Skip to main content

Linux Kernel CVE-2026-46210

| EUVDEUVD-2026-32837 HIGH
Use After Free (CWE-416)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-v3mx-wgxp-826p
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 12:07 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.8

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

media: iris: fix use-after-free of fmt_src during MBPF check

During concurrency testing, multiple instances can run in parallel, and each instance uses its own inst->lock while the core->lock protects the list of active instances. The race happens because these locks cover different scopes, inst->lock protects only the internals of a single instance, while the Macro Blocks Per Frame (MBPF) checker walks the core list under core->lock and reads fields like fmt_src->width and fmt_src->height. At the same time, iris_close() may free fmt_src and fmt_dst under inst->lock while the instance is still present in the core list. This allows a situation where the MBPF checker, still iterating through the core list, reaches an instance whose fmt_src was already freed by another thread and ends up dereferencing a dangling pointer, resulting in a use-after-free. This happens because the MBPF checker assumes that any instance in the core list is fully valid, but the freeing of fmt_src and fmt_dst without removing the instance from the core list is not correct.

The correct ordering is to defer freeing fmt_src and fmt_dst until after the instance has been removed from the core list and all teardown under the core lock has completed, ensuring that no dangling pointers are ever exposed during MBPF checks.

AnalysisAI

Local privilege escalation and memory corruption in the Linux kernel's iris media driver allows local users with low privileges to trigger a use-after-free condition via concurrent access during Macro Blocks Per Frame (MBPF) checks. The flaw affects Linux kernel 6.18 and stems from improper lock ordering where fmt_src and fmt_dst structures are freed under inst->lock while the instance remains in the core list traversed under core->lock. EPSS is very low at 0.02% (5th percentile) and no public exploit identified at time of analysis, but the high CVSS score reflects severe local impact.

Technical ContextAI

The vulnerability resides in the Qualcomm iris video decoder/encoder driver (drivers/media/platform/qcom/iris) within the V4L2 (Video4Linux2) subsystem of the Linux kernel. The driver implements two distinct locking scopes: inst->lock guards per-instance state, while core->lock guards the global list of active media instances. The MBPF checker walks the core-protected list and dereferences fmt_src->width and fmt_src->height format fields, but iris_close() frees these format structures under the instance lock without first removing the instance from the core list. This is a classic CWE-416 (Use After Free) caused by inconsistent lock coverage across overlapping object lifetimes - a race condition where one thread can observe and dereference memory that another thread has already freed.

RemediationAI

Vendor-released patch: upgrade to Linux kernel 7.1-rc3 (mainline) or the stable backport 7.0.9, which corrects the lock ordering by deferring the freeing of fmt_src and fmt_dst until after the instance has been removed from the core list and all core-lock teardown completes. The upstream fix commits are available at https://git.kernel.org/stable/c/3d9593ad1a58c5acc3e5fa2a48222bb7632e6812 and https://git.kernel.org/stable/c/494ffd1712a588e590e6b1e9f876a8c8b24a9180. If immediate kernel upgrade is not feasible, compensating controls include unloading the iris kernel module (modprobe -r iris) on systems that do not require hardware video acceleration - trade-off: video encode/decode performance falls back to software, increasing CPU load and battery drain on mobile devices. Additionally, restrict access to /dev/video* device nodes via udev rules or group permissions so only trusted services (not arbitrary local users or unprivileged apps) can open V4L2 handles, which reduces the attacker pool able to trigger the race.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-46210 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy