Skip to main content

Linux Kernel CVE-2026-31584

| EUVDEUVD-2026-25477 HIGH
Use After Free (CWE-416)
2026-04-24 Linux GHSA-5g36-g7f3-8q34
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 27, 2026 - 20:22 vuln.today
cvss_changed
Patch released
Apr 27, 2026 - 20:20 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 15:31 vuln.today
CVSS changed
Apr 27, 2026 - 15:22 NVD
7.8 (HIGH)
Patch available
Apr 24, 2026 - 16:16 EUVD
EUVD ID Assigned
Apr 24, 2026 - 15:00 euvd
EUVD-2026-25477
Analysis Generated
Apr 24, 2026 - 15:00 vuln.today
CVE Published
Apr 24, 2026 - 14:42 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

media: mediatek: vcodec: fix use-after-free in encoder release path

The fops_vcodec_release() function frees the context structure (ctx) without first cancelling any pending or running work in ctx->encode_work. This creates a race window where the workqueue handler (mtk_venc_worker) may still be accessing the context memory after it has been freed.

Race condition:

CPU 0 (release path) CPU 1 (workqueue) --------------------- ------------------ fops_vcodec_release() v4l2_m2m_ctx_release() v4l2_m2m_cancel_job() // waits for m2m job "done" mtk_venc_worker() v4l2_m2m_job_finish() // m2m job "done" // BUT worker still running! // post-job_finish access: other ctx dereferences // UAF if ctx already freed // returns (job "done") kfree(ctx) // ctx freed

Root cause: The v4l2_m2m_ctx_release() only waits for the m2m job lifecycle (via TRANS_RUNNING flag), not the workqueue lifecycle. After v4l2_m2m_job_finish() is called, the m2m framework considers the job complete and v4l2_m2m_ctx_release() returns, but the worker function continues executing and may still access ctx.

The work is queued during encode operations via: queue_work(ctx->dev->encode_workqueue, &ctx->encode_work) The worker function accesses ctx->m2m_ctx, ctx->dev, and other ctx fields even after calling v4l2_m2m_job_finish().

This vulnerability was confirmed with KASAN by running an instrumented test module that widens the post-job_finish race window. KASAN detected:

BUG: KASAN: slab-use-after-free in mtk_venc_worker+0x159/0x180 Read of size 4 at addr ffff88800326e000 by task kworker/u8:0/12

Workqueue: mtk_vcodec_enc_wq mtk_venc_worker

Allocated by task 47: __kasan_kmalloc+0x7f/0x90 fops_vcodec_open+0x85/0x1a0

Freed by task 47: __kasan_slab_free+0x43/0x70 kfree+0xee/0x3a0 fops_vcodec_release+0xb7/0x190

Fix this by calling cancel_work_sync(&ctx->encode_work) before kfree(ctx). This ensures the workqueue handler is both cancelled (if pending) and synchronized (waits for any running handler to complete) before the context is freed.

Placement rationale: The fix is placed after v4l2_ctrl_handler_free() and before list_del_init(&ctx->list). At this point, all m2m operations are done (v4l2_m2m_ctx_release() has returned), and we need to ensure the workqueue is synchronized before removing ctx from the list and freeing it.

Note: The open error path does NOT need cancel_work_sync() because INIT_WORK() only initializes the work structure - it does not schedule it. Work is only scheduled later during device_run() operations.

AnalysisAI

Use-after-free in Linux kernel MediaTek video encoder allows local authenticated users to corrupt memory and potentially execute arbitrary code. The flaw affects the vcodec driver's encoder release path where ctx memory is freed before canceling scheduled workqueue tasks, enabling race conditions between cleanup and worker threads that may dereference freed memory. KASAN-confirmed exploitation requires local access with low privileges (CVSS AV:L/PR:L). Patches available for kernel versions 6.12.83, 6.18.24, 6.19.14, and 7.0.1. EPSS score of 0.02% (5th percentile) indicates very low probability of automated exploitation, with no public exploit identified at time of analysis.

Technical ContextAI

This vulnerability resides in the MediaTek vcodec video encoder driver within the Linux kernel's V4L2 (Video4Linux2) subsystem. The affected code path involves the interaction between the V4L2 mem2mem (memory-to-memory) framework and kernel workqueues. The fops_vcodec_release() function uses v4l2_m2m_ctx_release() to clean up media contexts, which synchronizes on the m2m job lifecycle via the TRANS_RUNNING flag. However, this synchronization mechanism only waits for v4l2_m2m_job_finish() to complete, not for the underlying workqueue handler (mtk_venc_worker) to finish execution. The workqueue is scheduled via queue_work() during encoding operations and continues accessing context structure fields (ctx->m2m_ctx, ctx->dev) after the job is marked done. The CPE strings indicate this affects the core Linux kernel package across multiple stable branches. The root cause is a classic time-of-check-to-time-of-use (TOCTOU) race condition where synchronization primitives protect one resource lifecycle (m2m job) but not the dependent resource (workqueue execution) that continues to reference the freed context structure.

RemediationAI

Upgrade to patched Linux kernel versions: 6.12.83, 6.18.24, 6.19.14, 7.0.1, or later stable releases that include the fix commits. Patches available from kernel.org stable tree at https://git.kernel.org/stable/c/a8a55913552aed45108525d1851c65e1db0cc25b (mainline), https://git.kernel.org/stable/c/f99353cd0e9f58bf17889049137b8d65fb44ebf1 (6.19.x), https://git.kernel.org/stable/c/93d9a58961a9e09306857e999b3ee76aa4be67f0 (6.12.x), and https://git.kernel.org/stable/c/f1692337c6fa26e04f89b22a4d84bf5b7ada50d1 (6.18.x). The fix adds cancel_work_sync(&ctx->encode_work) before kfree(ctx) in the release path to ensure workqueue synchronization. If immediate patching is not feasible, disable or restrict access to MediaTek video encoding devices (/dev/video* nodes associated with mtk-vcodec-enc) using udev rules or device permissions to limit exposure to trusted users only - this prevents untrusted local users from triggering the vulnerable code path but eliminates hardware video encoding functionality. Alternatively, blacklist the mtk_vcodec_enc kernel module (add 'blacklist mtk_vcodec_enc' to /etc/modprobe.d/blacklist.conf) to prevent driver loading entirely, trading off all MediaTek hardware video encoding for security. Both workarounds significantly degrade multimedia performance on affected systems and should only be temporary measures pending kernel upgrade.

CVE-2017-3216 CRITICAL POC
9.8 Jun 20

WiMAX routers based on the MediaTek SDK (libmtk) that use a custom httpd plugin are vulnerable to an authentication bypa

CVE-2019-15027 CRITICAL POC
9.8 Aug 14

The MediaTek Embedded Multimedia Card (eMMC) subsystem for Android on MT65xx, MT66xx, and MT8163 SoC devices allows atta

CVE-2016-6492 HIGH POC
7.8 Jan 12

The MT6573FDVT_SetRegHW function in camera_fdvt.c in the MediaTek driver for Linux allows local users to gain privileges

CVE-2021-37584 HIGH
8.8 Dec 26

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle the WPS (Wi-Fi Protected

CVE-2021-37583 HIGH
8.8 Dec 26

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols. Rat

CVE-2021-37571 HIGH
8.8 Dec 26

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols. Rat

CVE-2021-37569 HIGH
8.8 Dec 26

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols. Rat

CVE-2021-37568 HIGH
8.8 Dec 26

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols. Rat

CVE-2021-37566 HIGH
8.8 Dec 26

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle IEEE 1905 protocols. Rat

CVE-2021-37563 HIGH
8.8 Dec 26

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle the WPS (Wi-Fi Protected

CVE-2021-37561 HIGH
8.8 Dec 26

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle the WPS (Wi-Fi Protected

CVE-2021-37560 HIGH
8.8 Dec 26

MediaTek microchips, as used in NETGEAR devices through 2021-11-11 and other devices, mishandle the WPS (Wi-Fi Protected

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-31584 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy