CVE-2026-46210
Received Received - Intake
Use-After-Free in Linux Kernel Iris Driver

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved: media: iris: fix use-after-free of fmt_src during MBPF check During concurrency testing, multiple instances can run in parallel, and each instance uses its own inst->lock while the core->lock protects the list of active instances. The race happens because these locks cover different scopes, inst->lock protects only the internals of a single instance, while the Macro Blocks Per Frame (MBPF) checker walks the core list under core->lock and reads fields like fmt_src->width and fmt_src->height. At the same time, iris_close() may free fmt_src and fmt_dst under inst->lock while the instance is still present in the core list. This allows a situation where the MBPF checker, still iterating through the core list, reaches an instance whose fmt_src was already freed by another thread and ends up dereferencing a dangling pointer, resulting in a use-after-free. This happens because the MBPF checker assumes that any instance in the core list is fully valid, but the freeing of fmt_src and fmt_dst without removing the instance from the core list is not correct. The correct ordering is to defer freeing fmt_src and fmt_dst until after the instance has been removed from the core list and all teardown under the core lock has completed, ensuring that no dangling pointers are ever exposed during MBPF checks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-05-28
Generated
2026-05-28
AI Q&A
2026-05-28
EPSS Evaluated
N/A
NVD
CVE-2026-46210
EUVD
EUVD-2026-32837
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linux_kernel linux_kernel *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :

This vulnerability can lead to a use-after-free condition in the Linux kernel's media iris driver during concurrency operations. Specifically, it allows a situation where a thread may dereference a dangling pointer because an instance's resources (fmt_src and fmt_dst) are freed while still being referenced by another thread. This can cause undefined behavior such as crashes, memory corruption, or potential escalation of privileges depending on how the kernel handles the invalid memory access.


Can you explain this vulnerability to me?

This vulnerability is a use-after-free issue in the Linux kernel's media iris component related to the Macro Blocks Per Frame (MBPF) checker.

During concurrent operations, multiple instances run in parallel with different locks protecting different scopes. The core lock protects the list of active instances, while each instance has its own lock protecting its internals.

The problem arises because the MBPF checker iterates over the core list under the core lock and reads fields like fmt_src->width and fmt_src->height. Meanwhile, another thread may free fmt_src and fmt_dst under the instance lock while the instance is still present in the core list.

This leads to the MBPF checker dereferencing a dangling pointer, causing a use-after-free error, because it assumes all instances in the core list are fully valid.

The fix involves deferring the freeing of fmt_src and fmt_dst until after the instance has been removed from the core list and all teardown under the core lock is complete, preventing exposure of dangling pointers during MBPF checks.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is resolved by ensuring that the freeing of fmt_src and fmt_dst is deferred until after the instance has been removed from the core list and all teardown under the core lock has completed. Immediate mitigation would involve updating the Linux kernel to a version where this fix is applied.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart