media: dvb-core: fix wrong reinitialization of ringbuffer on reopen

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

media: dvb-core: fix wrong reinitialization of ringbuffer on reopen

dvb_dvr_open() calls dvb_ringbuffer_init() when a new reader opens the
DVR device. dvb_ringbuffer_init() calls init_waitqueue_head(), which
reinitializes the waitqueue list head to empty.

Since dmxdev->dvr_buffer.queue is a shared waitqueue (all opens of the
same DVR device share it), this orphans any existing waitqueue entries
from io_uring poll or epoll, leaving them with stale prev/next pointers
while the list head is reset to {self, self}.

The waitqueue and spinlock in dvr_buffer are already properly
initialized once in dvb_dmxdev_init(). The open path only needs to
reset the buffer data pointer, size, and read/write positions.

Replace the dvb_ringbuffer_init() call in dvb_dvr_open() with direct
assignment of data/size and a call to dvb_ringbuffer_reset(), which
properly resets pread, pwrite, and error with correct memory ordering
without touching the waitqueue or spinlock.

Basic Information

ID CVE-2026-23253

Source Linux

Published Mar 18, 2026 at 17:01

Modified Apr 2, 2026 at 14:44

Affected Product

Vendor Linux

Product Linux

Version 34731df288a5ffe4b0c396caf8cd24c6a710a222

Affected Versions Linux Linux 34731df288a5ffe4b0c396caf8cd24c6a710a222
Linux Linux 34731df288a5ffe4b0c396caf8cd24c6a710a222
Linux Linux 34731df288a5ffe4b0c396caf8cd24c6a710a222
Linux Linux 34731df288a5ffe4b0c396caf8cd24c6a710a222
Linux Linux 34731df288a5ffe4b0c396caf8cd24c6a710a222
Linux Linux 34731df288a5ffe4b0c396caf8cd24c6a710a222
Linux Linux 2.6.17

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: dvb-core: fix wrong reinitialization of ringbuffer on reopen\n\ndvb_dvr_open() calls dvb_ringbuffer_init() when a new reader opens the\nDVR device.  dvb_ringbuffer_init() calls init_waitqueue_head(), which\nreinitializes the waitqueue list head to empty.\n\nSince dmxdev->dvr_buffer.queue is a shared waitqueue (all opens of the\nsame DVR device share it), this orphans any existing waitqueue entries\nfrom io_uring poll or epoll, leaving them with stale prev/next pointers\nwhile the list head is reset to {self, self}.\n\nThe waitqueue and spinlock in dvr_buffer are already properly\ninitialized once in dvb_dmxdev_init().  The open path only needs to\nreset the buffer data pointer, size, and read/write positions.\n\nReplace the dvb_ringbuffer_init() call in dvb_dvr_open() with direct\nassignment of data/size and a call to dvb_ringbuffer_reset(), which\nproperly resets pread, pwrite, and error with correct memory ordering\nwithout touching the waitqueue or spinlock.",
    "published": "2026-03-18T17:01:44.126Z",
    "modified": "2026-04-02T14:44:00.996Z",
    "type": "cve",
    "title": "media: dvb-core: fix wrong reinitialization of ringbuffer on reopen",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/f1e520ca2e83ece6731af6167c9e5e16931ecba0\nhttps://git.kernel.org/stable/c/af050ab44fa1b1897a940d7d756e512232f5e5df\nhttps://git.kernel.org/stable/c/d71781bad59b1c9d60d7068004581f9bf19c0c9d\nhttps://git.kernel.org/stable/c/cfd94642025e6f71c8f754bdec0800ee95e4f3dd\nhttps://git.kernel.org/stable/c/32eb8e4adc207ef31bc6e5ae56bab940b0176066\nhttps://git.kernel.org/stable/c/bfbc0b5b32a8f28ce284add619bf226716a59bc0",
    "id": "CVE-2026-23253",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 34731df288a5ffe4b0c396caf8cd24c6a710a222\nLinux Linux 34731df288a5ffe4b0c396caf8cd24c6a710a222\nLinux Linux 34731df288a5ffe4b0c396caf8cd24c6a710a222\nLinux Linux 34731df288a5ffe4b0c396caf8cd24c6a710a222\nLinux Linux 34731df288a5ffe4b0c396caf8cd24c6a710a222\nLinux Linux 34731df288a5ffe4b0c396caf8cd24c6a710a222\nLinux Linux 2.6.17",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "34731df288a5ffe4b0c396caf8cd24c6a710a222",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

media: dvb-core: fix wrong reinitialization of ringbuffer on reopen_CVE-2026-23253

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply