CVE-2026-46239: Linux OV5647 Camera Driver Runtime PM Reference Leak
A memory management bug in the Linux kernel's OV5647 camera driver causes system resources to not be properly released when certain camera control operations are performed. Specifically, three control settings—autogain, automatic exposure, and analog gain—skip the cleanup step that tells the system a resource is no longer needed, leaving the system in a degraded state. Repeated use of these controls can exhaust system resources and cause the kernel to become unstable or unresponsive.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- —
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
In the Linux kernel, the following vulnerability has been resolved: media: i2c: ov5647: Fix runtime PM refcount leak in s_ctrl Three control cases (AUTOGAIN, EXPOSURE_AUTO, ANALOGUE_GAIN) directly return without calling pm_runtime_put(), causing runtime PM reference count leaks. Change these cases from 'return' to 'ret = ... break' pattern to ensure pm_runtime_put() is always called before function exit.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46239 is a runtime PM (power management) reference count leak in the Linux kernel's OV5647 camera sensor driver (drivers/media/i2c/ov5647.c). The s_ctrl() function handles camera control settings but contains three early-return paths in cases for V4L2_CID_AUTOGAIN, V4L2_CID_EXPOSURE_AUTO, and V4L2_CID_ANALOGUE_GAIN that exit without invoking pm_runtime_put(). The function acquires a runtime PM reference via pm_runtime_get_sync() at entry but these three code paths bypass the corresponding release, causing the reference counter to become incremented without proper decrement. Over time or under repeated access patterns, this leads to reference count saturation and prevents the driver from properly managing device power states.
Business impact
For organizations deploying Linux systems with OV5647-based camera hardware (common in embedded systems, robotics, and IoT devices), this vulnerability creates operational risk through potential system instability. Repeated invocation of affected camera controls can degrade overall system responsiveness and may trigger out-of-memory conditions or prevent proper device suspension, increasing power consumption and reducing device lifespan. Systems in production environments relying on camera functionality may experience unexpected hangs or require more frequent reboots.
Affected systems
The Linux kernel is affected across all versions prior to the patch. Systems with OV5647 camera sensors—typically found in single-board computers (Raspberry Pi and similar platforms), embedded vision systems, and IoT camera modules—are at risk when running vulnerable kernel versions. The vulnerability only manifests when the affected camera control operations are actively used; systems with the OV5647 sensor present but not exercising those specific controls may not exhibit symptoms.
Exploitability
This vulnerability requires local code execution capability; an unprivileged local process or user with camera device access can trigger the resource leak by repeatedly invoking the affected V4L2 control operations through standard camera APIs. No special privileges are required beyond the ability to open and control the camera device (typically available to users in the video group). Network-based or remote exploitation is not possible. The attack surface is limited to local authenticated users or applications with camera permissions.
Remediation
Apply the Linux kernel patch that corrects the s_ctrl() function to use a structured return pattern (ret = ... ; break;) instead of direct return statements for the three affected control cases. This ensures pm_runtime_put() executes before all code paths exit. Verify the patch version against your kernel maintainer's advisory; the fix is straightforward and low-risk. After patching, reboot systems to load the corrected kernel.
Patch guidance
Monitor your Linux distribution's kernel security advisories for availability of patched versions. The fix involves restructuring the three control case handlers to set a return value and break out of the switch statement rather than returning directly, allowing cleanup code to execute. Verify against your kernel source tree or distribution's advisory for the specific patched version targeting your release. Standard kernel update procedures (apt, yum, or distribution-specific package management) should provide the patched version once available. Test patched kernels in non-production environments first, particularly on systems with active camera workloads.
Detection guidance
Monitor system logs and kernel messages for signs of PM refcount imbalance; tools like 'pm-utils' or custom kernel instrumentation can track runtime PM reference counts over time. Watch for unexpected power state transitions, increased power consumption on camera-equipped systems, or sporadic system hangs correlating with camera usage. On affected systems, enabling kernel runtime PM debugging (via /sys/module/pm_runtime/parameters/debug) can expose reference count anomalies. In production, correlation of system responsiveness degradation with camera control API invocation patterns may signal exploitation.
Why prioritize this
Although CVSS score is moderate (5.5), this vulnerability poses elevated concern for embedded and IoT deployments where camera-equipped systems must remain stable for extended periods. The local-only attack vector and requirement for camera access limit immediate risk, but systems in production environments with continuous camera workloads should prioritize patching to prevent gradual resource exhaustion. Organizations operating camera-based robotics, surveillance, or sensing platforms should treat this as a high-priority stability fix.
Risk score, explained
CVSS 3.1 score of 5.5 (MEDIUM) reflects Attack Vector: Local, Access Complexity: Low, Privilege: Low, reflecting that unprivileged local users with camera access can trigger the leak without special exploit requirements. The scoring emphasizes Availability (High impact) since the primary harm is denial of service through resource exhaustion, while Confidentiality and Integrity are unaffected. The moderate score appropriately balances the need for local presence against the severity of resource exhaustion on embedded systems.
Frequently asked questions
Can this vulnerability be exploited remotely over the network?
No. The vulnerability requires local code execution or the ability to issue camera control commands on the target system. It cannot be exploited over the network.
Does every OV5647 system show this problem immediately?
No. The leak only occurs when the affected camera controls (autogain, automatic exposure, or analog gain) are actively invoked. Systems with the sensor present but not using these specific controls will not exhibit symptoms. The leak becomes observable only under repeated or sustained usage patterns.
What happens if I don't patch?
Over time, the PM reference counter may become exhausted, preventing the driver from properly managing the camera device's power state. This can lead to unexpected hangs, reduced system responsiveness, or inability to suspend the device, increasing power consumption. Systems with heavy camera workloads are at higher risk.
Is there a workaround if I cannot patch immediately?
Operationally, reducing the frequency or scope of camera control adjustments (autogain, exposure automation, gain adjustments) may slow symptom onset, but this is not a reliable workaround. Patching is the definitive fix and should be prioritized.
This analysis is based on the CVE record and kernel vulnerability description as of the published date. CVSS and severity scores reflect official NVD methodology. Organizations should verify patch availability and compatibility with their specific kernel versions and distributions before deploying. This vulnerability should not be assumed to be actively exploited in the wild; affected status depends on kernel version in use. No exploit code or weaponization details are provided. For authoritative patch status and timelines, consult your Linux distribution's security advisories and the Linux Kernel Security Team. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Affected vendors
Related vulnerabilities
- CVE-2025-71313MEDIUMLinux Kernel PCI Endpoint NULL Pointer Dereference
- CVE-2025-71314MEDIUMLinux Panthor GPU Driver Denial of Service via Cache Flush Timeout
- CVE-2026-10004MEDIUMChrome UI Spoofing Vulnerability – Password Dialog Hijacking
- CVE-2026-10018MEDIUMInteger Overflow in Chrome ANGLE GPU Graphics Layer
- CVE-2026-10912MEDIUMChrome Extension Same-Origin Policy Bypass (CVSS 6.5)
- CVE-2026-10916MEDIUMChrome DevTools UXSS Vulnerability
- CVE-2026-10998MEDIUMChrome Media Out-of-Bounds Memory Read Vulnerability
- CVE-2026-11004MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure