Skip to main content

Linux Kernel EUVDEUVD-2026-32758

| CVE-2026-46240 HIGH
Use After Free (CWE-416)
2026-05-28 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-h697-4wx8-5625
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
May 30, 2026 - 12:11 vuln.today
CVSS changed
May 30, 2026 - 11:22 NVD
7.8 (HIGH)
Patch available
May 28, 2026 - 12:01 EUVD
CVE Published
May 28, 2026 - 10:16 nvd
UNKNOWN (no severity yet)
CVE Published
May 28, 2026 - 10:16 nvd
HIGH 7.8

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

media: iris: Fix use-after-free in iris_release_internal_buffers()

The recent change in commit 1dabf00ee206 ("media: iris: gen1: Destroy internal buffers after FW releases") introduced a regression where session_release_buf() may free the buffer. The caller, iris_release_internal_buffers(), continued to access buffer after the call, leading to a potential use-after-free.

Fix this by setting BUF_ATTR_PENDING_RELEASE before calling session_release_buf(), and reverting the flag if the call fails. This ensures no dereference occurs after potential freeing.

AnalysisAI

Local privilege escalation potential via use-after-free in Linux Kernel iris media driver affects kernels 6.18.16-6.18.31, 6.19.6-6.19.x, and 7.0 series prior to the fix commits. The flaw resides in iris_release_internal_buffers(), where session_release_buf() may free a buffer that the caller subsequently dereferences, a regression introduced by commit 1dabf00ee206. No public exploit identified at time of analysis and EPSS probability is very low (0.02%), but local low-privileged attackers on systems with the Qualcomm iris video accelerator driver could potentially leverage the freed-memory access.

Technical ContextAI

The vulnerability lives in the Linux kernel's media subsystem, specifically the 'iris' driver (drivers/media/platform/qcom/iris) which provides V4L2 support for Qualcomm hardware video decoders/encoders found on certain Snapdragon-based platforms. The root cause is a classic use-after-free pattern (CWE-416 class, though CWE field is N/A in input): a recent refactor moved internal-buffer destruction so that it occurs after firmware releases the buffers, but the cleanup helper session_release_buf() can itself free the buffer object, leaving a dangling pointer that iris_release_internal_buffers() then dereferences. The fix sets a BUF_ATTR_PENDING_RELEASE flag before calling session_release_buf() and reverts it on failure, eliminating any post-free access. CPE data is not provided in NVD form, but EUVD enumerates affected kernel ranges 6.18.16-6.18.31, 6.19.6 up to 6.20, and the 7.0 line up to 7.0.8, with corresponding stable commits.

RemediationAI

Upgrade to a patched stable kernel: 6.18.32 or later on the 6.18.x line, 7.0.9 or later on the 7.0.x line, or 7.1-rc3 / mainline containing commit 18c64439f249859b6140f7bf8bcf95c8ed841f28. Distribution users should apply the vendor kernel update that backports these stable commits once published. As a workaround on systems where patching must be deferred, unload or blacklist the iris driver (modprobe -r iris / blacklist iris in /etc/modprobe.d), accepting that hardware-accelerated video decode/encode on affected Qualcomm SoCs will fall back to software or be unavailable. On multi-user systems, restricting /dev/video* access via udev rules or group membership reduces the population of users who can reach the vulnerable code path, with the trade-off of breaking media applications for non-privileged users. References for patch tracking: https://git.kernel.org/stable/c/18c64439f249859b6140f7bf8bcf95c8ed841f28, https://git.kernel.org/stable/c/dd24998a4a4016fb9921916024399bd80f0d45c6, https://git.kernel.org/stable/c/f27cfdcfc916bb59297825805f4c3499f89f9e76.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-32758 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy