In the Linux kernel, the following vulnerability has been resolved:
media: chips-media: wave5: Fix kthread worker destruction in polling mode
Fix the cleanup order in polling mode (irq < 0) to prevent kernel warnings during module removal. Cancel the hrtimer before destroying the kthread worker to ensure work queues are empty.
In polling mode, the driver uses hrtimer to periodically trigger wave5vputimercallback() which queues work via kthreadqueuework(). The kthreaddestroyworker() function validates that both work queues are empty with WARNON(!listempty(&worker->worklist)) and WARNON(!listempty(&worker->delayedworklist)).
The original code called kthreaddestroyworker() before hrtimercancel(), creating a race condition where the timer could fire during worker destruction and queue new work, triggering the WARNON.
This causes the following warning on every module unload in polling mode:
------------[ cut here ]------------ WARNING: CPU: 2 PID: 1034 at kernel/kthread.c:1430 kthreaddestroyworker+0x84/0x98 Modules linked in: wave5(-) rpmsgctrl rpmsgchar ... Call trace: kthreaddestroyworker+0x84/0x98 wave5vpuremove+0xc8/0xe0 [wave5] platform_remove+0x30/0x58 ... ---[ end trace 0000000000000000 ]---
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43293.json",
"cna_assigner": "Linux"
}