impossible attack vector in shared or multi-tenant environments. The CVSS score of 5.5 reflects the local access requirement, low attack complexity, and high availability impact. Exploitation does not require user interaction or special privileges beyond local system access.
Remediation
Apply the Linux kernel patch that adds ioremap return value validation to saa7164_dev_setup(). The patch ensures that if ioremap() returns NULL for either BAR0 or BAR2, the driver performs safe cleanup: releasing PCI regions, removing the device from kernel lists, and returning an error. Verify the patch against the official Linux kernel repository or your distribution's security advisory to confirm the exact version containing the fix. Organizations should also assess whether the saa7164 driver is necessary for their deployments and consider disabling it via kernel configuration or module blacklisting if the hardware is not in use.
Patch guidance
Monitor your Linux distribution's security advisory channels for kernel updates addressing CVE-2026-46235. The fix will be included in a patched kernel version; consult your vendor (Red Hat, Canonical, SUSE, etc.) for specific version numbers. To verify you have the fix, examine the kernel source or use `journalctl -u kernel` or dmesg to confirm the saa7164 driver initializes successfully. After patching, no configuration changes are required unless you choose to disable the driver entirely via kernel parameters (e.g., adding `saa7164.enabled=0` or blacklisting the module if unused). Test the patch in a non-production environment first, particularly if your systems rely on SAA7164 hardware for continuous capture.
Detection guidance
Monitor kernel logs (dmesg, journalctl, /var/log/kernel.log) for error messages from saa7164 during boot or hotplug events. Watch for kernel panics or oops messages mentioning saa7164 or ioremap failures. If your monitoring system supports it, track failed driver initialization events. Systems with SAA7164 hardware should establish baseline logs of successful driver initialization; deviations may indicate the vulnerability being triggered or the driver encountering initialization issues. Check whether saa7164 is actually loaded via `lsmod | grep saa7164` and `dmesg | grep saa7164`. If the driver is loaded but no hardware is present, consider unloading it to reduce attack surface.
Why prioritize this
Although this is a MEDIUM-severity vulnerability (CVSS 5.5) limited to local denial of service, it merits timely patching because: (1) many organizations running specialized media or broadcast hardware may not have systematic kernel patching cadences; (2) the failure mode (kernel panic) is severe even if not exploitable remotely; (3) the fix is straightforward and carries low regression risk; (4) the vulnerability does not require privilege escalation, meaning any local user in multi-tenant environments could trigger it. Prioritize this for organizations with confirmed SAA7164 hardware deployments or those running general-purpose kernels with the driver enabled.
Risk score, explained
The CVSS 3.1 score of 5.5 reflects: Attack Vector (Local) — requires local system access; Attack Complexity (Low) — the failure mode (memory mapping) can occur without special setup; Privileges Required (Low) — any local user can cause hardware initialization attempts; User Interaction (None); Scope (Unchanged); and Confidentiality/Integrity/Availability (No/No/High — availability is severely impacted via denial of service). The score appropriately captures that this is a serious availability risk for affected systems but does not enable remote exploitation or privilege elevation. Organizations handling critical continuous capture workflows should treat this as higher priority than the base CVSS suggests.
Frequently asked questions
Does this vulnerability affect my Linux system?
Only if you have SAA7164-based video capture hardware installed and the saa7164 driver is loaded or compiled into your kernel. Check with `lsmod | grep saa7164` or examine your kernel configuration. Most general-purpose desktop and server systems do not use this driver unless they are dedicated media or broadcast systems.
Can this be exploited remotely?
No. The vulnerability requires local system access and the ability to trigger driver initialization (e.g., via hotplug or module load). Remote attackers cannot trigger this vulnerability directly. It is a local denial-of-service risk.
What happens if I leave this unpatched?
If the driver encounters memory mapping failures during initialization, the unpatched kernel will crash (kernel panic) rather than gracefully handling the error. This causes system downtime and manual reboot. The patch prevents the crash by implementing proper error handling and safe cleanup.
Do I need to change any configuration after patching?
No configuration changes are required. The patch is transparent. However, if you do not use SAA7164 hardware, you may optionally disable the driver entirely via kernel boot parameters or module blacklisting to reduce kernel attack surface.
This analysis is based on the CVE record and publicly available patch details as of the publication date. Actual affected versions, patch availability, and deployment impact may vary by distribution. Verify all version numbers and patch status against your vendor's official security advisory before deploying patches. This vulnerability does not have a known public exploit (KEV status: false as of analysis date), but this status may change. No exploit code or weaponized proof-of-concept is provided. Organizations should conduct their own risk assessment based on actual hardware inventory and kernel versions in use. Consult your system vendor and security team before making patching decisions. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2026-46118MEDIUMLinux Kernel PAPR Hypervisor Pipe Null Pointer Dereference (POWER Systems)
- CVE-2026-46127MEDIUMLinux Kernel OCRDMA Null Pointer Dereference (DoS)
- CVE-2026-46134MEDIUMLinux Kernel cros_ec Mutex Initialization DoS Vulnerability
- CVE-2026-46188MEDIUMLinux Octeon EP VF NULL Pointer Dereference Denial of Service
- CVE-2026-46211MEDIUMLinux Kernel MSM DRM NULL Pointer and Silent Error in gem_info_get_metadata
- CVE-2026-46216MEDIUMLinux Intel Arc GPU NULL Pointer Dereference (HDCP)
- CVE-2026-46222MEDIUMLinux Rockchip RKCam Driver Null Pointer Dereference