CVE-2026-31473
Received Received - Intake
Use-After-Free in Linux Kernel Media Request Queue Serialization

Publication date: 2026-04-22

Last updated on: 2026-04-27

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex MEDIA_REQUEST_IOC_REINIT can run concurrently with VIDIOC_REQBUFS(0) queue teardown paths. This can race request object cleanup against vb2 queue cancellation and lead to use-after-free reports. We already serialize request queueing against STREAMON/OFF with req_queue_mutex. Extend that serialization to REQBUFS, and also take the same mutex in media_request_ioctl_reinit() so REINIT is in the same exclusion domain. This keeps request cleanup and queue cancellation from running in parallel for request-capable devices.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-14
NVD
CVE-2026-31473
EUVD
EUVD-2026-24825
Affected Vendors & Products
Showing 15 associated CPEs
Vendor Product Version / Range
linux linux_kernel 4.20
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel 7.0
linux linux_kernel From 5.11 (inc) to 5.15.203 (exc)
linux linux_kernel From 5.16 (inc) to 6.1.168 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.21 (exc)
linux linux_kernel From 6.19 (inc) to 6.19.11 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.131 (exc)
linux linux_kernel From 6.7 (inc) to 6.12.80 (exc)
linux linux_kernel From 4.20.1 (inc) to 5.10.253 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Linux kernel's media subsystem, specifically in the mc and v4l2 components. It involves a race condition where the MEDIA_REQUEST_IOC_REINIT operation can run concurrently with VIDIOC_REQBUFS(0) queue teardown paths. This concurrency can cause a use-after-free issue by racing request object cleanup against vb2 queue cancellation.

The fix involves serializing the request queueing operations by extending the use of the req_queue_mutex to include REQBUFS and taking the same mutex in media_request_ioctl_reinit(). This ensures that request cleanup and queue cancellation do not run in parallel for request-capable devices, preventing the race condition.

Impact Analysis

This vulnerability can lead to use-after-free conditions in the Linux kernel's media subsystem. Use-after-free bugs can cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or escalate privileges if exploited.

Therefore, if your system uses request-capable media devices relying on the affected kernel components, this vulnerability could impact system reliability and security.

Mitigation Strategies

The vulnerability has been resolved by serializing request queueing operations in the Linux kernel media subsystem using the req_queue_mutex. To mitigate this vulnerability, you should update your Linux kernel to a version that includes this fix.

This update ensures that MEDIA_REQUEST_IOC_REINIT and VIDIOC_REQBUFS operations are properly serialized, preventing use-after-free conditions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31473. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart