CVE-2026-52907: media: rockchip: rkcif: fix off by one bugs
In the Linux kernel, the following vulnerability has been resolved:

media: rockchip: rkcif: fix off by one bugs

Change these comparisons from > vs >= to avoid accessing one element beyond the end of the arrays. While at it, use ARRAY_SIZE instead of the _MAX enum values.

[fix cosmetic issues]
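The bug class the description names, shown as an added example: this is not the rkcif driver's code, and the enum, table and function names are hypothetical. It puts the `>` check beside the `>=` / `ARRAY_SIZE` form and counts the indices each one lets past the end of the array.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical enum and table, not taken from the rkcif driver. */
enum demo_port { DEMO_PORT_A, DEMO_PORT_B, DEMO_PORT_C, DEMO_PORT_MAX };
static const int demo_lanes[DEMO_PORT_MAX] = { 1, 2, 4 };

/* Before: '>' accepts id == DEMO_PORT_MAX, one past the last element. */
static int check_buggy(unsigned int id)
{
	return id > DEMO_PORT_MAX ? -EINVAL : 0;
}

/* After: '>=' against ARRAY_SIZE() ties the bound to the array itself. */
static int check_fixed(unsigned int id)
{
	return id >= ARRAY_SIZE(demo_lanes) ? -EINVAL : 0;
}

/* Count ids that pass a check yet would index past the end of demo_lanes. */
static unsigned int oob_accepted(int (*check)(unsigned int))
{
	unsigned int id, n = 0;
	for (id = 0; id < ARRAY_SIZE(demo_lanes) + 4; id++)
		if (check(id) == 0 && id >= ARRAY_SIZE(demo_lanes))
			n++;
	return n;
}

/* Lookup guarded by the fixed check; never reads outside the table. */
static int demo_lookup(unsigned int id, int *lanes)
{
	if (check_fixed(id))
		return -EINVAL;
	*lanes = demo_lanes[id];
	return 0;
}

int main(void)
{
	int lanes = 0;
	printf("buggy check lets through %u out-of-range id(s)\n", oob_accepted(check_buggy));
	printf("fixed check lets through %u out-of-range id(s)\n", oob_accepted(check_fixed));
	printf("lookup(DEMO_PORT_MAX) = %d\n", demo_lookup(DEMO_PORT_MAX, &lanes));
	return 0;
}
```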
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: 0
- Affected Products: 2
HarborGuard Analysis
Synopsis
An off-by-one memory access vulnerability exists in the Linux kernel's Rockchip RKCIF camera interface driver (media/rockchip/rkcif). A local attacker with a low-privilege account can trigger the flaw without any network access or user interaction. Successful exploitation gives the attacker full read, write, and crash capability over the affected kernel subsystem. A patched-image rebuild at the fix versions is available on HarborGuard for environments running an affected kernel.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle an affected kernel version. Any image in a customer registry or CI pipeline that carries a vulnerable Linux kernel build is flagged automatically.
Status: Available
HarborGuard scores this CVE at CVSS 7.8 HIGH (v3.1) and weighs it against each environment's compliance policy to determine breach-of-threshold alerting and routing. Triage findings are delivered to the inbox or ticket queue configured by each customer org, prioritized by the presence of the affected Rockchip kernel driver in scanned images.
Status: Available
A patched-image rebuild at the fix commits (73e119036b3a, e4056b84af0f) and tagged release 7.0.4 or 7.1-rc1 becomes available in HarborGuard the moment upstream versions are confirmed. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled.
Status: Available
Exploit Conditions
- Network reachability: Not required
The attacker needs an existing shell or process on the host; no network access is required to reach the vulnerable driver.
- Authentication: Required
Any low-privilege local account is sufficient to trigger the off-by-one access; no administrator rights are needed.
- Victim interaction: Not required
No user interaction is needed; the attacker can trigger the bug entirely on their own.
- Attack complexity: Detail
Exploitation is reliable and condition-free; no race condition or special memory layout is required.
Blast Radius
- Reads kernel memory contents, which may expose session tokens, credentials, or other sensitive data held in kernel space.
- Writes to out-of-bounds kernel memory, allowing corruption of kernel data structures or escalation of privileges.
- Crashes the affected kernel subsystem or the entire host, causing a denial of service for all workloads on that node.
- Compromises the integrity of the RKCIF camera capture pipeline, which may corrupt media data processed by the driver.
How HarborGuard Handles This
Available on HarborGuard: images containing a Linux kernel version earlier than the fix commits (73e119036b3a or e4056b84af0f) or 7.0.4 are matched and flagged within minutes of CVE ingestion. Where compliance policy permits, HarborGuard can rebuild affected images against a patched kernel base and open a pull request against the relevant workloads; for environments with auto-remediation enabled, the median time from CVE publication to a merged patch PR for high-severity issues is around 90 minutes. Customers who do not yet have a patched base image available can apply compensating controls in the interim: restrict container host access to trusted accounts only, apply kernel module loading policies (such as module signing or seccomp profiles) to limit exposure of the rkcif driver, and use network policy isolation to reduce the attack surface of nodes running Rockchip-based hardware. HarborGuard re-checks the advisory each ingest cycle and surfaces the rebuild the moment upstream fixes are confirmed in the base image supply chain.
Fix available
- Linux / Linux: < 73e119036b3a799170ed89907b4273c07306d611 (from 1f2353f5a1af995efbf7bea44341aa0d03460b28) · < e4056b84af0fc18c84b4e5741df04ecd8ca17973 (from 1f2353f5a1af995efbf7bea44341aa0d03460b28)
- Linux / Linux: 6.19. Fixed in 0, 7.0.4, 7.1-rc1
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H