CVE-2026-46011
Analyzed Analyzed - Analysis Complete
Use-After-Free in MediaTek JPEG Driver Due to Uncancelled Work

Publication date: 2026-05-27

Last updated on: 2026-06-16

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: media: mtk-jpeg: fix use-after-free in release path due to uncancelled work The mtk_jpeg_release() function frees the context structure (ctx) without first cancelling any pending or running work in ctx->jpeg_work. This creates a race window where the workqueue callback may still be accessing the context memory after it has been freed. Race condition: CPU 0 (release) CPU 1 (workqueue) ---------------- ------------------ close() mtk_jpeg_release() mtk_jpegenc_worker() ctx = work->data // accessing ctx kfree(ctx) // freed! access ctx // UAF! The work is queued via queue_work() during JPEG encode/decode operations (via mtk_jpeg_device_run). If the device is closed while work is pending or running, the work handler will access freed memory. Fix this by calling cancel_work_sync() BEFORE acquiring the mutex. This ordering is critical: if cancel_work_sync() is called after mutex_lock(), and the work handler also tries to acquire the same mutex, it would cause a deadlock. Note: The open error path does NOT need cancel_work_sync() because INIT_WORK() only initializes the work structure - it does not schedule it. Work is only scheduled later during ioctl operations.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-06-16
Generated
2026-06-16
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-15
NVD
CVE-2026-46011
EUVD
EUVD-2026-32308
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
linux linux_kernel From 6.7 (inc) to 6.12.86 (exc)
linux linux_kernel From 6.2 (inc) to 6.6.140 (exc)
linux linux_kernel From 6.13 (inc) to 6.18.27 (exc)
linux linux_kernel From 6.19 (inc) to 7.0.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability involves a use-after-free condition in the mtk-jpeg driver within the Linux kernel, specifically related to the mtk_jpeg_release() function and its handling of workqueue callbacks. Detection would require monitoring for crashes, kernel warnings, or memory corruption related to the mtk-jpeg device operations.

Since this is a kernel-level race condition triggered during JPEG encode/decode operations, there are no direct network-based detection commands.

To detect if the vulnerable code is present, you can check the kernel version or inspect the source code for the presence or absence of the fix (calling cancel_work_sync() before mutex acquisition in mtk_jpeg_release).

For runtime detection, monitoring kernel logs for use-after-free or related memory access errors when using the mtk-jpeg device might help.

  • Check kernel logs for errors: sudo dmesg | grep -i mtk_jpeg
  • Use kernel debugging tools like kmemcheck or KASAN to detect use-after-free issues if enabled.
  • Verify if the system is running a patched kernel version that includes the fix.
Executive Summary

This vulnerability is a use-after-free issue in the Linux kernel's media component, specifically in the mtk-jpeg driver. The function mtk_jpeg_release() frees a context structure without first cancelling any pending or running work associated with it. This creates a race condition where a workqueue callback might still access the freed memory, leading to undefined behavior or potential crashes.

The problem occurs because the work is queued during JPEG encode/decode operations, and if the device is closed while work is still pending or running, the work handler accesses memory that has already been freed.

The fix involves calling cancel_work_sync() before acquiring a mutex to ensure that any pending work is cancelled safely without causing deadlocks.

Impact Analysis

This vulnerability can lead to use-after-free conditions, which may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or escalate privileges if they can trigger the race condition.

Since the issue involves accessing freed memory, it could be exploited to corrupt memory or cause denial of service in systems using the affected mtk-jpeg driver.

Mitigation Strategies

To mitigate this vulnerability, ensure that the Linux kernel version you are using includes the fix for the mtk-jpeg use-after-free issue.

The fix involves calling cancel_work_sync() before acquiring the mutex in the mtk_jpeg_release() function to prevent the race condition.

If you are maintaining or patching the kernel, verify that the release path cancels any pending or running work in ctx->jpeg_work before freeing the context structure.

As an immediate step, avoid closing the device while JPEG encode/decode work is still pending or running to reduce the risk of triggering the use-after-free.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46011. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart