CVE-2026-31473
Vulnerability Summary
Timeline
Description
In the Linux kernel, the following vulnerability has been resolved: media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex MEDIA_REQUEST_IOC_REINIT can run concurrently with VIDIOC_REQBUFS(0) queue teardown paths. This can race request object cleanup against vb2 queue cancellation and lead to use-after-free reports. We already serialize request queueing against STREAMON/OFF with req_queue_mutex. Extend that serialization to REQBUFS, and also take the same mutex in media_request_ioctl_reinit() so REINIT is in the same exclusion domain. This keeps request cleanup and queue cancellation from running in parallel for request-capable devices.
CVSS Metrics
- v3.1•HIGH•Score: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Trends
Current EPSS score: 0.13%• Percentile: 3%
Techniques & Countermeasures
- CWE-416•Use After Free
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Affected Systems
- linux•linux
≥ 6093d3002eabd7c2913d97f1d1f4ce34b072acf9, < 331242998a7ade5c2f65e14988901614629f3db5 | ≥ 6093d3002eabd7c2913d97f1d1f4ce34b072acf9, < 2c685e99efb3b3bd2b78699fba6b1cf321975db0 | ≥ 6093d3002eabd7c2913d97f1d1f4ce34b072acf9, < 585fd9a2063dacce8b2820f675ef23d5d17434c5 | ≥ 6093d3002eabd7c2913d97f1d1f4ce34b072acf9, < 1a0d9083c24fbd5d22f7100f09d11e4d696a5f01 | ≥ 6093d3002eabd7c2913d97f1d1f4ce34b072acf9, < d8549a453d5bdc0a71de66ad47a1106703406a56 | ≥ 6093d3002eabd7c2913d97f1d1f4ce34b072acf9, < 72b9e81e0203f03c40f3adb457f55bd4c8eb112d | ≥ 6093d3002eabd7c2913d97f1d1f4ce34b072acf9, < cf2023e84f0888f96f4b65dc0804e7f3651969c1 | ≥ 6093d3002eabd7c2913d97f1d1f4ce34b072acf9, < bef4f4a88b73e4cc550d25f665b8a9952af22773 | 4.20
- linux•linux_kernel
≥ 4.20.1, < 5.10.253 | ≥ 5.11, < 5.15.203 | ≥ 5.16, < 6.1.168 | ≥ 6.2, < 6.6.131 | ≥ 6.7, < 6.12.80 | ≥ 6.13, < 6.18.21 | ≥ 6.19, < 6.19.11 | 4.2.0 | 7.0:rc1 | 7.0:rc2 | 7.0:rc3 | 7.0:rc4 | 7.0:rc5 | 7.0:rc6 | 7.0:rc7
References (8)
- https://git.kernel.org/stable/c/331242998a7ade5c2f65e14988901614629f3db5
- https://git.kernel.org/stable/c/2c685e99efb3b3bd2b78699fba6b1cf321975db0
- https://git.kernel.org/stable/c/585fd9a2063dacce8b2820f675ef23d5d17434c5
- https://git.kernel.org/stable/c/1a0d9083c24fbd5d22f7100f09d11e4d696a5f01
- https://git.kernel.org/stable/c/d8549a453d5bdc0a71de66ad47a1106703406a56
- https://git.kernel.org/stable/c/72b9e81e0203f03c40f3adb457f55bd4c8eb112d
- https://git.kernel.org/stable/c/cf2023e84f0888f96f4b65dc0804e7f3651969c1
- https://git.kernel.org/stable/c/bef4f4a88b73e4cc550d25f665b8a9952af22773