Skip to main content

Linux Kernel CVE-2026-46058

| EUVDEUVD-2026-32440 HIGH
Race Condition (CWE-362)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-j7pj-jr9c-8hg7
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:42 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

media: amphion: Fix race between m2m job_abort and device_run

Fix kernel panic caused by race condition where v4l2_m2m_ctx_release() frees m2m_ctx while v4l2_m2m_try_run() is about to call device_run with the same context.

Race sequence: v4l2_m2m_try_run(): v4l2_m2m_ctx_release(): lock/unlock v4l2_m2m_cancel_job() job_abort() v4l2_m2m_job_finish() kfree(m2m_ctx) <- frees ctx device_run() <- use-after-free crash at 0x538

Crash trace: Unable to handle kernel read from unreadable memory at virtual address 0000000000000538 v4l2_m2m_try_run+0x78/0x138 v4l2_m2m_device_run_work+0x14/0x20

The amphion vpu driver does not rely on the m2m framework's device_run callback to perform encode/decode operations.

Fix the race by preventing m2m framework job scheduling entirely:

  • Add job_ready callback returning 0 (no jobs ready for m2m framework)
  • Remove job_abort callback to avoid the race condition

AnalysisAI

Use-after-free in the Linux kernel's amphion VPU media driver allows local privileged users to trigger a kernel panic and potential memory corruption due to a race condition between v4l2_m2m_ctx_release() and v4l2_m2m_try_run(). The flaw affects systems using the amphion video encode/decode driver (introduced in 5.18) and has been resolved upstream by removing reliance on the m2m framework's job scheduling. No public exploit identified at time of analysis and EPSS is very low (0.02%), but the local high-impact CVSS of 7.8 makes it relevant for multi-tenant or hardened kernel deployments.

Technical ContextAI

The vulnerability lives in drivers/media/platform/amphion, the Video Processing Unit driver used on NXP i.MX8 platforms for hardware-accelerated H.264/H.265/VP8 encode and decode. It interacts with the V4L2 mem-to-mem (m2m) framework, which schedules device_run callbacks for queued buffers. The amphion driver does not actually rely on the m2m device_run path, yet it kept job_abort registered - letting v4l2_m2m_ctx_release() invoke v4l2_m2m_cancel_job() and free the m2m_ctx while v4l2_m2m_try_run() was concurrently about to dereference it, classically a CWE-416 use-after-free (the CWE field is reported as N/A but the trace and fix make the class unambiguous). The fix neutralizes the m2m scheduler for this driver by adding a job_ready callback that always returns 0 and dropping the job_abort callback.

RemediationAI

Upgrade to a Linux stable kernel containing the fix: 6.6.140, 6.12.86, 6.18.27, 7.0.4, or mainline 7.1-rc1 or later, pulling commits 42dc622776f3 / 6be2cb75bc13 / 8cd35ceadcfc / da4f46c5cf1d / fdc150dac1ad as referenced at https://git.kernel.org/stable/c/42dc622776f3ce1a6c31b13bdc686f7295e3b323. If a kernel update is not immediately possible, the most direct compensating control is to unload or blacklist the amphion modules (amphion-vpu, amphion-vpu-windsor, amphion-vpu-malone) and remove the corresponding /dev/video* and /dev/media* nodes, which eliminates the attack surface entirely but disables hardware video encode/decode on the affected SoC and will force userspace to fall back to software codecs. Where the driver must remain loaded, restrict access to the V4L2 device nodes to a trusted 'video' group via udev rules and avoid granting that group to untrusted containers or sandboxes; this reduces but does not remove the race window.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46058 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy