Skip to main content

Linux Kernel EUVDEUVD-2026-24825

| CVE-2026-31473 HIGH
Use After Free (CWE-416)
2026-04-22 416baaa9-dc9f-4396-8d5f-8c081fb06d67
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Re-analysis Queued
Apr 27, 2026 - 23:37 vuln.today
cvss_changed
Patch released
Apr 27, 2026 - 23:27 nvd
Patch available
Analysis Generated
Apr 27, 2026 - 14:31 vuln.today
CVSS changed
Apr 27, 2026 - 14:22 NVD
7.8 (HIGH)
Patch available
Apr 22, 2026 - 16:33 EUVD
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24825
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex

MEDIA_REQUEST_IOC_REINIT can run concurrently with VIDIOC_REQBUFS(0) queue teardown paths. This can race request object cleanup against vb2 queue cancellation and lead to use-after-free reports.

We already serialize request queueing against STREAMON/OFF with req_queue_mutex. Extend that serialization to REQBUFS, and also take the same mutex in media_request_ioctl_reinit() so REINIT is in the same exclusion domain.

This keeps request cleanup and queue cancellation from running in parallel for request-capable devices.

AnalysisAI

Use-after-free in Linux kernel media subsystem allows local authenticated attackers to potentially execute arbitrary code, escalate privileges, or cause system crashes. The race condition between MEDIA_REQUEST_IOC_REINIT and VIDIOC_REQBUFS(0) affects request-capable V4L2 media devices in kernels since version 4.20. Patches are available across multiple stable kernel branches (5.10.253, 5.15.203, 6.1.168, 6.6.131, 6.12.80, 6.18.21, 6.19.11, and 7.0). EPSS score of 0.02% indicates very low likelihood of mass exploitation, and no active exploitation or public POC has been identified.

Technical ContextAI

This vulnerability affects the Video4Linux2 (V4L2) media controller framework and videobuf2 (vb2) subsystems in the Linux kernel. The media request API, introduced in kernel 4.20, allows applications to atomically configure and queue multiple parameters for media devices like cameras and video capture hardware. The req_queue_mutex was originally designed to serialize request queueing operations with stream control (STREAMON/STREAMOFF), but did not protect the MEDIA_REQUEST_IOC_REINIT ioctl or VIDIOC_REQBUFS(0) queue teardown. This creates a time-of-check-time-of-use (TOCTOU) race window where request object cleanup can execute concurrently with vb2 queue cancellation, leading to use-after-free conditions when the same memory is accessed by both operations. The vulnerability represents a classic synchronization failure in kernel subsystem boundaries where two ioctl paths lack proper mutual exclusion despite operating on shared state.

RemediationAI

Update to patched kernel versions: 5.10.253+ for 5.10.x series, 5.15.203+ for 5.15.x series, 6.1.168+ for 6.1.x series, 6.6.131+ for 6.6.x series, 6.12.80+ for 6.12.x series, 6.18.21+ for 6.18.x series, 6.19.11+ for 6.19.x series, or 7.0+ for mainline. Patch commits are available at https://git.kernel.org/stable/ with commit IDs 72b9e81e0203 (mainline), bef4f4a88b73 (6.19.x), cf2023e84f08 (6.18.x), and multiple stable branch backports. If immediate patching is not feasible, restrict local user access to /dev/media* and /dev/video* device nodes through udev rules or filesystem permissions to limit the attack surface to trusted processes only - note this breaks legitimate camera/video applications for restricted users. Alternatively, disable the media controller request API by blacklisting affected media drivers (device-specific, typically CONFIG_VIDEO_* modules) if media functionality is not business-critical - this prevents system use of cameras and capture devices. Both workarounds significantly reduce system functionality and should be temporary measures only.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-24825 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy