Skip to main content

Linux Kernel EUVDEUVD-2026-32308

| CVE-2026-46011 HIGH
Use After Free (CWE-416)
2026-05-27 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-cfrw-47v4-wfc7
7.8
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 11:36 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 27, 2026 - 19:46 EUVD
CVE Published
May 27, 2026 - 14:17 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 14:17 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

media: mtk-jpeg: fix use-after-free in release path due to uncancelled work

The mtk_jpeg_release() function frees the context structure (ctx) without first cancelling any pending or running work in ctx->jpeg_work. This creates a race window where the workqueue callback may still be accessing the context memory after it has been freed.

Race condition:

CPU 0 (release) CPU 1 (workqueue) ---------------- ------------------ close() mtk_jpeg_release() mtk_jpegenc_worker() ctx = work->data // accessing ctx

kfree(ctx) // freed! access ctx // UAF!

The work is queued via queue_work() during JPEG encode/decode operations (via mtk_jpeg_device_run). If the device is closed while work is pending or running, the work handler will access freed memory.

Fix this by calling cancel_work_sync() BEFORE acquiring the mutex. This ordering is critical: if cancel_work_sync() is called after mutex_lock(), and the work handler also tries to acquire the same mutex, it would cause a deadlock.

Note: The open error path does NOT need cancel_work_sync() because INIT_WORK() only initializes the work structure - it does not schedule it. Work is only scheduled later during ioctl operations.

AnalysisAI

Local privilege escalation and memory corruption in the Linux kernel's MediaTek JPEG (mtk-jpeg) media driver allows a local user with access to the device to trigger a use-after-free condition. The flaw occurs in mtk_jpeg_release() which frees the context structure without first cancelling pending workqueue items, creating a race window during device close where the worker thread accesses freed memory. No public exploit identified at time of analysis, and EPSS rates exploitation probability at just 0.02%, but the bug is fixed across multiple stable trees.

Technical ContextAI

The vulnerability resides in the MediaTek JPEG codec driver (drivers/media/platform/mediatek/jpeg/), which provides V4L2 hardware-accelerated JPEG encode/decode on MediaTek SoCs commonly found in ARM-based platforms and Chromebooks. The root cause is a classic use-after-free race (CWE-416 class, though not tagged in input): mtk_jpeg_device_run() queues jpeg_work via queue_work(), but the release path frees the per-file ctx structure via kfree() without invoking cancel_work_sync() first. If a close() races with an in-flight worker, mtk_jpegenc_worker() dereferences ctx after it has been freed. The fix calls cancel_work_sync() before acquiring the device mutex - ordering matters because the worker itself contends for the same mutex, so reversing the order would deadlock.

RemediationAI

Upgrade to a Linux kernel containing the fix: stable 6.6.140 or later, 6.12.86 or later, 6.18.27 or later, 7.0.4 or later, or mainline 7.1-rc1 and beyond - pull from your distribution as backports land (commits 0498b27a1542, 2209fdae5c2f, 26506a30e0e2, 34c519feef3e, e78c39f72067 at https://git.kernel.org/stable/c/<hash>). If immediate patching is not possible on MediaTek hardware, compensating controls include unloading the mtk_jpeg module (rmmod mtk_jpeg) where the hardware JPEG accelerator is not required, restricting access to /dev/video* nodes via udev rules or tighter group membership (default 'video' group), and applying seccomp or LSM policies to block untrusted processes from opening V4L2 JPEG devices. Trade-offs: disabling the module breaks hardware-accelerated JPEG encode/decode (falling back to software paths with higher CPU and power cost), and tightening /dev/video* permissions may break camera/codec features for non-privileged user sessions.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-32308 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy