CVE-2026-46240
Use-After-Free in Linux Kernel Iris Driver
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: kernel.org
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux_kernel | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a use-after-free issue in the Linux kernel's media driver for iris. A recent change caused a regression where a buffer could be freed by the function session_release_buf(), but the caller iris_release_internal_buffers() would still access that buffer afterward. Accessing memory after it has been freed can lead to undefined behavior and potential security risks.
The fix involves setting a flag (BUF_ATTR_PENDING_RELEASE) before calling session_release_buf() to indicate the buffer is pending release, and reverting the flag if the call fails. This prevents any dereference of the buffer after it might have been freed.
How can this vulnerability impact me? :
A use-after-free vulnerability can lead to system instability, crashes, or potentially allow an attacker to execute arbitrary code or escalate privileges by exploiting the freed memory access. In this case, it affects the Linux kernel's media driver, which could impact systems using this driver if exploited.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed by updating the Linux kernel to a version that includes the patch which sets BUF_ATTR_PENDING_RELEASE before calling session_release_buf() and reverts the flag if the call fails. This prevents use-after-free by ensuring no dereference occurs after potential freeing.
Therefore, the immediate step is to apply the updated Linux kernel that contains this fix.