Description
In the Linux kernel, the following vulnerability has been resolved:

media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex

MEDIA_REQUEST_IOC_REINIT can run concurrently with VIDIOC_REQBUFS(0)
queue teardown paths. This can race request object cleanup against vb2
queue cancellation and lead to use-after-free reports.

We already serialize request queueing against STREAMON/OFF with
req_queue_mutex. Extend that serialization to REQBUFS, and also take
the same mutex in media_request_ioctl_reinit() so REINIT is in the
same exclusion domain.

This keeps request cleanup and queue cancellation from running in
parallel for request-capable devices.
Published: 2026-04-22
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Use‑after‑free in Linux media drivers can lead to code execution or a kernel crash
Action: Immediate patch
AI Analysis

Impact

In the Linux kernel, a race condition exists between the media request reinitialization ioctl (MEDIA_REQUEST_IOC_REINIT) and the buffer queue management ioctl (VIDIOC_REQBUFS) on the same device. When these calls execute concurrently, the cleanup of a request object can collide with the cancellation of the v4l2 buffer queue, resulting in a use‑after‑free condition. This flaw is a classic use‑after‑free bug (CWE‑416) as well as a race condition during resource cleanup (CWE‑364) and can potentially lead to arbitrary code execution or a kernel crash if an attacker can trigger the race.

Affected Systems

This issue affects any Linux kernel that implements media request handling for mc and v4l2 instances, i.e. all media request‑capable devices before the fix is applied. No specific version numbers are listed, so systems running unpatched kernels relying on the media and video4linux interfaces are potentially vulnerable.

Risk and Exploitability

The EPSS score is < 1%, indicating a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, indicating limited known exploitation. Nonetheless, because the flaw requires only local interaction with a media device, a privileged user or a compromised application could intentionally trigger the race. The resulting memory corruption could provide a path to privilege escalation or denial of service. Attacks would likely stem from locally executing code that issues the two ioctls simultaneously or from a malicious driver. The CVSS score is 7.8.

Generated by OpenCVE AI on April 28, 2026 at 21:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a kernel update that includes the commit that serializes REINIT and REQBUFS with req_queue_mutex (referenced in the advisory).
  • Limit user access to the affected media devices by adjusting device permissions or udev rules, thereby restricting the ability to issue concurrent ioctl operations.
  • If a kernel upgrade cannot be performed immediately, disable the media request interface or block v4l2 buffer queue usage through module parameters or system configuration to mitigate race conditions.
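
For the device-permission recommendation above, a small audit helper can show which media-controller and V4L2 nodes are openable by every local user. This is an added example, not part of the advisory or of OpenCVE; it assumes GNU `stat` and the usual `/dev/mediaN` and `/dev/videoN` node names, and the function name `audit_media_nodes` is hypothetical.

```shell
#!/bin/sh
# Added example: list media/V4L2 device nodes whose "other" permission bits
# allow read or write, i.e. nodes any local account can open and issue
# ioctls on. Assumes GNU stat (-c) and nodes named mediaN / videoN.
#
# Limits: only classic mode bits are inspected. POSIX ACLs (for example
# those applied to the active seat user through udev's "uaccess" tag) are
# not visible here; check those separately with getfacl.

audit_media_nodes() {
    dir="${1:-/dev}"
    for node in "$dir"/media[0-9]* "$dir"/video[0-9]*; do
        # An unmatched glob stays literal in sh, so skip missing paths.
        [ -e "$node" ] || continue

        mode=$(stat -c '%a' "$node")      # octal mode, e.g. 660
        owner=$(stat -c '%U:%G' "$node")  # owner:group

        # Last octal digit is the "other" class; bit 4 = read, bit 2 = write.
        other=${mode#"${mode%?}"}
        if [ $(( other & 6 )) -ne 0 ]; then
            printf '%s mode=%s owner=%s\n' "$node" "$mode" "$owner"
        fi
    done
    return 0
}
```

Run `audit_media_nodes /dev` on the host; empty output means no node is world-accessible by mode bits, and any listed node is a candidate for a tighter udev `MODE=`/`GROUP=` assignment until the patched kernel is installed.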


Advisories
Source | ID | Title
Debian DLA | DLA-4561-1 | linux-6.1 security update
Debian DSA | DSA-6238-1 | linux security update
Debian DSA | DSA-6243-1 | linux security update
History

Mon, 27 Apr 2026 23:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:linux:linux_kernel:4.20:-:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:*

Mon, 27 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics
Values Removed: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Sat, 25 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-364
References
Metrics
Values Removed: threat_severity None
Values Added: cvssV3_1 {'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Values Added: threat_severity Moderate


Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex MEDIA_REQUEST_IOC_REINIT can run concurrently with VIDIOC_REQBUFS(0) queue teardown paths. This can race request object cleanup against vb2 queue cancellation and lead to use-after-free reports. We already serialize request queueing against STREAMON/OFF with req_queue_mutex. Extend that serialization to REQBUFS, and also take the same mutex in media_request_ioctl_reinit() so REINIT is in the same exclusion domain. This keeps request cleanup and queue cancellation from running in parallel for request-capable devices.
Title media: mc, v4l2: serialize REINIT and REQBUFS with req_queue_mutex
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-05-11T22:09:24.920Z

Reserved: 2026-03-09T15:48:24.098Z

Link: CVE-2026-31473

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-04-22T14:16:43.863

Modified: 2026-04-27T23:27:42.777

Link: CVE-2026-31473

Redhat

Severity: Moderate

Public Date: 2026-04-22T00:00:00Z

Links: CVE-2026-31473 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T21:15:39Z

Weaknesses