media: iris: Fix use-after-free in iris_release_internal_buffers()_CVE-2026-46240

7.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In the Linux kernel, the following vulnerability has been resolved:

media: iris: Fix use-after-free in iris_release_internal_buffers()

The recent change in commit 1dabf00ee206 ("media: iris: gen1: Destroy
internal buffers after FW releases") introduced a regression where
session_release_buf() may free the buffer. The caller,
iris_release_internal_buffers(), continued to access `buffer` after the
call, leading to a potential use-after-free.

Fix this by setting BUF_ATTR_PENDING_RELEASE before calling
session_release_buf(), and reverting the flag if the call fails. This
ensures no dereference occurs after potential freeing.

Basic Information

ID CVE-2026-46240

Source Linux

Published May 28, 2026 at 09:41

Modified May 30, 2026 at 10:49

Affected Product

Vendor Linux

Product Linux

Version 7cde76db8883ec8a3d1456068079ecadbfb15ca5

Affected Versions Linux Linux 7cde76db8883ec8a3d1456068079ecadbfb15ca5
Linux Linux 1dabf00ee206eceb0f08a1fe5d1ce635f9064338
Linux Linux 1dabf00ee206eceb0f08a1fe5d1ce635f9064338
Linux Linux d4457f23ac0130240053a34be663f0fade3bb371
Linux Linux 6.18.16
Linux Linux 6.19.6
Linux Linux 7.0

References

{
    "lastseen": "",
    "description": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: iris: Fix use-after-free in iris_release_internal_buffers()\n\nThe recent change in commit 1dabf00ee206 (\"media: iris: gen1: Destroy\ninternal buffers after FW releases\") introduced a regression where\nsession_release_buf() may free the buffer. The caller,\niris_release_internal_buffers(), continued to access `buffer` after the\ncall, leading to a potential use-after-free.\n\nFix this by setting BUF_ATTR_PENDING_RELEASE before calling\nsession_release_buf(), and reverting the flag if the call fails. This\nensures no dereference occurs after potential freeing.",
    "published": "2026-05-28T09:41:08.376Z",
    "modified": "2026-05-30T10:49:34.839Z",
    "type": "cve",
    "title": "media: iris: Fix use-after-free in iris_release_internal_buffers()",
    "source": "Linux",
    "references": "https://git.kernel.org/stable/c/dd24998a4a4016fb9921916024399bd80f0d45c6\nhttps://git.kernel.org/stable/c/18c64439f249859b6140f7bf8bcf95c8ed841f28\nhttps://git.kernel.org/stable/c/f27cfdcfc916bb59297825805f4c3499f89f9e76",
    "id": "CVE-2026-46240",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Linux Linux 7cde76db8883ec8a3d1456068079ecadbfb15ca5\nLinux Linux 1dabf00ee206eceb0f08a1fe5d1ce635f9064338\nLinux Linux 1dabf00ee206eceb0f08a1fe5d1ce635f9064338\nLinux Linux d4457f23ac0130240053a34be663f0fade3bb371\nLinux Linux 6.18.16\nLinux Linux 6.19.6\nLinux Linux 7.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Linux",
    "version": "7cde76db8883ec8a3d1456068079ecadbfb15ca5",
    "vendor": "Linux",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply