In the Linux kernel, the following vulnerability has been resolved:
media: vidtv: fix NULL pointer dereference in vidtvchannelpmtmatchsections
syzbot reported a general protection fault in vidtvpsidesc_assign [1].
vidtvpsipmtstreaminit() can return NULL on memory allocation failure, but vidtvchannelpmtmatchsections() does not check for this. When tail is NULL, the subsequent call to vidtvpsidesc_assign(&tail->descriptor, desc) dereferences a NULL pointer offset, causing a general protection fault.
Add a NULL check after vidtvpsipmtstreaminit(). On failure, clean up the already-allocated stream chain and return.
[1] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:vidtvpsidescassign+0x24/0x90 drivers/media/test-drivers/vidtv/vidtvpsi.c:629 Call Trace: <TASK> vidtvchannelpmtmatchsections drivers/media/test-drivers/vidtv/vidtvchannel.c:349 [inline] vidtvchannelsiinit+0x1445/0x1a50 drivers/media/test-drivers/vidtv/vidtvchannel.c:479 vidtvmuxinit+0x526/0xbe0 drivers/media/test-drivers/vidtv/vidtvmux.c:519 vidtvstartstreaming drivers/media/test-drivers/vidtv/vidtvbridge.c:194 [inline] vidtvstartfeed+0x33e/0x4d0 drivers/media/test-drivers/vidtv/vidtvbridge.c:239
{
"cna_assigner": "Linux",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31599.json"
}